I'm working on a 12+ year old Java Web application. It follows client's unique framework and not any of the industry standard framework! Recently an Appscan report was generated for the application, as per which this application is having highly critical security problems like it is prone to CSRF, SQL Injection etc.
Now I have to implement something purely in Java, without using any framework and get rid of this CSRF Attack. I did some google and came to know that we have to append a temporary token in the URL and then validate it. Is it the only way. I couldn't get much practical solutions.
Anyone experienced in dealing with such a scenario? Please Help me!
The best way to prevent CSRF attacks is to add a randomly generated token to every response rendered from the server. The token is than retrieved and checked in the next request received at the server.If the token does not match than there is possibility of CSRF attack.
Since you are using servlets , you can use servlet filter to achieve this functionality.You can write your CSRF token check functionality in doFilter(ServletRequest request, ServletResponse response) method.
Generally CSRF attacks related threats are resolved using some security framework like Spring Security .