HP FutureSmart - Preventing cross site request forgery (CSRF) attack using CSRF-tokens (white paper)
CSRFToken in HTTP POST Requests
CSRFTokens are cryptographically random values generated by the printer's web server. Further, these tokens are
unique to every EWS session.
The client must first fetch the token from the printer using an HTTP GET request. During the GET request the device
generates a SessionId (if one is not already included in the GET request) and a CSRFToken mapped to that session. The
CSRFToken is included in the response as a hidden form field named CSRFToken. The client application must then use both
the SessionId and the CSRFToken extracted from the GET response in its HTTP POST request.
[Flowchart: client flow for framing an HTTP POST with a CSRFToken]
Start (Frame HTTP POST) -> Has CSRF Token?
  Yes -> Frame HTTP POST request with CSRF Token in HTML body -> SEND HTTP POST
  No  -> HTTP GET request on the desired URL -> HTTP GET successful?
           Yes -> Extract CSRFToken from HTML body -> Frame HTTP POST request with CSRF Token in HTML body -> SEND HTTP POST
           No  -> GO to FAILED
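The following is an added example, not HP's code, that simulates the handshake described above in Python. The server half models the printer's EWS: on a GET it issues a SessionId (when the request has none) and a random CSRFToken bound to that session, embedded as the hidden form field CSRFToken; on a POST it accepts the request only when the presented token matches the one mapped to the SessionId. The client half performs the flowchart steps: GET, extract the token from the HTML body, then POST with both values. The class and function names (EwsServer, extract_csrf_token, client_post), the /config path and the sample form field hostname are assumptions made for the example.

```python
"""Added example (not HP's code): simulation of the EWS CSRF-token handshake.

EwsServer stands in for the printer's web server; extract_csrf_token and
client_post implement the client side of the flowchart. Names and paths
are assumed for illustration.
"""
import hmac
import secrets
from html.parser import HTMLParser


class EwsServer:
    """Stand-in for the printer's embedded web server (assumed model)."""

    def __init__(self):
        # SessionId -> CSRFToken: one token per EWS session
        self._sessions = {}

    def get(self, path, session_id=None):
        """Handle GET: return (session_id, html) carrying the hidden CSRFToken field."""
        if session_id is None or session_id not in self._sessions:
            # New session: generate a SessionId and a cryptographically random token for it
            session_id = secrets.token_hex(16)
            self._sessions[session_id] = secrets.token_hex(32)
        token = self._sessions[session_id]
        html = (
            f'<html><body><form method="POST" action="{path}">'
            f'<input type="hidden" name="CSRFToken" value="{token}">'
            '<input type="text" name="hostname">'
            '</form></body></html>'
        )
        return session_id, html

    def post(self, path, session_id, form):
        """Handle POST: accept only if the form token matches the session's token."""
        expected = self._sessions.get(session_id)
        presented = form.get("CSRFToken")
        if expected is None or presented is None:
            return 403, "missing session or CSRFToken"
        # Constant-time comparison so the check does not leak timing information
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return 403, "CSRFToken does not match session"
        return 200, f"applied {path} with hostname={form.get('hostname')}"


class _HiddenFieldParser(HTMLParser):
    """Collects hidden <input> fields (name -> value) from an HTML body."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def extract_csrf_token(html):
    """Client step: pull the CSRFToken hidden field out of the GET response body."""
    parser = _HiddenFieldParser()
    parser.feed(html)
    return parser.fields.get("CSRFToken")


def client_post(server, path, form, session_id=None, csrf_token=None):
    """Client flow from the flowchart: fetch a token with GET first if none is held."""
    if csrf_token is None:
        session_id, html = server.get(path, session_id)
        csrf_token = extract_csrf_token(html)
        if csrf_token is None:
            return 0, "FAILED: no CSRFToken in GET response"
    body = dict(form, CSRFToken=csrf_token)
    return server.post(path, session_id, body)


def demo():
    """Honest flow plus two rejected POSTs; returns the three status codes."""
    server = EwsServer()
    # Honest client: GET, extract the token, POST with SessionId and CSRFToken
    sid, html = server.get("/config")
    token = extract_csrf_token(html)
    ok, _ = server.post("/config", sid, {"hostname": "printer-01", "CSRFToken": token})
    # Cross-site request: the session rides along, but the token is not known to the forger
    forged, _ = server.post("/config", sid, {"hostname": "evil"})
    # A token issued to a different session is rejected as well
    _, html_b = server.get("/config")
    cross, _ = server.post("/config", sid, {"CSRFToken": extract_csrf_token(html_b)})
    return ok, forged, cross


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The two rejected POSTs in demo() show why the token must be both secret to the session and bound to it: a request carrying only the session is refused, and so is one that presents a valid token from another session.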