CSRF prevention

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

CSRF prevention

Post by alex.barylski »

I familiarized myself with this exploit a long time ago but didn't really sit down to think about what the problem is and how it's solved.

I believe that many solutions revolve around generating a unique token and storing it in a hidden form field. This value is persisted in a SESSION or similar server side. When the form is submitted, the value POSTed with the form is compared to the value in the SESSION and if they match, allow the action to continue; if not, it's an exploit attempt?

Do I understand the basic philosophy here?

It's to prevent people faking requests from other domains? Can you give me a few examples? As I understand, something like this might be an example:

1. User logs into real site/blog/etc.
2. User reads comments in forums
3. User sees interesting link and clicks
4. User redirected to hacker site with interesting blog
5. User sees another interesting link and clicks
6. This link is crafted to delete a record on the 'real' site in step 1

Because the user was redirected to the hacker site without logging out first, the hacker site can issue delete, update and create requests and they will be executed, as the original SESSION token is still valid.

Is this the gist of the idea? How do you prevent deletion from occurring if it is executed via a simple GET link (user/delete/PKID) as opposed to a FORM submission? Would you simply generate the token ID and inject it into the GET request as well, similar to the SESSION?

Cheers,
Alex
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: CSRF prevention

Post by josh »

Yes but it depends on a lot of things. Like if the attacker is able to use XSS to steal the CSRF id, it would be rendered useless. You're only as strong as your weakest point, but you have the general idea right.

An example could be the user viewing a page w/ an auto-posting form, or JavaScript that uses an AJAX call, or inserting a crafted URL into an image src.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: CSRF prevention

Post by alex.barylski »

josh wrote: You're only as strong as your weakest point, but you have the general idea right
Agreed, but it's not core functionality, as it would be implemented as an optional plugin for my framework, so if end users wanted that 'little' bit of extra security, they could install it, like in Drupal or Joomla.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: CSRF prevention

Post by kaisellgren »

You have the basic idea.

Remember that CSRF can be (and often is) totally transparent. Accessing a site with HTML similar to

<img src="http://ebay.com/buy.php?id=5&quantity=666&target=kai" />
could do lots of harm. So, logging into your favorite site, and visiting a random site found on Google may be all you need to do to become a victim.

This is not just about GET. You can use JavaScript to do POST requests as well. So any website you access, any link you click in your IMs, may issue a CSRF. Just hope the target site is protected against it. As for protecting from it, all you need is to be sure that the action was indeed triggered by the user. Creating a random token and placing it into forms is a simple approach to protect from CSRF attacks. With GET, you can simply add one more parameter to the URI, "&csrf=abcd", just like you thought.
josh wrote: Like if the attacker is able to use XSS to steal the CSRF id, it would be rendered useless. You're only as strong as your weakest point,
The point is true, but I'd like to add that an XSS vulnerability is more harmful than CSRF. Intruders can steal the credentials and do all actions on their own without using CSRF at all.
PCSpectra wrote: Agreed, but it's not core functionality, as it would be implemented as an optional plugin for my framework, so if end users wanted that 'little' bit of extra security, they could install it, like in Drupal or Joomla.
In my opinion, a CSRF defense is a must have.
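The synchronizer-token scheme that alex.barylski describes in the opening post and that kaisellgren confirms above (token in the session, copy in the form or link, compare on submit), as an added example that is not code from this thread or from any poster's framework. It assumes PHP 8 and stands in for $_SESSION with a plain array so it runs from the command line; in a real app you would call session_start() and pass $_SESSION to the constructor. The class name CsrfGuard, the field name csrf and the handleDelete() handler are illustrative names chosen here, not anything the thread specifies.

```php
<?php
declare(strict_types=1);

/**
 * Synchronizer-token CSRF guard (added example, not the thread's own code).
 * The token lives server-side in the session; every form or state-changing
 * link carries a copy, and the handler refuses the request when they differ.
 * An attacker's page can trigger the request but cannot read the victim's
 * session, so it cannot supply the matching copy.
 */
final class CsrfGuard
{
    private const KEY = '_csrf_token';

    /** @var array<string,mixed> bound by reference, usually $_SESSION */
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Return the session's token, generating a fresh one on first use. */
    public function token(): string
    {
        if (!isset($this->session[self::KEY]) || !is_string($this->session[self::KEY])) {
            // 32 bytes from the CSPRNG; hex is safe inside attributes and URLs.
            $this->session[self::KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::KEY];
    }

    /** Hidden field to drop into every HTML form that changes state. */
    public function formField(): string
    {
        return '<input type="hidden" name="csrf" value="'
            . htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8') . '">';
    }

    /** Append the token to a link such as the "user/delete/PKID" URL from the thread. */
    public function link(string $url): string
    {
        $sep = (strpos($url, '?') === false) ? '?' : '&';
        return $url . $sep . 'csrf=' . rawurlencode($this->token());
    }

    /**
     * Check a submitted copy. hash_equals() compares in constant time so the
     * token cannot be recovered byte by byte from response timing.
     */
    public function validate(mixed $submitted): bool
    {
        if (!isset($this->session[self::KEY]) || !is_string($submitted) || $submitted === '') {
            return false;
        }
        return hash_equals($this->session[self::KEY], $submitted);
    }

    /** Discard the token, e.g. on logout, so any leaked copy stops working. */
    public function rotate(): void
    {
        unset($this->session[self::KEY]);
    }
}

/**
 * Handler sketch for the delete action. Accepting the change only over POST
 * with a valid token answers the "<img src=...>" trick more robustly than
 * tokenizing GET links, since a plain GET can then never delete anything.
 */
function handleDelete(CsrfGuard $guard, string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 use POST';
    }
    if (!$guard->validate($post['csrf'] ?? null)) {
        return '403 CSRF token missing or invalid';
    }
    return '200 deleted';
}

// Demo with a constructed array standing in for $_SESSION.
$session = [];
$guard   = new CsrfGuard($session);

echo '<form method="post" action="/user/delete/5">' . $guard->formField() . '</form>', PHP_EOL;
echo $guard->link('/user/delete/5'), PHP_EOL;

// Legitimate submission: the browser echoes back the token the page gave it.
echo handleDelete($guard, 'POST', ['csrf' => $session['_csrf_token']]), PHP_EOL;
// Forged submissions: wrong token, no token, and a bare GET.
echo handleDelete($guard, 'POST', ['csrf' => str_repeat('0', 64)]), PHP_EOL;
echo handleDelete($guard, 'POST', []), PHP_EOL;
echo handleDelete($guard, 'GET', []), PHP_EOL;
```

Two caveats that follow from the discussion: the token must come from random_bytes() or another CSPRNG, not from uniqid() or md5(time()), or an attacker can predict it; and, as josh notes, none of this helps if the site also has an XSS hole, because injected script runs in the victim's origin and can simply read the hidden field before building the forged request.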
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: CSRF prevention

Post by josh »

kaisellgren wrote:
josh wrote: Like if the attacker is able to use XSS to steal the CSRF id, it would be rendered useless. You're only as strong as your weakest point,
The point is true, but I'd like to add that an XSS vulnerability is more harmful than CSRF. Intruders can steal the credentials and do all actions on their own without using CSRF at all.
Yeah, I was saying that even if you are protected against CSRF but have an XSS hole, someone can exploit the XSS hole to defeat your CSRF protection. So even if you are using tokens you aren't necessarily protected: someone could inject JavaScript into the page that finds the CSRF id from the active session, builds the URL on the fly and then writes it into an <img> tag.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: CSRF prevention

Post by alex.barylski »

kaisellgren wrote: In my opinion, a CSRF defense is a must have.
Hopefully more people feel that way, so they open their pockets and shell out money for security extensions. :P
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: CSRF prevention

Post by kaisellgren »

PCSpectra wrote: Hopefully more people feel that way, so they open their pockets and shell out money for security extensions. :P
I hope the source isn't revealed to anybody. Otherwise, it would be dead simple to exploit this vulnerability. :roll: