XSRF/CSRF attacks - auto url append?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

foobaa
Forum Commoner
Posts: 40
Joined: Tue Feb 13, 2007 10:36 am

XSRF/CSRF attacks - auto url append?

Post by foobaa »

Hiya,

I'm trying to implement the highest possible security in my web app without using SSL, and of course anyone knowledgeable in this area would know that XSRF/CSRF attacks are a potential weakness.

Lots of sites with info suggest using an extra field on form submissions etc. However, this is cumbersome if applying to about 20 web forms. Is there a way of avoiding cluttering all my pages/views with this? I was thinking of a simple include file / ini setting / .htaccess file which will "do its stuff" on the querystring, whatever this may be?

Sorry for my vagueness, I have some trouble getting my head round every possible kind of attack, but I hope I'm asking the right question!

Thanks!

PS some resources which have helped educate me but not provided an elegant solution:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.codewalkers.com/c/a/Miscella ... cations/1/
http://phpsec.org/projects/guide/2.html
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: XSRF/CSRF attacks - auto url append?

Post by Mordred »

SSL will not stop CSRF.
Try Shiflett: http://shiflett.org/articles/cross-site ... -forgeries

Edit: Ah, I read your links - they suggest basically the same thing.
foobaa
Forum Commoner
Posts: 40
Joined: Tue Feb 13, 2007 10:36 am

Re: XSRF/CSRF attacks - auto url append?

Post by foobaa »

Thanks Mordred -

The link you provided seemed to have a suggestion I didn't see in the others - make sure to only process POST data not REQUEST/GET. This is what I'll focus on for a temporary solution until I can figure out how someone might go about an advanced CSRF attack.

Although if anyone knows an equally simple solution that covers more ground I'd love to hear it!

Thanks again
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: XSRF/CSRF attacks - auto url append?

Post by Mordred »

On the contrary, there is (almost) no practical difference between using GET, POST or REQUEST, and I think Shiflett was speaking something in that vein. Single-use tokens are the way to go.
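The two points the thread arrives at (a token, not the request method, is the defence; and the original poster's wish not to touch ~20 views) can be combined in one prepended file. The following is an added example written for this thread, not code posted by foobaa or Mordred or taken from the linked articles. It assumes a file name `csrf_guard.php` loaded on every page via PHP's `auto_prepend_file` ini directive (or a `require_once` at the top of a shared include), a hidden field name `__csrf_token`, and that all state-changing actions are submitted by POST. It verifies the token before any page logic runs and uses an output-buffer callback to inject the hidden field into every `<form method="post">` so the individual views stay untouched.

```php
<?php
// csrf_guard.php (added example; assumed to be loaded before any output on
// every page, e.g. via auto_prepend_file = /path/to/csrf_guard.php)
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Assumed name of the hidden form field carrying the token.
const CSRF_FIELD = '__csrf_token';

// Return the session's current token, minting a fresh one from the CSPRNG
// when none exists. Tokens are stored server-side in the session only.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Compare the submitted token with the session token in constant time.
// Only the POST body is consulted, never $_GET or $_REQUEST, so a token
// that leaked into a URL (referer header, history, logs) is not accepted.
function csrf_request_is_valid(array $post, ?string $sessionToken): bool
{
    if ($sessionToken === null) {
        return false;
    }
    $submitted = $post[CSRF_FIELD] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Insert the hidden token input directly after every <form ... method="post">
// opening tag in the rendered HTML. Case-insensitive; other forms untouched.
function csrf_inject_fields(string $html, string $token): string
{
    $hidden = '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    return preg_replace(
        '/(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)/i',
        '${1}' . $hidden,
        $html
    );
}

// --- request handling ---------------------------------------------------
// Every POST must carry a valid token; reject before any page code runs.
if (strtoupper($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_request_is_valid($_POST, $_SESSION[CSRF_FIELD] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Single-use: discard the consumed token so the next rendered page
    // (and therefore the next form submission) gets a fresh one.
    unset($_SESSION[CSRF_FIELD]);
}

// --- response handling --------------------------------------------------
// Buffer the page output and stamp the token into every POST form on the
// way out, so no view needs to be edited.
ob_start(static function (string $html): string {
    return csrf_inject_fields($html, csrf_token());
});
```

Two practical notes. First, the single-use rotation after each valid POST means a form left open in a second tab will be rejected once another form has been submitted; if that matters, keep a per-session token without the `unset` and rotate it on login instead. Second, any action that is currently reachable via GET (a "delete" link, for instance) is not protected by this file until it is converted to a POST form, which is exactly the point made above that the method alone is not the defence.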