XSRF/CSRF attacks - auto url append?

Posted: Wed Feb 27, 2008 7:53 am
by foobaa
Hiya,

I'm trying to implement the highest possible security in my web app without using SSL, and of course anyone knowledgeable in this area would know that XSRF/CSRF attacks are a potential weakness.

Lots of sites with info suggest using an extra field on form submissions etc. However, this is cumbersome if applying to about 20 web forms. Is there a way of avoiding cluttering all my pages/views with this? I was thinking of a simple include file / ini setting / .htaccess file which will "do its stuff" on the querystring, whatever this may be?

Sorry for my vagueness, I have some trouble getting my head round every possible kind of attack, but I hope I'm asking the right question!

Thanks!

PS some resources which have helped educate me but not provided an elegant solution:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.codewalkers.com/c/a/Miscella ... cations/1/
http://phpsec.org/projects/guide/2.html

Re: XSRF/CSRF attacks - auto url append?

Posted: Wed Feb 27, 2008 8:39 am
by Mordred
SSL will not stop CSRF.
Try Shiflett: http://shiflett.org/articles/cross-site ... -forgeries

Edit: Ah, I read your links - they suggest basically the same thing.

Re: XSRF/CSRF attacks - auto url append?

Posted: Wed Feb 27, 2008 10:09 am
by foobaa
Thanks Mordred -

The link you provided seemed to have a suggestion I didn't see in the others - make sure to only process POST data, not REQUEST/GET. This is what I'll focus on for a temporary solution until I can figure out how someone might go about an advanced CSRF attack.

Although if anyone knows an equally simple solution that covers more ground I'd love to hear it!

Thanks again

Re: XSRF/CSRF attacks - auto url append?

Posted: Wed Feb 27, 2008 10:45 am
by Mordred
On the contrary, there is (almost) no practical difference between using GET, POST or REQUEST, and I think Shiflett was saying something in that vein. Single-use tokens are the way to go.
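The single-use token approach Mordred recommends, done as the kind of drop-in include file foobaa asked about, as an added example that is not from either poster. It assumes PHP sessions are enabled and that every state-changing form on the site is a POST form; the file name `csrf.php`, the field name `csrf_token` and the one-hour expiry are constructed for this example.

```php
<?php
// csrf.php (constructed name): include once at the top of every page.
// Tokens live server-side in the session; each is accepted exactly once.
session_start();

// Issue a fresh single-use token and remember when it was created.
function csrf_issue_token() {
    $token = bin2hex(random_bytes(32));           // 256-bit random value
    $_SESSION['csrf_tokens'][$token] = time();
    return $token;
}

// Hidden field for a form; HTML-escaped so it is safe to echo into markup.
function csrf_field() {
    $value = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $value . '">';
}

// Validate and consume the token sent with the current POST request.
// Returns true once per token; a replay or a forged cross-site request fails.
function csrf_validate($max_age = 3600) {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                              // only POST carries a token
    }
    $token = isset($_POST['csrf_token']) ? $_POST['csrf_token'] : '';
    if (!is_string($token) || !isset($_SESSION['csrf_tokens'][$token])) {
        return false;                              // unknown token (or none)
    }
    $issued = $_SESSION['csrf_tokens'][$token];
    unset($_SESSION['csrf_tokens'][$token]);       // single use: consume it
    // Drop any other stale tokens so the session does not grow unbounded.
    foreach ($_SESSION['csrf_tokens'] as $t => $when) {
        if (time() - $when > $max_age) {
            unset($_SESSION['csrf_tokens'][$t]);
        }
    }
    return (time() - $issued) <= $max_age;         // reject expired tokens
}

// Inject the hidden field into every <form method="post"> in the rendered
// page, so the existing views need no edits (this is the "include file" idea).
ob_start(function ($html) {
    $pattern = '/<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>/i';
    return preg_replace_callback($pattern, function ($m) {
        return $m[0] . csrf_field();
    }, $html);
});

// Refuse any POST that lacks a valid token before the page's own code runs.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_validate()) {
    header('HTTP/1.1 403 Forbidden');
    exit('Invalid or missing CSRF token.');
}
```

Because the check is on a secret stored in the session rather than on the HTTP method, it holds regardless of whether a handler reads `$_POST` or `$_REQUEST`, which is the point Mordred makes above.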