Protect your applications against CSRF attacks

    Cross-Site Request Forgery (CSRF) is an attack where a malicious site sends a request to a vulnerable site where the user is currently logged in.

    Here is an example of a CSRF attack:
    1. A user logs into www.example.com, using forms authentication.
    2. The server authenticates the user. The response from the server includes an authentication cookie.
    3. Without logging out, the user visits a malicious web site. This malicious site contains the following HTML form:

    Code:
    <h1>You Are a Winner!</h1>
    <form action="http://example.com/api/account" method="post">
        <input type="hidden" name="Transaction" value="withdraw" />
        <input type="hidden" name="Amount" value="1000000" />
        <input type="submit" value="Click Me"/>
    </form>
    Notice that the form action posts to the vulnerable site, not to the malicious site. This is the "cross-site" part of CSRF.
    The user clicks the submit button. The browser includes the authentication cookie with the request.
    The request runs on the server with the user’s authentication context, and can do anything that an authenticated user is allowed to do.

    Although this example requires the user to click the form button, the malicious page could just as easily run a script that sends an AJAX request. Moreover, using SSL does not prevent a CSRF attack, because the malicious site can send an "https://" request.

    Typically, CSRF attacks are possible against web sites that use cookies for authentication, because browsers send all relevant cookies to the destination web site. However, CSRF attacks are not limited to exploiting cookies. For example, Basic and Digest authentication are also vulnerable. After a user logs in with Basic or Digest authentication, the browser automatically sends the credentials until the session ends.

    Let me show you how the Yii framework implements protection against CSRF. To enable the protection, you have to set the CHttpRequest application component in your application configuration file (usually we store the application configuration in protected/config/main.php) as follows:

    Code:
    return array(
        'components'=>array(
            'request'=>array(
                'enableCsrfValidation'=>true,
            ),
        ),
    );
    The CHttpRequest application component generates a unique value for the CSRF token with each HTTP request. When the object is created, the name and value of the token are set.

    After that, when displaying any form, call CHtml::form instead of writing the HTML form tag directly. The CHtml::form method will embed the necessary random value in a hidden field so that it can be submitted for CSRF validation.

    To enable CSRF protection in the CodeIgniter framework, all you need to do is:

    Set the option to "TRUE" in the config file.

    All your forms MUST use the form_open() helper function. Just convert all your forms to use form_open and it will work seamlessly. This will automatically generate and include a 'hidden' CSRF token in your forms. CodeIgniter will then automatically check this token on each form submission as part of the security function. If it detects a CSRF error, it will throw a 401 error automatically.

    In the Laravel framework, after inserting the CSRF token into the form, you just need to validate the submitted CSRF token.

    Code:
    <!-- Inserting the CSRF token into the form -->
    <input type="hidden" name="_token" value="<?php echo csrf_token(); ?>">

    // Validating the submitted token with the 'csrf' before-filter
    Route::post('register', array('before' => 'csrf', function()
    {
        return 'You gave a valid CSRF token!';
    }));
    Happy coding.

    Have a nice day.
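As an added example (not code from the original post, and not the code of Yii, CodeIgniter or Laravel), here is the synchronizer-token mechanism that CHtml::form, form_open() and csrf_token() all implement, written in plain PHP so the moving parts are visible: a random token stored server-side in the session, a hidden field that carries it in every state-changing form, and a constant-time comparison on submission. The function and constant names (csrfToken, csrfField, csrfValid, _csrf) are my own choices, and the session array and the two requests are constructed stand-ins for $_SESSION and $_POST.

```php
<?php
// Added example: a minimal synchronizer-token CSRF guard in plain PHP.
// Names below are hypothetical; they are not any framework's API.
declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';   // where the token lives in the session
const CSRF_FIELD_NAME  = '_csrf';         // hidden form field that carries it

/**
 * Return the per-session CSRF token, creating it on first use.
 * random_bytes() is a CSPRNG, so the token cannot be guessed by another site.
 */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden input to embed in every form that changes state (what form_open() does for you). */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD_NAME . '" value="' . $token . '">';
}

/**
 * Decide whether a request may proceed. Safe methods are not checked, which is
 * why GET must never change state. State-changing methods must carry a token
 * equal to the one stored in the session.
 */
function csrfValid(array $session, string $method, array $post): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD_NAME] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;   // no token issued yet, or the field is missing / not a string
    }
    // Constant-time comparison so the check does not leak the token byte by byte.
    return hash_equals($expected, $given);
}

// --- Demo with a constructed session and constructed requests ---------------
$session = [];   // stands in for $_SESSION

// Rendering our own form issues the token and embeds it in the hidden field.
$formHtml = '<form method="post" action="/api/account">' . csrfField($session) . '</form>';
echo $formHtml, PHP_EOL;

// Legitimate submission: the browser posts back the field our form emitted.
$legit = [CSRF_FIELD_NAME => $session[CSRF_SESSION_KEY], 'Transaction' => 'withdraw'];
echo 'legitimate post:   ', csrfValid($session, 'POST', $legit) ? 'accepted' : 'rejected', PHP_EOL;

// Cross-site submission (the form from the post above): the attacker's page
// cannot read the victim's session token, so the field is absent.
$forged = ['Transaction' => 'withdraw', 'Amount' => '1000000'];
echo 'cross-site post:   ', csrfValid($session, 'POST', $forged) ? 'accepted' : 'rejected', PHP_EOL;

// A guessed token is rejected the same way.
$guessed = [CSRF_FIELD_NAME => str_repeat('0', 64), 'Transaction' => 'withdraw'];
echo 'guessed token:     ', csrfValid($session, 'POST', $guessed) ? 'accepted' : 'rejected', PHP_EOL;

// A plain GET is not checked at all, so GET handlers must stay side-effect free.
echo 'GET request:       ', csrfValid($session, 'GET', []) ? 'accepted' : 'rejected', PHP_EOL;
```

Run it with `php csrf_demo.php`. The cross-site request fails not because the attacker's form is malformed but because the attacker's origin can never read the token out of the victim's session or out of the victim's page, which is the property all three framework helpers rely on. The flip side is the caveat from the post: a form written by hand instead of through CHtml::form or form_open() has no hidden field, so your own legitimate submissions are rejected too, and any state change reachable by GET bypasses the check entirely.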