Geek Answers Handbook

Protecting Registration Forms and Comments from CSRF

I read a lot of articles on CSRF protection ( this is a good option ) and various questions here on SO, but none of them seem informative enough to answer my question.

I am developing my own CMS and I want to protect my login and comment forms. I will allow anonymous users to comment on my site.

All forms on my site are protected with tokens. I already know about this approach, but the problem is that it needs an active session (that is, after the user logs in). The problem with login and comment formats is that they are accessible to everyone and do not require login - what would be the best protection against CSRF in this case?

In the above link, I read that when trying to log into the system and then switching to the usual anti-CSRF methods (for example, assigning a token to a user session), “pre-season” time can be created, but I don’t understand how to do it.

The referrer header is a weak solution, so I think I should not worry. The Origin header, as far as I tested, is only supported on Google Chrome. What about custom headers? XMLHTTPRequest seems like an opportunity, but I spent literally more than three hours searching Google for some information on how to implement this kind of security measure on my website. But even if I could use a custom header, doesn't it make it useless, as HTTP headers can be completely fake?

So the question is: how do I protect my login and comment forms from CSRF?

Edit: here is more information from the link above:

We recommend strict Referer validation to protect against CSRF login because login forms are usually submitted via HTTPS, where the Referer header is reliably present for legitimate requests. If the login request is missing the Referer header, the site should reject the request for protection against malicious suppression.

and

Secret verification tokens can protect against CSRF logging in, but developers often forget to implement security because there is no session before logging in to bind the CSRF token. To use secret tokens verification to protect against entering the CSRF system, the site must first create a "presession", implement CSRF protection based on tokens, and then switch to a real session after successful authentication.

I just can't put an end to this argument after reading the quotes above. One of them mentions the use of the referrer header, but I'm not quite sure if this really adds much to webapp security.

Edit 2: How to use CAPTCHA?

+6
source share
4 answers

The problem with CSRF is that someone is using the registered user credentials to send something. This is very problematic because a malicious site can do things like anyone who was just browsing your site. If you are talking about forms that can be used as anonymous, without logging in, there is much less risk of CSRF, since it’s much less from publishing a form from another site - since everyone can do it directly and with the same permissions.

So, I don’t understand why CSRF protection is needed for unwritten forms.

If you want it, the pre-season token can be technically similar to a real session, but just easier. In fact, it will not contain anything other than the generated token.

EDIT: about using the $ _SESSION provided by PHP for the preseason token, this standard PHP session mechanism. If you want to use it, then yes, it is about him.

However, you are not forced to do it this way, and I personally will not do it the way it consumes server memory for all visitors, and it really is not necessary. For a more efficient mechanism, you basically need: a) a cookie identifying the user, and b) something stored on the server side indicates that the cookie is valid (and, if necessary, for whom it is valid, which means ip). For a more balanced approach, you can simply create a token, save it in a cookie and generate something that matches this token in the form as a hidden field, and match the ones in the submit (as Devesh explained). The latter would prevent the transfer of forms from another site, the former would prevent even the case when a malicious site searches your site and tries to set cookies for the end user. So, there are three approaches that I can think of:

  • just prevent image requests from other sites - using POST prevents this.
  • prohibit form submission from another site - creating a hidden field corresponding to the cookie prevents this.
  • to prohibit the submission of the form from another site that performs a preliminary search on your site - this will require checking the IP address, something is stored on the server side, for example, ip in the database corresponding to the cookie

EDIT 2: In the case of captchas, the main purpose of their use is to prevent attempts to enter the system (brute force). They would also fix the problem with CSRF requests in login forms, but that is too much for them. To prevent brute-force attacks, they may be needed in some cases, although there may be something more user-friendly so as not to impair usability too much. Maybe something like KittenAuth :)

+3
source

You cannot really protect the anonymous form from CSRF. Just because another site can act like a regular user. I can just create a website that makes curl request anonymous form, and store cookies and tokens in variables. And then make a second request to submit the form. The script doesn’t really fake the request, it just publishes automatically.

The CSRF point should prevent the script / person from performing actions on behalf of another user. So I will try to publish as you. To prevent access to a session / cookie using a token, this is a good solution. Because I have no way to get your session and token if your site is not corrupted in other areas. I would suggest reading OWASP guidelines to get an idea of ​​what you should be looking for.

Another thing you should always do is to make sure that the “actions” are always with a POST request, so I can’t just put an image on your forum that links to “ http://www.yoursite.com/delete.” php? id = 10. If you enable the GET request and you open the page containing this image, I would fake the request. If you enable POST , this will not have any result.

0
source

I think you can solve a problem like CSRF by combining a hidden field added to your form and at the same time add the same value to the cookies and attach with the user response. When the user submits the form back, try matching the value of the hidden field and the cookie value coming from the request, if both match, you are good to go ...

0
source

The problem with CSRF is that someone is using the registered user credentials to send something. This is very problematic because a malicious site can do things like anyone who was just browsing your site. If you are talking about forms that can be used as anonymous, without logging in, there is much less risk of CSRF, since it’s much less from publishing a form from another site - since everyone can do it directly and with the same permissions.

So, I don’t understand why CSRF protection is needed for unwritten forms.

If you want it, the pre-season token can be technically similar to a real session, but just easier. In fact, it will not contain anything other than the generated token.

0
source

More articles:


All Articles