CSRF Vulnerabilities and Code Igniter plugin
#1

[eluser]Unknown[/eluser]
Hey guys,

We published four Cross-Site Request Forgery vulnerabilities today:
http://www.freedom-to-tinker.com/blog/wz...ry-attacks

...and also a plugin for Code Igniter (php 5 only) that can automatically protect against these types of attacks.

The CI plugin was written because Code Igniter is my framework of choice and I didn't see a plugin available. I'd love to hear your feedback.

Thanks!

Best Regards,
Bill Zeller
#2

[eluser]Derek Allard[/eluser]
Hey Bill, thanks for sharing. I found your paper 2 days ago, but I've been on the road traveling and haven't fully digested it. Same now with this plugin, but I will get to it, and I want you to know we take csrf very seriously. Thanks for sharing, and great to see you here.
#3

[eluser]xwero[/eluser]
If I understand it correctly, CSRF depends on forms/requests using GET that a user has to be logged in for. So if you don't assign critical actions to GET requests, you are safe?
#4

[eluser]Randy Casburn[/eluser]
No, the same methods can be used to hijack your session via POST under some conditions too. In fact, the very same techniques can be used to exploit unprotected XMLHttpRequest (AJAX) resources too.
#5

[eluser]xwero[/eluser]
Let me put it in another perspective: if you disable javascript you are safe, as it is malware-infected browsers that make these attacks possible, right? How else can an attacker add an image with an evil url to a trusted site's html?
#6

[eluser]johnwbaxter[/eluser]
Ah, I'm glad I came across this! I've been looking into using tokens in my forms to prevent this and was getting round to implementing it this week. I'll be the first to admit that I'm too lazy to extend the helper, and was just going to do it per form.

The method that you've used is identical to what I had decided on doing after extensive reading. Now you've aided my utter laziness by doing it for me!

Thanks!

If there is a voting system for something that should be included in the CI core then this has got my vote with bells on.
#7

[eluser]Pascal Kriete[/eluser]
@Bill,
Thanks for posting.

@xwero,
It's not infected browsers that make these attacks possible. It's insecure sites.
If any site you visit has an XSS vulnerability (and there are a lot of them), then someone can use that hole to forge a request to any other site. In this case you're safe if javascript is turned off, yes.

But there are other ways to forge requests. Flash, for example, can make cross site requests (limited by crossdomain.xml, but I've seen large sites that just set it to * ). YouTube example. Here the attacker isn't limited to GET.

Protecting yourself is important, but as a developer you can't expect everyone who uses your site to have js turned off.
#8

[eluser]xwero[/eluser]
From Inparo's information I understand the basis of a CSRF attack is bad input control, and the hacker has to have social hacking skills to attract people into using his malware.
#9

[eluser]Jay Turley[/eluser]
Just found this through an article on darkreading.com. Great job and thanks a ton for the plugin!!
#10

[eluser]bevans[/eluser]
EDIT:
THIS IS WORKING NOW...
(WORKING ON LOCALHOST AT THIS TIME.)

THE PROBLEM WHY IT WAS NOT WORKING: THE PARAMETERS FOR THE SETCOOKIE FUNCTION WERE NOT CORRECT. I CHANGED THE PARAMETERS AND NOW IT WORKS.

On line 90 of MY_Input.php
Changed from this:
setcookie('ci_token', $ci_token, time()+$this->CSRF_expire, '/', $domain);
TO THIS:
setcookie('ci_token', $ci_token, time()+$this->CSRF_expire, "/", "", "0");
[quote author="Bill Zeller" date="1222748003"]Hey guys,

...and also a plugin for Code Igniter (php 5 only) that can automatically protect against these types of attacks.

The CI plugin was written because Code Igniter is my framework of choice and I didn't see a plugin available. I'd love to hear your feedback.

Thanks!

Best Regards,
Bill Zeller[/quote]
Thanks for the plugin...

I am having troubles getting it to work with Code Igniter 1.7
Any ideas or suggestions from anyone as to why it is not working?

I should specify the problem.
It is not setting the ci_token cookie.
It is getting down through the code and hits the setcookie() function, but the cookie is not setting.

Looking at code all day... probably just something simple, but I am not seeing the problem.
Any suggestions?

Thanks in advance.
bevans
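The form-token approach talked about in #6 and the ci_token cookie from #10, worked through as an added example in plain PHP 7.1+; it is not Bill Zeller's plugin, and the double-submit cookie pattern, the hidden-field name, the lifetime and every function name are this example's assumptions.

```php
<?php
// Added example, not Bill Zeller's plugin: the "token in the form" check
// the thread discusses, in plain PHP 7.1+. A random 'ci_token' cookie is set
// and echoed into a hidden field of every form; a state-changing POST is
// accepted only when both are present and identical. A forged cross-site
// request carries the cookie but cannot read it to fill in the field.
// Hidden-field name, lifetime and function names are this example's own.

const CSRF_COOKIE = 'ci_token';
const CSRF_FIELD  = 'ci_token';
const CSRF_EXPIRE = 7200; // lifetime in seconds (assumed value)

function csrf_issue_token(): string
{
    if (!empty($_COOKIE[CSRF_COOKIE])) {
        return $_COOKIE[CSRF_COOKIE];      // reuse the live token
    }
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    // Path '/' and an empty domain, like the working call in post #10:
    // many browsers drop a cookie whose Domain attribute is "localhost",
    // a common reason the $domain variant never shows up in local testing.
    // secure=false only for plain-http development; use true over HTTPS.
    // httponly=true is fine because the form, not JavaScript, carries it.
    setcookie(CSRF_COOKIE, $token, time() + CSRF_EXPIRE, '/', '', false, true);
    $_COOKIE[CSRF_COOKIE] = $token;       // visible to this request as well
    return $token;
}

function csrf_hidden_field(): string
{
    $token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '">';
}

// Pure comparison kept apart from the superglobals so it is easy to test.
function csrf_tokens_match(?string $cookie, ?string $field): bool
{
    if ($cookie === null || $field === null || $cookie === '') {
        return false;                     // missing token: reject
    }
    return hash_equals($cookie, $field);  // constant-time comparison
}

function csrf_validate_request(): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return true;  // GET is not checked, so GET must never change state
    }
    return csrf_tokens_match($_COOKIE[CSRF_COOKIE] ?? null, $_POST[CSRF_FIELD] ?? null);
}
```

In a controller, call csrf_validate_request() before any state-changing action and answer 403 when it returns false; emit csrf_hidden_field() inside every form.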