MY_Form_Validation w/ spam and CSRF protection
[eluser]erik.brannstrom[/eluser]
[quote author="n0xie" date="1276006650"]The first thing to acknowledge is that in my experience, most people do destructive things often via GET. This is inherently wrong but you should emphasize this: never do anything destructive via GET, always use POST. I would like to make this point clear since your 'library' only deals with POST data. Your site would still be easily exploitable if you had URLs like http://domain.tld/user/delete/12345 which would delete user 12345. Always keep this in mind when talking about CSRF: most people don't know how it works and assume a 'library' like this will magically protect their site against any form of CSRF attack.[/quote]

I assumed anyone looking into using this extension would know that form validation works only on POST requests, but you are of course right.

[quote author="n0xie" date="1276006650"]This has way too low entropy to be effective. If I know what my target's IP is (which I can read with javascript) and I know this is the algorithm used to generate the nonce (which would be pretty obvious if it was an open source CI project), I can easily generate a matching nonce since microtime returns the current timestamp. I just have to generate every timestamp for the next minute (since the IP doesn't change) and one of those will most likely generate a match, especially since the field you use always has the name 'nonce'. Basically this gives you about 60 different nonces per minute (1 for each second), which is way too low. Any modern computer takes less than a second to calculate these 60 MD5 hashes.[/quote]

Well, you are sort of right. I agree the entropy is too low and should include a more random element. Now correct me if I'm wrong, but microtime() does not only return the current timestamp as seconds since Jan 1st 1970, but also the microseconds (to be fair, it requires OS support for this, but I assume that's widespread). This means that for each second there are one million discrete time steps, which means for a full minute one would have to generate 60 million values. Thanks for your input!
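The exchange above turns on two points: state-changing requests must only be accepted via POST, and a nonce derived from values an attacker can observe (client IP, microtime()) has a small search space even at microsecond resolution. The following is an added example, not code from this thread or from the MY_Form_Validation extension. It uses a plain array in place of $_SESSION so it runs stand-alone; the function names (generateCsrfToken, csrfHiddenField, verifyCsrfToken, weakNonceSearchSpaceBits) and the field name csrf_token are assumptions made for the example.

```php
<?php
// Added example, not part of the forum thread or the MY_Form_Validation extension.
// Shows a CSRF token drawn from the OS CSPRNG, bound to the session, checked in
// constant time and only on POST, next to the size of the search space an
// attacker faces against an md5(ip . microtime()) nonce.

// Search-space size, in bits, of a nonce built from a known IP plus microtime()
// over a window of $windowSeconds: each second contributes one million
// microsecond steps, so a one-minute window is 60,000,000 candidates.
function weakNonceSearchSpaceBits(int $windowSeconds = 60): float
{
    return log($windowSeconds * 1000000, 2);
}

// 32 bytes from the CSPRNG: 256 bits that do not depend on anything observable.
function generateCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Issue (or reuse) the session token and render it as a hidden form field.
// $session stands in for $_SESSION (assumption for this example).
function csrfHiddenField(array &$session, string $fieldName = 'csrf_token'): string
{
    if (empty($session[$fieldName])) {
        $session[$fieldName] = generateCsrfToken();
    }
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($fieldName, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($session[$fieldName], ENT_QUOTES, 'UTF-8')
    );
}

// Verify a submitted token: POST only, constant-time comparison, then rotate
// the token so a captured value cannot be replayed.
function verifyCsrfToken(array &$session, array $post, string $method, string $fieldName = 'csrf_token'): bool
{
    if ($method !== 'POST') {
        return false; // never accept a state change via GET, whatever the token says
    }
    $expected = $session[$fieldName] ?? '';
    $given    = $post[$fieldName] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    unset($session[$fieldName]); // one-time use; the next form render issues a fresh token
    return true;
}

// Constructed demonstration with an in-memory session.
$session = [];
echo csrfHiddenField($session), "\n";
$token = $session['csrf_token'];

var_dump(verifyCsrfToken($session, ['csrf_token' => $token], 'POST')); // valid, then rotated
var_dump(verifyCsrfToken($session, ['csrf_token' => $token], 'POST')); // replay is rejected

$session = [];
csrfHiddenField($session);
var_dump(verifyCsrfToken($session, ['csrf_token' => $session['csrf_token']], 'GET')); // wrong method

printf("IP + microtime() nonce, one-minute window: %.1f bits\n", weakNonceSearchSpaceBits());
printf("random_bytes(32) token: %d bits\n", 32 * 8);
```

For the one-minute window the first printf reports just under 26 bits (log2 of 60 million), against 256 bits for the CSPRNG token; the point is that the microsecond resolution discussed above enlarges the space but does not make it unpredictable, because every input to the hash is either public or derivable. random_bytes() and hash_equals() are available from PHP 7.0; hash_equals() is used instead of == so the comparison does not leak timing information about how many leading characters matched.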