Security Class - csrf check vulnerability?
#1

[eluser]Unknown[/eluser]
Hello,

Check this snippet:
Code:
public function csrf_verify()
{
    // If no POST data exists we will set the CSRF cookie
    if (count($_POST) == 0)
    {
        return $this->csrf_set_cookie();
    }

    // Do the tokens exist in both the _POST and _COOKIE arrays?
    if ( ! isset($_POST[$this->_csrf_token_name]) OR
         ! isset($_COOKIE[$this->_csrf_cookie_name]))
    {
        $this->csrf_show_error();
    }

    // Do the tokens match?
    if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
    {
        $this->csrf_show_error();
    }

    // We kill this since we're done and we don't want to
    // pollute the _POST array
    unset($_POST[$this->_csrf_token_name]);

    // Nothing should last forever
    unset($_COOKIE[$this->_csrf_cookie_name]);
    $this->_csrf_set_hash();
    $this->csrf_set_cookie();

    log_message('debug', "CSRF token verified ");

    return $this;
}

I believe there's a vulnerability in this code: it looks like it's doing a session-independent nonce check, and it has no protection against a MITM attack.

Please check this link: https://code.djangoproject.com/wiki/Csrf...ndentnonce

Quote:The attacker can set the CSRF cookie using Set-Cookie, and then supply a matching token in the POST form data. Since the site does not tie the session cookies to the CSRF cookies, it has no way of determining that the CSRF token + cookie are genuine (doing hashing etc. of one of them will not work, as the attacker can just get a valid pair from the site directly, and use that pair in the attack).
#2

[eluser]daparky[/eluser]
[quote author="skunkbad" date="1326227690"]In my own testing I found that the csrf value would not change from one request to the next, and the same csrf value was being set in the hidden form field and cookie, again and again. This offers no protection as far as I'm concerned. I believe the token needs to be changed with every request. I use my own csrf library, and it changes the token value on every request. Yes, this might be a pain, especially when doing multiple ajax calls, but I feel safer about my applications.

Quote:... (doing hashing etc. of one of them will not work, as the attacker can just get a valid pair from the site directly, and use that pair in the attack) ...
If you've got this problem, then I think you have an authentication problem, and csrf protection is not going to protect you. Proper authentication with an encrypted csrf token that changes with every request should be good enough.[/quote]

I agree with this. How would you go about enabling CSRF regeneration on multiple AJAX requests?
#3

[eluser]skunkbad[/eluser]
[quote author="daparky" date="1347400396"]I agree with this. How would you go about enabling CSRF regeneration on multiple AJAX requests?[/quote]

Just as you would supply the token when you do your ajax request, the ajax response returns a fresh token, and you simply update the token value in your HTML. It's super easy, but assumes the current ajax response will be received before a new request is made. Community Auth makes use of this in a few places. The user management pagination, and also the custom uploader both use multiple ajax requests.
#4

[eluser]daparky[/eluser]
[quote author="skunkbad" date="1347408664"][quote author="daparky" date="1347400396"]I agree with this. How would you go about enabling CSRF regeneration on multiple AJAX requests?[/quote]

Just as you would supply the token when you do your ajax request, the ajax response returns a fresh token, and you simply update the token value in your HTML. It's super easy, but assumes the current ajax response will be received before a new request is made. Community Auth makes use of this in a few places. The user management pagination, and also the custom uploader both use multiple ajax requests.[/quote]

Thanks for this. Do you have an example method on how to achieve this? Do you have a method where, before the AJAX fires, it grabs the token?
#5

[eluser]skunkbad[/eluser]
[quote author="daparky" date="1347441875"]Thanks for this. Do you have an example method on how to achieve this. Do you have a method where before the AJAX fires it grabs the token?[/quote]

For example, here is the javascript for Community Auth's Auto Populate example:

https://bitbucket.org/skunkbad/community...opulate.js

Notice that both my CSRF library and CodeIgniter's can be used at the same time.

The ajax is making a request, and getting a response from the Auto Populate controller:

https://bitbucket.org/skunkbad/community...pulate.php

Notice on lines 117 and 118 where the CSRF tokens are being sent back in the response. One is for my CSRF library, and the other for CodeIgniter's. On lines 38 and 39 of the javascript file, you will see where the new tokens are replacing the old ones.
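As an added example (not CodeIgniter's code, and not from Community Auth): a session-bound variant of the double-submit check from post #1 that also hands back a fresh token for the response, the per-request rotation skunkbad describes in #3. The secret, session id and field names are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not CodeIgniter's csrf_verify(). The token carries an HMAC
// over the caller's session id, so a cookie/token pair an attacker obtained
// for their own session does not verify when replayed in a victim's session.
// $secret and $session_id are assumed to come from server-side config/state.

function csrf_make_token(string $secret, string $session_id): string
{
    $nonce = bin2hex(random_bytes(16));                       // fresh per request
    $mac   = hash_hmac('sha256', $session_id . '|' . $nonce, $secret);
    return $nonce . '.' . $mac;                               // goes in form field and cookie
}

function csrf_token_valid(string $secret, string $session_id, string $token): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $session_id . '|' . $nonce, $secret);
    return hash_equals($expected, $mac);                      // constant-time compare
}

// Verify the submitted pair; on success return a new token for the response
// (the client swaps it into its hidden field / ajax data). Null means reject.
function csrf_verify(string $secret, string $session_id, array $post, array $cookie): ?string
{
    if (!isset($post['csrf_token'], $cookie['csrf_cookie'])
        || !is_string($post['csrf_token']) || !is_string($cookie['csrf_cookie'])) {
        return null;
    }
    if (!hash_equals($cookie['csrf_cookie'], $post['csrf_token'])) {
        return null;                                          // double-submit mismatch
    }
    if (!csrf_token_valid($secret, $session_id, $post['csrf_token'])) {
        return null;                                          // pair not minted for this session
    }
    return csrf_make_token($secret, $session_id);             // rotate
}

// Constructed demo values. A pair minted for "attacker-session-id" is refused
// in the victim's session; a pair minted for the victim verifies and rotates.
$secret  = 'server-side-secret-assumed';
$foreign = csrf_make_token($secret, 'attacker-session-id');
var_dump(csrf_verify($secret, 'victim-session-id', ['csrf_token' => $foreign], ['csrf_cookie' => $foreign]));
$own = csrf_make_token($secret, 'victim-session-id');
var_dump(csrf_verify($secret, 'victim-session-id', ['csrf_token' => $own], ['csrf_cookie' => $own]) !== null);
```

The cookie check is kept only to match the page's double-submit layout; the session binding in csrf_token_valid() is what defeats the attacker-supplied pair.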
