CSRF forDisallowedAction Errors in Logs
#1

Hi there,

Throughout our error logs, we are seeing 100s of the below CSRF errors:

CRITICAL - 2022-02-24 19:49:22 --> The action you requested is not allowed.
#0 /home/system/Security/Security.php(289): CodeIgniter\Security\Exceptions\SecurityException::forDisallowedAction()
#1 /home/system/Filters/CSRF.php(53): CodeIgniter\Security\Security->verify(Object(CodeIgniter\HTTP\IncomingRequest))
#2 /home/system/Filters/Filters.php(173): CodeIgniter\Filters\CSRF->before(Object(CodeIgniter\HTTP\IncomingRequest), NULL)
#3 /home/system/CodeIgniter.php(386): CodeIgniter\Filters\Filters->run('controller...', 'before')
#4 /home/system/CodeIgniter.php(320): CodeIgniter\CodeIgniter->handleRequest(NULL, Object(Config\Cache), false)
#5 /home/public/index.php(37): CodeIgniter\CodeIgniter->run()
#6 {main}

It looks like this is the SecurityException being thrown from the Security.php class:

// Do the tokens match?
if (! isset($token, $this->hash) || ! hash_equals($this->hash, $token)) {
throw SecurityException::forDisallowedAction();
}

We have manually tested our forms a number of times, and cannot reproduce the logged errors.  If the tokens do not match then perhaps it's some kind of bot or attack - but in that case, why handle this by hammering the logs with these errors / exceptions?
#2

I think it is better to log more about the attack requests and to filter the access before the web server by IP address or something.
Disabling logging does nothing to the attacks.
#3

(02-24-2022, 09:52 PM)kenjis Wrote: I think it is better to log more about the attack requests and to filter the access before the web server by IP address or something.
Disabling logging does nothing to the attacks.

We certainly don't want to disable logging as we find it necessary for bug / error tracking. Do you know how we can add additional logging for when this error triggers? For example, how would we add: $this->session->get('ip') whenever this error occurs? And lastly, can you explain how we would "filter the access before the web server"?
#4

Hi @kenjis,
We did some more digging, and discovered that the exception errors in the logs are coming from Security -> CSRF.php line 59 for only AJAX requests:
PHP Code:
public function before(RequestInterface $request, $arguments = null)
{
    // CLI requests carry no session or cookie, so there is nothing to verify.
    if ($request->isCLI()) {
        return;
    }

    $security = Services::security();

    try {
        $security->verify($request);
    } catch (SecurityException $e) {
        // Normal form posts are redirected back with the error message ...
        if ($security->shouldRedirect() && ! $request->isAJAX()) {
            return redirect()->back()->with('error', $e->getMessage());
        }

        // ... but AJAX requests re-throw, which is what ends up in the log.
        throw $e;
    }
}

Any security request verification that is NOT Ajax is fine, as the system will redirect. But any Ajax request is causing errors in the log, since this class is throwing an exception. We don't want to mute all exceptions in our logs - is there any solution here?
Thank you so much for your guidance.
#5

It is simple. Just send a valid CSRF token in all Ajax requests.
Because checking that the CSRF token sent is correct is how CSRF protection works.

See https://codeigniter4.github.io/userguide...html-forms
and https://codeigniter4.github.io/userguide...t-by-users
#6

We already do submit a valid CSRF token for all Ajax requests as such:

var formData = {
    csrfToken: $('input[name="csrf_token"]').val()
};

$.ajax({
    type: 'post',
    headers: {'X-Requested-With': 'XMLHttpRequest'},
    url: '/data/submit',
    data: formData,
    ...

The form works as expected, without csrf errors - unless 1) the user has deleted their csrf cookie (which we can reproduce), or 2) perhaps some other bot activity. Due to #1 and/or #2, we are seeing a significant number of daily csrf errors.
#7

(This post was last modified: 03-22-2022, 11:12 PM by ignitedcms.)

If it is a bot attack could you implement IP throttling on your forms as mentioned above?
Practical guide to IgnitedCMS - Book coming soon, www.ignitedcms.com
#8

This is one of the best examples for CSRF that I have seen and it works.

How to Send AJAX request with CSRF token in CodeIgniter 4

Also make sure you do a 
PHP Code:
session_write_close(); 
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#9

(This post was last modified: 03-23-2022, 12:53 AM by ignitedcms.)

Apologies if I understood the question incorrectly, but I think the OP is not having issues implementing CSRF with ajax but rather complaining about the error log as it appears to be indicative of a bot attack. I think this is working as designed, but to add to this, in general, it is a good idea to have IP throttling on any controller/route, either secured or not, so as to reduce ill-intentioned http requests?
Practical guide to IgnitedCMS - Book coming soon, www.ignitedcms.com
#10

(This post was last modified: 03-23-2022, 05:16 AM by stresbiz.)

IP throttling is not the issue. We have a throttling solution in place. And our CSRF, and form with ajax is working. We're simply trying to eliminate/mute this particular error for the CSRF exceptions, without turning off exceptions completely in the logs.
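One way to get what posts #4 and #10 ask for, as an added example that is not from this thread or from the CodeIgniter project: a drop-in replacement for the stock CSRF filter that, for AJAX requests only, writes a single notice line with the client IP (the extra logging asked for in post #3) and answers 403 JSON instead of re-throwing, so the CRITICAL stack traces stop while every other exception still reaches the log. The class name `CsrfAjaxAware` and its location under `app/Filters` are assumptions; it takes effect once the `csrf` entry in the `$aliases` array of `app/Config/Filters.php` points at `\App\Filters\CsrfAjaxAware::class`.

```php
<?php
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Security\Exceptions\SecurityException;
use Config\Services;

// Assumed file: app/Filters/CsrfAjaxAware.php (example, not CodeIgniter's own filter).
class CsrfAjaxAware implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        if ($request->isCLI()) {
            return;
        }

        $security = Services::security();

        try {
            $security->verify($request);
        } catch (SecurityException $e) {
            // Same behaviour as the stock filter for ordinary form posts.
            if ($security->shouldRedirect() && ! $request->isAJAX()) {
                return redirect()->back()->with('error', $e->getMessage());
            }

            if ($request->isAJAX()) {
                // One notice line with method, URI and client IP instead of a CRITICAL
                // trace; the request still fails closed with a 403 and a JSON body.
                log_message('notice', 'CSRF token mismatch on AJAX {method} {uri} from {ip}', [
                    'method' => $request->getMethod(),
                    'uri'    => (string) $request->getUri(),
                    'ip'     => $request->getIPAddress(),
                ]);

                return Services::response()
                    ->setStatusCode(ResponseInterface::HTTP_FORBIDDEN)
                    ->setJSON(['error' => $e->getMessage()]);
            }

            // Anything else keeps the original behaviour and is logged as before.
            throw $e;
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
    }
}
```

The AJAX client then receives a 403 with a JSON body it can act on (for example by reloading the page to obtain a fresh token), which also covers the deleted-cookie case described in post #6.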