Cross Site Request Forgeries
#1

[eluser]schnoodles[/eluser]
Hello, I was wondering if CI has any way of stopping CSRF (Cross Site Request Forgeries) on sites. I know of the method of having a hidden input field on every form you have on your site, but the problem is my site is nearly finished and has A LOT of forms; I kind of don't want to go back and forth rewriting them all.

Does anyone use another way? Is there a plugin for CodeIgniter I could use?

How does everyone get around this?
#2

[eluser]axle_foley00[/eluser]
I know CI should do a pretty decent job of handling XSS (Cross Site Scripting) attacks. As for any inbuilt functionality in CI to help prevent CSRF, I dunno, perhaps a dev or one of the more senior community members can speak on that. But in any case as a developer you can look into it yourself as well just to make sure. Below is a link to an article by Chris Shiflett on CSRF. It has an example exploit and how you could go about safeguarding against it. Hope it helps:

Chris Shiflett: Security Corner: Cross-Site Request Forgeries
#3

[eluser]schnoodles[/eluser]
Yes, I currently read that, which made me very concerned, so I did some digging around and found out that ExpressionEngine has a class to help with CSRF, but CodeIgniter doesn't seem to have anything.

So I was wondering if it's getting added or if there is no protection, or, for people who do use CodeIgniter, if they found a good way of handling CSRF.
#4

[eluser]axle_foley00[/eluser]
[quote author="schnoodles" date="1192007515"]Yes, I currently read that, which made me very concerned, so I did some digging around and found out that ExpressionEngine has a class to help with CSRF, but CodeIgniter doesn't seem to have anything.

So I was wondering if it's getting added or if there is no protection, or, for people who do use CodeIgniter, if they found a good way of handling CSRF.[/quote]

There are no classes/helpers that I know of that deal specifically with CSRF for CI. As for whether or not it's in the works, I'm not sure either. You can check the SVN repository and see, but if it's not there then you could make a post for it as a feature request or look into making your own. Perhaps even port the class used in EE as a CI helper (asking permission first of course).

Terribly sorry I couldn't be of more help. I do hope someone else will be able to better assist with this one.
#5

[eluser]schnoodles[/eluser]
Yeah hopefully someone else might be able to help.

So far the easiest solution I can think of is hacking up a hook to check to see if the tokens are the same, as well as hacking form_close() to echo a hidden input with the token in it, because it closes the form.

Although that is all ugly, and there should be a lot cleaner ways than that.
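An added example (not code from this thread, from CodeIgniter or from ExpressionEngine) of the token scheme this post describes, in plain PHP: the form helper's job is to emit the hidden field, and the hook's job is to compare the submitted token with the session copy before any controller runs. It assumes a PHP session is active and reads $_SESSION directly; the field name csrf_token and the function names are my own choices.

```php
<?php
// Added example: synchronizer-token CSRF protection in plain PHP.
// Assumes session_start() has already run; $_SESSION is used directly.
// The field name 'csrf_token' is an arbitrary choice for this example.

const CSRF_FIELD = 'csrf_token';

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in HTML.
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// The hidden input that every state-changing form must carry; this is
// what the post proposes appending from form_close().
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy. hash_equals() is a
// constant-time comparison, so a wrong guess cannot be refined by timing.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION[CSRF_FIELD]) || !isset($post[CSRF_FIELD])) {
        return false;
    }
    return is_string($post[CSRF_FIELD])
        && hash_equals($_SESSION[CSRF_FIELD], $post[CSRF_FIELD]);
}

// The check the post describes putting in a hook: run on every POST
// before the controller, and refuse the request when the token is
// missing or wrong. Only POST (state-changing) requests are gated.
function csrf_guard(string $method, array $post): void
{
    if ($method === 'POST' && !csrf_valid($post)) {
        http_response_code(403);
        exit('The action you requested is not allowed (CSRF token mismatch).');
    }
}

// Demonstration with constructed requests; no real HTTP session is needed.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];                  // stand-in for session_start()
    echo csrf_hidden_field(), PHP_EOL;

    // A form rendered by this site echoes the session token back.
    var_dump(csrf_valid([CSRF_FIELD => csrf_token()]));

    // A request forged from another origin cannot read the victim's
    // token, so it either omits the field or carries a wrong value.
    var_dump(csrf_valid([]));
    var_dump(csrf_valid([CSRF_FIELD => str_repeat('0', 64)]));
}
```

The token is tied to the session rather than to each form, which is what makes a single hook sufficient: a forged cross-site POST is rejected because the attacker's page cannot read the victim's session token, while a genuine form always carries it. Note that the comparison must happen on the server for every state-changing request; client-side checks or a Referer header alone are not enough, since some browsers and proxies strip the Referer.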
#6

[eluser]Phil Sturgeon[/eluser]
You could do some simple referrer checking, but I'm not sure how you could make that an integrated part of the form submitting process. Perhaps some crazy config option for the input class that will ONLY allow your site to show POST values if the referrer began with your site_url()?
#7

[eluser]Derek Allard[/eluser]
Good news then. Rick's cooking up CSRF protection in the development copy of CI. In order for it to work you'll need to be using form_open() from the form helper. You might want to start porting your apps to use it - that's what I'm doing with BambooInvoice, to be forward compatible. EE's had it for a long time, and effectively had it, so we're moving to port it out.

And um... please, please, please don't ask me when to expect it... I don't know.
#8

[eluser]axle_foley00[/eluser]
There you go, schnoodles. Hehe, thanks for letting us know about this, Derek.
#9

[eluser]Derek Allard[/eluser]
My pleasure gents.
#10

[eluser]Michael Wales[/eluser]
[quote author="Derek Allard"]Rick's cooking up CSRF protection in the development copy of CI.[/quote]

Are the changes reflected in the SVN repository? Speaking of which, I'm new to this version control stuff, is CI's repo a nightly build or how often can we expect new work to appear in there? Does it reflect the daily work put into CI 1.5.5, or is it just what is released based on the EllisLabs team?