• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[Question]CSRF cookie for ajax

#1
Im actually pretty curious about this and i want to ask what's the best practice for it.

Im building a "live edit table" using codeingiter and i'm using ajax to insert the data. if you check the code on the view source the ajax is always on the bottom to work, an attacker can can use the "view source" to see the name of the cookie and the key. Its ok if it's inside the admin panel but what happens when you must add the ajax it on an outside view and have the cookie regeneration set to false?

I tryed to add the ajax code inside an external file but it seems not working....
Reply

#2
Putting JS in an external file will make no difference as you can just as easily view these as anything else running on your browser.

You have a few approaches here.
You can make the CSRF regenerate on each usage. This is more complex for Ajax as you will have to write the new cookie information somewhere as part of your ajax call.
You can remove the CSRF from the Ajax, and authorise the user in a different way.
You can encrypt the cookie data (if you need to).

You cannot hide the name of the cookie, but the point is the contents of the token is matched to a value kept on the server (files or database) so that only a page generated by the server can submit the form. It is not intended to authorise a user or be used for authentication of roles and permissions etc.

Finally, if it is a concern, you should also run some sort of process to prevent multiple edits within a fixed time period.

Really though, the level of security you need to implement is highly dependent on what exactly the data is doing, who it is for, the consequences of misuse and the whole point of the site/page functionality. For instance, if you are just calculating someones age on Jupiter, then security is not really an issue in terms of misuse compared to if you are letting someone access their account details and editing their orders.

Hope that helps in some way,

Best wishes,

Paul.

PS I would never make something editable without knowing who the user is via login/membership/authorisation processes. In that case, the functionality of CSRF is perfect for ajax, especially if it regenerates on each usage. If you are taking public annonymous input then you have to be much more careful about sanitizing and controlling user input.
Reply

#3
Thanks for the detailed reply Paul, im always using ajax on safe places like admin etc but this time i want to create an live "hotel list" with jquery filters and i need the ajax to pull the data and pass it to jquery on document ready.

I will use your advice and encrypt the key and the name of the token unless you can suggest anything else for that senario.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.