CSRF off but posts from any domain are accepted now

#1
HI,

I am a bit lost on the concept of CSRF in CodeIgniter. I want to post data from domain1 to domain2 (CI ready). To do that, I enabled CORS, but it fails. I turned off CSRF and it works without any CORS header directives. That means CSRF off leads to data being posted from any website at all.

Is that supposed to happen? Or is it my environment, because I have localhost/domain1 to localhost/domain2?

#2
With CSRF off (and I do not think it supports a CORS override of any sort, as that would be contrary to the point of it) any website can post to your website URLs. That is true.

You would have to implement your own validation for incoming posts that validated the source as part of the request (a domain or user key of some description). That key would be validated against the incoming domain name and allowed to action or not.

Using CORS, you would be able to determine if the posting domain is allowed or not, by checking the domain and posting responses back to the requesting domain. For sensitive usage you would perhaps want further validation before proceeding of course.

So yes, that is supposed to happen.

(I am no expert in this, but that is just my opinion on your question.) I hope that helps,

Paul.

#3
(07-11-2016, 05:42 AM)PaulD Wrote: With CSRF off (and I do not think it supports a CORS override of any sort, as that would be contrary to the point of it) any website can post to your website URLs. That is true.

You would have to implement your own validation for incoming posts that validated the source as part of the request (a domain or user key of some description). That key would be validated against the incoming domain name and allowed to action or not.

Using CORS, you would be able to determine if the posting domain is allowed or not, by checking the domain and posting responses back to the requesting domain. For sensitive usage you would perhaps want further validation before proceeding of course.

So yes, that is supposed to happen.

(I am no expert in this, but that is just my opinion on your question.) I hope that helps,

Paul.

Hey Paul,

Thanks for the assurance. So, where would I reject incoming calls from, say, other domains? I already have API and data check-ups in place even after a domain gets in, but it would help to reject beforehand and eliminate the unnecessary checks. I tried hooks with pre_system, but still the post event is called.

#4
I don't have much experience with pre-system hooks but either there, or in pre-controller would do it.

All you would have to do is collect the API Key from the incoming request, validate it, and return an error 401 access denied if authentication failed. The controller would never actually be called in this case.

However, perhaps someone with more direct experience of doing this will be able to help further with this.

How you generate the API key and validate it is another story altogether of course.

Sorry not to be much help,

Paul.

#5
One option would be to extend the Security class to use a custom csrf_verify() method. In that case you could use custom code to verify your special case and use the existing code to handle all other cases (e.g. return parent::csrf_verify(); when the requirements for your custom code aren't met). Then you could keep CSRF enabled, but allow requests between your domains when you can determine that they are valid.

#6
Use $_SERVER['HTTP_REFERER'] to get the referrer URL, then extract its host using parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST); Lastly, compare the host from the parse_url() result with your URL whitelist. Don't forget to send the appropriate HTTP response headers.

parse_url() http://php.net/manual/en/function.parse-url.php
$_SERVER http://php.net/manual/en/reserved.variables.server.php
Keep calm.
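Putting the suggestions from #5 (override csrf_verify() in an extended Security class) and #6 (whitelist the referring host) together, as an added example that is not from this thread or from CodeIgniter itself: it assumes CodeIgniter 3's MY_ core-extension convention, a made-up trusted host list, and a placeholder shared secret sent by domain1 in an X-Api-Key header. The host check alone fails closed when the header is absent, and the key is what actually distinguishes localhost/domain1 from localhost/domain2, since both report the host "localhost".

```php
<?php
// application/core/MY_Security.php (CodeIgniter 3 core-extension naming)
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Security extends CI_Security
{
    // Hosts allowed to post cross-domain. Assumed values; keep them in config in practice.
    private $trusted_hosts = array('domain1.example');

    // Shared secret domain1 sends in the X-Api-Key header. Placeholder, not a real key.
    private $api_key = 'REPLACE-WITH-LONG-RANDOM-SECRET';

    public function csrf_verify()
    {
        // Only a trusted source host *and* a valid key skip the token check;
        // every other request falls through to the stock CSRF verification.
        if ($this->is_trusted_cross_domain_request())
        {
            log_message('info', 'CSRF token check skipped for trusted cross-domain POST');
            return $this;
        }
        return parent::csrf_verify();
    }

    private function is_trusted_cross_domain_request()
    {
        if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST')
        {
            return FALSE;
        }
        // Prefer Origin (browsers send it on cross-site POSTs); fall back to Referer.
        // Either may be missing or stripped by proxies, so absence must fail closed.
        $source = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN']
                : (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '');
        $host = parse_url($source, PHP_URL_HOST);
        if (empty($host) OR ! in_array(strtolower($host), $this->trusted_hosts, TRUE))
        {
            return FALSE;
        }
        // localhost/domain1 and localhost/domain2 share the host "localhost", so the
        // host check cannot separate them; the shared key does. Constant-time compare.
        $sent = isset($_SERVER['HTTP_X_API_KEY']) ? $_SERVER['HTTP_X_API_KEY'] : '';
        return hash_equals($this->api_key, $sent);
    }
}
```

Because Origin and Referer are client-supplied, treat the host whitelist as a cheap early filter and the key comparison as the real control; the existing API checks in the controller still apply afterwards.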