Static CSRF

#1
Hello there!

I was having some issues with AJAX, going forward/back in history, and the CSRF token.

So someone said to me, "Well, maybe set csrf_regenerate to FALSE; you don't always need a new token."

My question here is: is this secure? It won't allow someone to send JavaScript to my client with a loop doing something like this:

www.mywebsite.com/admin/states/delete/?id=1
www.mywebsite.com/admin/states/delete/?id=2
www.mywebsite.com/admin/states/delete/?id=3
www.mywebsite.com/admin/states/delete/?id=4

Another thing: my website won't log you out until you ask it to, so my $config['csrf_expire'] is 77760000;

Anyone can help me with this one?
Reply

#2
If you have a token that is static for the entire session, then yes, a compromised CSRF token can be used again and again by the attacker.

Quote: My question here is: is this secure?
No, it most certainly is not. It is a bit more secure than having no CSRF protection, but not much, and it is a poor implementation.

It is unwise to not regenerate the token. But I suppose in less mission critical places like submitting a contact form or other such simple thing, you could do this. But in anything but the most simple application, setting regenerate to FALSE is a bad idea.

E.g., a quick Google search for this: https://haiderm.com/10-methods-to-bypass...gery-csrf/ (see "exploiting poor implementation").

Best wishes,

Paul
Reply
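An added illustration, not code from this thread or from CodeIgniter: a small Python model of a session CSRF token with and without regeneration, showing why one captured token keeps working for the whole session in the static case, and how an AJAX client keeps working with regeneration on by reading the fresh token from each response. The class and function names are my own assumptions.

```python
import hmac
import secrets


class CsrfGuard:
    """Session-bound CSRF token. regenerate=True rotates it after every
    successful check (what the thread calls csrf_regenerate); False keeps
    one token for the whole session. Constructed model, not framework code."""

    def __init__(self, regenerate: bool):
        self.regenerate = regenerate
        self.token = secrets.token_hex(16)

    def issue(self) -> str:
        # Value the server embeds in the page (and echoes in AJAX responses)
        return self.token

    def verify(self, submitted: str) -> bool:
        ok = hmac.compare_digest(submitted, self.token)
        if ok and self.regenerate:
            self.token = secrets.token_hex(16)  # one-time use
        return ok


def replay_window(regenerate: bool, attempts: int = 4) -> int:
    """How many forged requests a single captured token authorises.
    The legitimate user sends one request first, then the captured value
    is resubmitted `attempts` times (the delete/?id=1..4 loop in the thread).
    A long csrf_expire (77760000 s is 900 days) only lengthens this window
    in the static case; it changes nothing for the regenerating one."""
    guard = CsrfGuard(regenerate)
    captured = guard.issue()
    assert guard.verify(captured)  # the user's own, legitimate request
    return sum(guard.verify(captured) for _ in range(attempts))


def ajax_client_keeps_working(requests: int = 5) -> bool:
    """Regeneration does not have to break AJAX: the server returns the
    fresh token in each response and the client sends that one next time."""
    guard = CsrfGuard(regenerate=True)
    current = guard.issue()
    for _ in range(requests):
        if not guard.verify(current):
            return False
        current = guard.issue()  # read the rotated hash from the response
    return True
```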

#3
(11-25-2017, 09:24 AM)PaulD Wrote: But I suppose in less mission critical places like submitting a contact form or other such simple thing, you could do this.

And welcome the spam bots with that. :)

Unless you put a CAPTCHA in there, which you should ... and it's a form of CSRF protection.
Reply

#4
Yes, I would not do it now, but have in the past. I really hate those contact form bots. Having said that, I would never turn regenerate off in the first place of course.

If people far more advanced and experienced than me have gone to a lot of trouble to give me security tools, the least I can do is use them!

Paul.
Reply

#5
Ok, thank you guys!
Reply
