Archive for February, 2008
new fashion, new ways (or not)
Some time ago, when I posted I Love CSRF (XSRF), fazed invited me to do a presentation on CSRF attacks and protection… but I haven’t heard about it since… Anyway, I wrote down my presentation, and since I haven’t been asked to do it recently I thought I’d write it up on my blog…
What will I trim from my presentation? The CSRF attack methods; I’ll leave only the defense methods…
Expiring Cookies/Sessions
If you use cookies to keep users logged in, give the cookie a short expiration time rather than letting it live until the browser is closed: a forged request can only ride a session for as long as the cookie is still valid. As an example, suppose the following cookie has been set:
—
// Expires 10 minutes after it is set. The value itself is the post's choice;
// note that a value derived only from the password is identical for every
// login and cannot be revoked without changing the password.
setcookie("auth", md5(md5($password)), time() + 600);
—
This keeps the cookie alive for 10 minutes, after which it expires. That alone is not enough: re-issue the cookie on every page of the site, so that each page the user visits grants it another 10 minutes. The result is a sliding idle timeout: active users stay logged in while abandoned sessions die quickly. Kinda rudimentary, and it only narrows the window; a forged request that arrives while the user is active still carries a valid cookie. But what else can you do if you use cookies?
Session expiration is often not under your control: it is a server setting (session.gc_maxlifetime in PHP) that you can change only if you host the site yourself; on shared hosting there is not much you can do…
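One way around the hosting problem, as an added example that is not code from the original post: keep the idle timeout in the session data itself, so it works even where session.gc_maxlifetime is not yours to change. It assumes PHP 7.3+ (array form of the cookie functions) and a session-based login; the key name 'last_activity', IDLE_LIMIT and the function name are this example's own.

```php
<?php
// Added example, not from the original post: a sliding idle timeout kept in the
// session itself, independent of the host's session.gc_maxlifetime setting.
// Assumes PHP 7.3+ and a session-based login; 'last_activity', IDLE_LIMIT and
// startSessionWithIdleTimeout are names chosen for this example.

const IDLE_LIMIT = 600; // 10 minutes, matching the cookie example above

// Returns true if the session is (still) live, false if it was idle too long
// and has been destroyed. Must run before any output, since it sends cookies.
function startSessionWithIdleTimeout(int $idleLimit = IDLE_LIMIT): bool
{
    $cookieOpts = [
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // browser withholds it on cross-site POSTs (PHP 7.3+)
    ];
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params($cookieOpts + ['lifetime' => $idleLimit]);
        session_start();
    }

    $now = time();
    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > $idleLimit) {
        // Idle past the limit: wipe the server-side state, not just the cookie.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    // Still active: record the visit and give the cookie another $idleLimit
    // seconds, which is what "set the cookie on every page" amounts to.
    $_SESSION['last_activity'] = $now;
    setcookie(session_name(), session_id(), $cookieOpts + ['expires' => $now + $idleLimit]);
    return true;
}

// Usage at the top of every authenticated page:
// if (!startSessionWithIdleTimeout()) { header('Location: /login.php'); exit; }
```

The expiry decision is made from the timestamp stored server-side, so a client that keeps presenting an old cookie after the limit still gets logged out, which a cookie-only expiry cannot guarantee.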
Referer Check
Most of the time you will rely on the Referer header to check whether the request came from the expected page; a simple implementation is the following:
—
// $_SERVER["HTTP_REFERER"] is unset when the client sends no Referer at all,
// so this version treats a missing header the same as a foreign one.
if (!isset($_SERVER["HTTP_REFERER"])
    || $_SERVER["HTTP_REFERER"] != "http://mywebsite.com/desired.php") {
    // possible csrf
}
—
As with any other value supplied by the client, the Referer is not something you control: some users, browser privacy settings and proxies strip it, so legitimate requests arrive with no Referer and this check rejects them. The header does have one useful property: a browser will not let a page on another site set it, so a Referer that is present and points off-site is a genuine cross-site request. Treat a missing Referer as unknown rather than as proof of an attack, and compare the origin (scheme and host) rather than one exact URL, which breaks as soon as the page gains a query string.
Tokens
This is probably the favourite weapon against CSRF, and it is as easy to implement as the methods above. First, assume that on login a token has been stored in the session as follows:
—
// rand() is predictable; a CSRF token must come from a CSPRNG (random_bytes, PHP 7+).
$_SESSION["token"] = bin2hex(random_bytes(16));
—
The token is then embedded as a hidden field in every form that performs an action:
—
<form name="form" action="processing.php" method="post">
<!-- md5 of the session token; the output is hex, so it is safe inside the attribute -->
<input type="hidden" name="token" value="<?php echo md5($_SESSION["token"]); ?>">
<…>
</form>
—
The first thing processing.php should do, before acting on anything else in the request, is check the token:
—
$token = $_POST["token"] ?? null;
// hash_equals() compares in constant time and avoids PHP's loose != on strings,
// which treats hex digests of the form "0e..." as equal numbers.
if (!is_string($token) || !hash_equals(md5($_SESSION["token"]), $token)) {
    // now this is csrf
    die("....CSRF!");
}
—
What next?
You only have to choose a way to protect against CSRF… I would recommend mixing the last two and setting some kind of flags: if the referer isn’t ok, set a possible-CSRF flag; and if the token doesn’t match, flag it as CSRF… But what do I know, I only wrote it for a presentation…
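The "mix the last two" design, worked through as an added example that is not code from the original post; it also covers the Referer and Tokens sections above. The referer is compared by origin (scheme, host, port) instead of an exact URL, the token is a CSPRNG value compared with hash_equals(), and a bad referer alone only raises a flag while a bad token rejects the request. The session is passed in as an array so the code runs from the CLI; in processing.php you would pass $_SESSION. SITE_ORIGIN, the key name 'csrf_token', the function names and the sample requests in selfTest() are all this example's own assumptions.

```php
<?php
// Added example, not from the original post: referer check by origin, CSPRNG
// token checked in constant time, and the two combined into flags.
// Assumptions (ours): SITE_ORIGIN, the 'csrf_token' key, all function names,
// and the constructed requests in selfTest().

const SITE_ORIGIN = 'https://mywebsite.com';

// Call once per login. rand() is predictable; random_bytes() is the CSPRNG (PHP 7+).
function issueToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Hidden field for the form; escaped out of habit even though hex is HTML-safe.
function tokenField(array $session): string
{
    $v = htmlspecialchars($session['csrf_token'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $v . '">';
}

// 'ok' = same origin, 'bad' = different origin, 'missing' = header absent.
// A missing header is ambiguous (privacy settings and proxies strip it),
// so it is reported separately rather than treated as an attack.
function refererStatus(?string $referer, string $siteOrigin = SITE_ORIGIN): string
{
    if ($referer === null || $referer === '') {
        return 'missing';
    }
    $r = parse_url($referer);
    $s = parse_url($siteOrigin);
    if ($r === false || !isset($r['scheme'], $r['host'])) {
        return 'bad';
    }
    $same = strcasecmp($r['scheme'], $s['scheme']) === 0
        && strcasecmp($r['host'], $s['host']) === 0
        && ($r['port'] ?? null) === ($s['port'] ?? null);
    return $same ? 'ok' : 'bad';
}

// hash_equals() avoids timing leaks and PHP's loose comparison, under which
// two hex strings like "0e123..." and "0e456..." compare equal with == / !=.
// $submitted is untyped on purpose: token[]=a sends an array, not a string.
function tokenValid(array $session, $submitted): bool
{
    $expected = $session['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Verdicts: 'csrf' (reject), 'possible_csrf' (accept but log), 'ok'.
function checkRequest(array $session, ?string $referer, $submittedToken): array
{
    $ref = refererStatus($referer);
    if (!tokenValid($session, $submittedToken)) {
        return ['verdict' => 'csrf', 'referer' => $ref];
    }
    return ['verdict' => $ref === 'ok' ? 'ok' : 'possible_csrf', 'referer' => $ref];
}

// Self-check against constructed requests (no web server needed).
function selfTest(): bool
{
    $session = [];
    $tok = issueToken($session);
    $cases = [
        // [referer, submitted token, expected verdict]
        ['https://mywebsite.com/desired.php', $tok,       'ok'],
        ['https://mywebsite.com:8443/x',      $tok,       'possible_csrf'], // port differs
        ['https://evil.example/attack.html',  $tok,       'possible_csrf'],
        [null,                                $tok,       'possible_csrf'], // referer stripped
        ['https://mywebsite.com/desired.php', 'deadbeef', 'csrf'],
        ['https://mywebsite.com/desired.php', null,       'csrf'],
        ['https://mywebsite.com/desired.php', ['a', 'b'], 'csrf'],          // token[]=a&token[]=b
    ];
    foreach ($cases as [$ref, $tk, $want]) {
        if (checkRequest($session, $ref, $tk)['verdict'] !== $want) {
            return false;
        }
    }
    return true;
}

echo selfTest() ? "all checks passed\n" : "FAIL\n";

// In processing.php:
//   session_start();
//   $r = checkRequest($_SESSION, $_SERVER['HTTP_REFERER'] ?? null, $_POST['token'] ?? null);
//   if ($r['verdict'] === 'csrf') { http_response_code(403); exit('CSRF!'); }
//   if ($r['verdict'] === 'possible_csrf') { error_log('possible CSRF, referer ' . $r['referer']); }
```

Run it with `php csrf.php`; it prints "all checks passed". The token is the hard check because the attacker's page cannot read it, while the referer only feeds a log: a stripped header would otherwise lock out legitimate users, and an off-site header with a valid token points at a token leak worth investigating rather than a request to silently drop.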
*UPDATE*
Server Side Protection
Found this after I finished the article; so if you want some server-side CSRF protection, check this out -> http://0x000000.com/index.php?i=484