#11 Update 'save'/'delete' actions to prevent CSRF

2.0
closed-fixed
nobody
Sessions (3)
7
2008-08-14
2008-08-06
Adam Franco
No

Various save, delete, move, and other actions that have data-writing consequences should be reworked to require a unique token for the user's session id, so that someone emailing them a link to something like the 'delete-site' action won't cause them to accidentally delete their site.

This can likely be implemented as an add-on to the RequestContext mechanism so that these data-writing actions just have to call a single method to validate the token and do not need additional logic.

-------------------------

Testing For CSRF (YES – Severe)

Summary

Cross-Site Request Forgery (CSRF) is about forcing an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Notes

It is possible for an attacker to construct a malicious script which would create another administrative user. Rapid7 recommends that Middlebury College review the code for performing administrative tasks, such as the creation of new users. A unique token ID specific to a user's session should be required for all application URIs within the Segue2 application.

References

http://www.owasp.org/index.php/Testing_for_CSRF

Found in Rapid7 security audit.

Discussion

  • Adam Franco - 2008-08-14

    Fixed in Harmoni-1.6.0/Segue-2.0-rc-2.

    Actions that involve data modification can now be configured to require per-user tokens in the request to prevent Cross-Site Request Forgeries.

    Actions can be added to the list by using $harmoni->ActionHandler->addRequestTokenRequiredActions().

    Once a module/action pair is added to the list, all URLs written to it will include the per-user token and that token will be checked before the action is allowed to execute.

    Other actions that just involve viewing data do not require these tokens and will not have them placed in their URLs to allow users to copy/paste from the address bar for view-actions.

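The token scheme proposed in the ticket and described in the comment above, as an added example that is not part of the ticket, the audit, or the Harmoni/Segue code: a small PHP class with the same shape (a list of module/action pairs that require a token, a URL writer that appends the per-session token only for those actions, and a check that runs before the action executes). Apart from the method name addRequestTokenRequiredActions, every name here (the class, the 'request_token' parameter, the in-memory session array standing in for $_SESSION, the sample module/action pairs and requests) is an assumption for illustration.

```php
<?php
// Added example, not Harmoni's code: a per-session request token of the kind
// this ticket describes. Names other than addRequestTokenRequiredActions()
// are assumptions; the session is an in-memory array standing in for $_SESSION.

class RequestTokenHandler
{
    /** @var array<string, bool> "module/action" pairs that must carry a token */
    private array $required = [];

    /** @var array<string, mixed> stand-in for $_SESSION */
    private array $session;

    public function __construct(array $session = [])
    {
        $this->session = $session;
    }

    // Same idea as $harmoni->ActionHandler->addRequestTokenRequiredActions():
    // register the data-modifying module/action pairs.
    public function addRequestTokenRequiredActions(array $pairs): void
    {
        foreach ($pairs as [$module, $action]) {
            $this->required["$module/$action"] = true;
        }
    }

    public function requiresToken(string $module, string $action): bool
    {
        return isset($this->required["$module/$action"]);
    }

    // One unpredictable secret per session, created lazily and kept server-side.
    public function token(): string
    {
        if (empty($this->session['request_token'])) {
            $this->session['request_token'] = bin2hex(random_bytes(16));
        }
        return $this->session['request_token'];
    }

    // URL writer: the token is appended only for registered actions, so links
    // to view-only actions stay free of it and can be copied from the address bar.
    public function writeUrl(string $module, string $action, array $params = []): string
    {
        $query = ['module' => $module, 'action' => $action] + $params;
        if ($this->requiresToken($module, $action)) {
            $query['request_token'] = $this->token();
        }
        return '/index.php?' . http_build_query($query);
    }

    // Check run before the action executes. hash_equals() compares in constant
    // time; a missing, non-string or wrong token fails closed.
    public function validate(array $request): bool
    {
        $module = (string) ($request['module'] ?? '');
        $action = (string) ($request['action'] ?? '');
        if (!$this->requiresToken($module, $action)) {
            return true; // view-only action: no token expected
        }
        $supplied = $request['request_token'] ?? null;
        return is_string($supplied) && hash_equals($this->token(), $supplied);
    }
}

// --- Constructed demonstration ---------------------------------------------
$handler = new RequestTokenHandler();
$handler->addRequestTokenRequiredActions([
    ['sites', 'delete-site'],   // the action named in the ticket
    ['users', 'create'],        // the administrative action the audit singles out
]);

// 1. Link written by the application itself: carries the token and validates.
$url = $handler->writeUrl('sites', 'delete-site', ['site_id' => 42]);
parse_str((string) parse_url($url, PHP_URL_QUERY), $legitimate);
$legitimateOk = $handler->validate($legitimate);

// 2. The same action forged by someone who does not hold the victim's session:
//    no token, or a guessed one, and the request is refused.
$forged = ['module' => 'sites', 'action' => 'delete-site', 'site_id' => 42];
$forgedNoToken = $handler->validate($forged);
$forged['request_token'] = str_repeat('0', 32);
$forgedGuessed = $handler->validate($forged);

// 3. A view action gets no token in its URL and needs none.
$viewUrl = $handler->writeUrl('sites', 'view', ['site_id' => 42]);
$viewOk  = $handler->validate(['module' => 'sites', 'action' => 'view']);

printf("legitimate=%d forged-no-token=%d forged-guessed=%d view-ok=%d token-in-view-url=%d\n",
    $legitimateOk, $forgedNoToken, $forgedGuessed, $viewOk,
    strpos($viewUrl, 'request_token') !== false);
```

The request built from the application's own URL validates, both forged requests are refused, and the view URL carries no token. Two caveats a reviewer would raise against this design as described: a token carried in the query string can leak through the Referer header and browser history of any page the protected page links to, so keeping it out of view URLs (as the comment does) limits but does not remove that exposure, and sending state-changing requests as POST with the token in the body avoids it; and because the token lives in the session, it should be discarded at login so that a value observed in a pre-authentication session is not honoured afterwards.
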
  • Adam Franco - 2008-08-14
    • status: open --> closed-fixed