CSRF – Cross Site Request Forgery
“Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user’s context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the target’s browser without knowledge of the target user, at least until the unauthorised function has been committed.”
from OWASP WIKI
I did my Google Summer of Code in 2014 with the OWASP Foundation on the CSRF Protector Project, which introduced an easy way to mitigate CSRF in web applications. It's based on the research paper "A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications" (View) by Riccardo Pelizzi and R. Sekar. The project was implemented in two parts:
- Standalone PHP library: an easy-to-use library in PHP. How to use it can be summarised as: (View on Github)
- Download the library!
- Configure it, by simply modifying the config file.
- In your code, include the library: include __DIR__ . '/path/to/library/file';
- Call the init method: csrfprotector::init();
- Apache 2.2.x module: if you are a server administrator and wish to mitigate CSRF without changing a single line of application code, simply install this Apache module and you are good to go! (View on Github)
Validation: when a request is received, it goes through the library's input filter, where the token sent in the payload is compared with the one stored in the session variable. If the match succeeds, all tokens older than the matched one are removed from the server and a new token is generated. If the validation fails, one of the few configured actions (it can be changed in the config file) is taken and the event is logged.
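The validation flow described above, written out as an added example. This is not the CSRF Protector library's code and uses its own hypothetical names (Session, issue_token, validate_request, FailureAction, the csrf_token field name and the MAX_TOKENS cap); the page's "tokens older than the matched one are removed" is taken literally, so the matched token itself stays valid for parallel tabs, and the failure actions are illustrative rather than the library's real config values.

```python
"""Token validation flow modelled on the description above.

Added example: Session, issue_token, validate_request, FailureAction,
TOKEN_FIELD and MAX_TOKENS are hypothetical names, not the CSRF Protector
library's own API.
"""
import hmac
import logging
import secrets
from dataclasses import dataclass, field
from enum import Enum

log = logging.getLogger("csrf-example")

TOKEN_FIELD = "csrf_token"   # assumed payload key carrying the token
MAX_TOKENS = 4               # assumed cap: keep a few tokens for parallel tabs


class FailureAction(Enum):
    """Hypothetical configurable actions taken when validation fails."""
    FORBIDDEN = "forbidden"   # answer 403 and stop processing
    REDIRECT = "redirect"     # send the user to a harmless page
    STRIP = "strip"           # drop the payload and serve the page read-only


@dataclass
class Session:
    """Server-side session state; the newest token is last in the list."""
    tokens: list = field(default_factory=list)


def issue_token(session: Session) -> str:
    """Generate a fresh random token, store it, and cap the stored set."""
    token = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
    session.tokens.append(token)
    del session.tokens[:-MAX_TOKENS]       # forget the oldest beyond the cap
    return token


def validate_request(session: Session, payload: dict, action: FailureAction):
    """Compare the submitted token against the stored ones.

    On a match, every token older than the matched one is discarded and a
    new token is generated.  On a mismatch the configured action is
    returned and the event is logged.
    Returns (ok, action_or_None, new_token_or_None).
    """
    submitted = payload.get(TOKEN_FIELD, "")
    if not isinstance(submitted, str) or not submitted.isascii():
        submitted = ""                     # compare_digest needs ASCII str
    matched = None
    for i, stored in enumerate(session.tokens):
        # constant-time compare so timing does not leak the stored token
        if hmac.compare_digest(stored, submitted):
            matched = i
            break
    if matched is None:
        log.warning("CSRF validation failed, action=%s", action.value)
        return False, action, None
    del session.tokens[:matched]           # prune everything older than the match
    return True, None, issue_token(session)


def main():
    sess = Session()
    t1, t2 = issue_token(sess), issue_token(sess)
    ok, act, fresh = validate_request(sess, {TOKEN_FIELD: t2}, FailureAction.FORBIDDEN)
    print("valid submission:", ok, "| stored now:", sess.tokens == [t2, fresh])
    ok, act, _ = validate_request(sess, {TOKEN_FIELD: t1}, FailureAction.FORBIDDEN)
    print("replay of pruned token:", ok, act)


if __name__ == "__main__":
    main()
```

The constant-time compare and the CSPRNG source are the two details worth copying into any home-grown variant; the pruning rule is what keeps a token from being replayed once a newer one has been consumed.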
Conclusion is, it's pretty easy to use: Download, Configure, Include, Smile!
I recently implemented a lighter version of the library, and it's used by todofy. It brings certain performance improvements over the original one, but is comparatively difficult to implement. It's available on Github at: todofy/CSRF-Protector-PHP-LITE
- OWASP Wiki on CSRF Protector: https://www.owasp.org/index.php/CSRFProtector_Project
- Github: CSRF Protector PHP: https://github.com/mebjas/CSRF-Protector-PHP/
- Github: mod_csrfprotector: http://github.com/mebjas/mod_csrfprotector
- Research paper: A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications, Riccardo Pelizzi and R. Sekar
- CSRF Protector PHP Lite by todofy: https://github.com/todofy/CSRF-Protector-PHP-LITE