 | News Feed |
 | Jobs Feed |
Sections
|
| feed this: |  |
PHPMaster.com: Preventing Cross-Site Request Forgeries
by Chris Cornutt September 28, 2011 @ 10:12:11
SitePoint' PHPMaster.com has a new tutorial posted today from Martin Psinas about some tactics to prevent cross-site request forgeries from happening in your PHP application. The article introduces key concepts of CSRF and how you can keep it from happening in your code.
Cross-site request forgery (CSRF) is a common and serious exploit where a user is tricked into performing an action he didn't explicitly intend to do. This can happen when, for example, the user is logged in to one of his favorite websites and proceeds to click a seemingly harmless link. In the background, his profile information is silently updated with an attacker's e-mail address. [...] Any action that a user is allowed to perform while logged in to a website, an attacker can perform on his/her behalf, whether it's updating a profile, adding items to a shopping cart, posting messages on a forum, or practically anything else.
He shows it to you "in action" with a PHP script for a basic login page that takes a username and password, does some filtering and sets the username to the session. Their "harmless.html" file offers a link to the site's "process" page with a logout action that would allow the "harmless" file access to the current session if clicked. To prevent this from happening, they suggest a unique token be included in interactions on your site. This key is checked against a token in the current session (or other location) and is only valid if they match.
The Symfony framework has included this as a part of their forms for a while now and includes automatic handling to check its validity. Solutions also exist for other frameworks like Zend Framework and many others.
voice your opinion now!
csrf crosssiterequestforgeries crosssite security token
Michael Nitschinger's Blog: Securing Lithium Forms
by Chris Cornutt June 08, 2011 @ 12:03:23
Michael Nitschinger has a new post to his blog today showing how you can secure the forms in Lithium using the handy CSRF token implemented directly in the framework.
CSRF (Cross-Site-Request-Forgery) attacks work by sending arbitary (form) requests from a victim. Normally, the receiving site (in our case the Controller who processes the form data) doesn't know where the data comes from. The CSRF protection in Lithium aims to solve this problem in an elegant and secure way. You can read more about those attacks here. Note that you'll need to clone the latest master branch of Lithium if you want to try it out now.
There's two parts to the protection, one on either side of things - a field in the form output and a check in the controller to see if the submitted value is correct. He includes code for a simple form (a title field and submit button) that lazy loads the Security helper and generates the token for you. He walks through the controller side of things a line at a time and includes a sample logging/forwarding bit in the second example to redirect users when the CSRF check doesn't pass.
voice your opinion now!
secure lithium framework form csrf security
Paul Reinheimer's Blog: Stop Messing up CSRF Protection
by Chris Cornutt November 10, 2008 @ 08:47:53
In his latest post Paul Reinheimer looks at cross-site request forgeries and, despite the best efforts of the PHP security community, how developers still just miss the point in protecting their own code.
So, cross site request forgeries are a pretty common topic these days; they're in almost every security talk, book, site etc. This is okay; they're important [...] Most of the sites, and all of the books I've read demonstrate things correctly, but when it comes to actual implementation, time and time again, I see code that's just wrong.
He looks at two of the "essentials" when it comes to protecting you and your application - comparison (not taking other values of variables into account) and the unpredictable token (not making tokens, like md5 hashes of information, random enough).
voice your opinion now!
crosssite request forgery csrf comparison unpredictable token random
Jani Hartikainen's Blog: How to CSRF protect all your forms
by Chris Cornutt October 16, 2008 @ 12:07:26
Jani Hartikainen has posted a few ideas on cross site request forgeries in a new blog entry, including some methods to help prevent it in your application.
CSRF, or Cross-Site Request Forgery, is a vulnerability very common in websites. [...] This can be dangerous, especially if your admin interface is compromised: There may be a button on the other site which goes to your admin interface and deletes the latest blogpost for example - and you wouldn't want that!
His method is a three-step process for protection - use POST, protect against cross-site scripting and use a CSRF key in the form to help prevent abuse. A simple script is included to show it working and is adapted to work in a controller plugin for the Zend Framework.
voice your opinion now!
csrf crosssite request forgery xss scripting form protect
Symfony Blog: Security must be taken seriously
by Chris Cornutt October 03, 2008 @ 08:49:25
On the symfony blog Fabien Potencier encourages all symfony developers that the security of your application must be taken seriously and that, despite the built-in protection the framework offers, there still could be issues.
The symfony framework has always provided the tools needed by the developers to secure their applications. With the new form framework, we have added an automatic protection against CSRF. Speaking of the form framework, we have also added a lot of security features to protect you against all sort of injections.
He does include an example, though, of a situation where it's not just about protecting from cross-site scripting or attacks. It's about checking user input to ensure it's what it should be. They give the example of a user pushing an "is_admin" value into a form posting where there wasn't one and updating the right column to give them admin rights.
He mentions some work the Rails team has tried to do to prevent this sort of thing automatically, but Fabian points out what the symfony framework already does - prevent any injected fields other than what's in the forms from being submitted and included.
voice your opinion now!
symfony form user input security xss csrf
Templora.com: Basic PHP Script Security
by Chris Cornutt December 28, 2006 @ 15:49:05
As mentioned on Digg, there's a very simple guide to securing your PHP applications - or at least taking steps towards that.
For the purpose of this tutorial we have listed some commonly known attacks, and how to protect against them. This is crucial for beginners in PHP because PHP tutorials and basic documentation does not accentuate this problem enough. Examples are given that are vulnerable to attacks, and students are either not aware of the vulnerabilities, or are not adequately educated how to protect their scripts.
They topics they look at are SQL injections, XSS attacks, CSRF attacks, and PHP variable insertion. They talk talk about one of the best things you can do to help secure your site and its data - input filtering.
If you've been paying attention at all to the buzz in the PHP community lately, you'll know that articles like this are nothing new. These are the same things other developers are commenting on as well. It is good to see it get more exposure via digg though...
voice your opinion now!
basic security xss csrf attack injection sql input filter basic security xss csrf attack injection sql input filter
|
Community Events
Don't see your event here? Let us know!
|