idea to always include crsf token in GETS
ez
I looked at all the code, and I have a universal solution for ALL my ajax calls. I can add the x parameter using something like:

```javascript
jsMainSettings.xfactor = 'theXtoken';
$(document).ajaxSend(function (evt, request, settings) {
    // only append x when the URL does not already carry one
    var x = $.getUrlParameter(settings.url, 'x');
    if (!x) {
        // use '?' when the URL has no query string yet, '&' otherwise
        settings.url += (settings.url.indexOf('?') === -1 ? '?' : '&') + 'x=' + jsMainSettings.xfactor;
    }
});
```

This was a small test I made in the console. I have made $.getUrlParameter, and I have a global named jsMainSettings where I can put the $sys['xk'] thing in.

There should be a piece in common.php like:

```php
//======== Anti XSS addition =============
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    if (empty($x)) {
        // alphanumeric GET parameter x
        $x = sed_import('x', 'G', 'ALP');
    }
    // reject when x is present but matches neither the current key
    // nor the previous key (strict comparison, no type juggling)
    if (!empty($x) && !defined('SED_NO_ANTIXSS') && !defined('SED_AUTH')
        && $x !== $sys['xk'] && (empty($sys['xk_prev']) || $x !== $sys['xk_prev'])) {
        sed_redirect(sed_url('message', 'msg=950', '', true));
    }
}
//===================================
```

where sed_redirect for AJAX / JSON should be something else, I think... but you get my point!!

==- I say: Keep it EZ -==
This message was edited by ez (2012-08-22 06:12, 12 years ago)
GHengeveld
CSRF protection is only necessary for POST requests, not for GET. This does, however, rely on GET requests being idempotent. CSRF attacks are only effective when the script actually does something. If you implement your extension correctly, any action that changes something on the server (usually a db record) is performed using a POST request, never a GET. If you still want to check every GET request for x, use cot_check_xg(). You can achieve this using a plugin that hooks into common.php.
ez
I know that strictly speaking only POST should be used for changing data. However, I regularly use GETs to alter data in the DB (flags and things like that).

Nice article for the interested people: http://teamtreehouse.com/blog/the-definitive-guide-to-get-vs-post

==- I say: Keep it EZ -==
This message was edited by ez (2012-08-22 08:28, 12 years ago)
GHengeveld
Interesting article, thanks. Generally I'm a fan of RESTful interfaces, but more often than not it's easier to deviate from the standard and use GET where POST is expected, or use POST where PUT/DELETE would be preferred.