Forums / Cotonti / Core Labs / Ideas / General CSRF protection for AJAX GET requests

idea to always include CSRF token in GETs

ez
#1 22.08.2012 05:55

I looked at all code.. and I have a universal solution for ALL my AJAX calls.

I can add the x parameter using something like:

jsMainSettings.xfactor='theXtoken';
$(document).ajaxSend(function(evt, request, settings){
    // skip if the caller already added its own x parameter
    var x=$.getUrlParameter(settings.url,'x');
    if (!x) {
        // use '?' when the URL has no query string yet, '&' otherwise
        var sep = settings.url.indexOf('?') === -1 ? '?' : '&';
        settings.url += sep + 'x=' + encodeURIComponent(jsMainSettings.xfactor);
    }
});

This was a small test I made in the console, I have made $.getUrlParameter and I have a global named jsMainSettings where I can put the $sys['xk'] thing in.
I think with this little coding I have covered ALL my ajax requests... :D
This example is not ready yet.. but it is just to show the idea


BIG Question:

There should be a piece in common.php like :

//======== Anti XSS addition =============
if ($_SERVER['REQUEST_METHOD'] == 'GET')
{
	if (empty($x)) {
		$x = sed_import('x', 'G', 'ALP');
	}
	if (!empty($x) && !defined('SED_NO_ANTIXSS') && !defined('SED_AUTH') && $x != $sys['xk'] && (empty($sys['xk_prev']) || $x != $sys['xk_prev'])) {
		sed_redirect(sed_url('message', 'msg=950', '', true));
	}
}
//===================================

where sed_redirect for AJAX - JSON should be something else I think... but you get my point !!

==- I say: Keep it EZ -==
Edited: ez (22.08.2012 06:12, 11 years ago)
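The client-side idea in the post above, as an added example that is not from the original post and not Cotonti code: a jQuery-free version of the ajaxSend hook. It appends the CSRF key (the "x" parameter, as in the thread) only when the URL does not already carry one, picks "?" or "&" correctly, keeps any fragment, and adds the key only to same-origin URLs so it is never sent to a third-party host. `jsMainSettings` and the parameter name "x" come from the post; `getUrlParameter`, `isSameOrigin`, `addCsrfToken` and the token value are this example's own constructed names and values.

```javascript
// Added example (not from the original post or Cotonti).
// jsMainSettings.xfactor holds the session's CSRF key ($sys['xk'] in Cotonti);
// the value here is a constructed placeholder.
const jsMainSettings = { xfactor: 'EXAMPLE_X_TOKEN' };

// Return the value of `name` in the query string of `url`, or null if absent.
function getUrlParameter(url, name) {
  const q = url.indexOf('?');
  if (q === -1) return null;
  const query = url.slice(q + 1).split('#')[0];
  for (const pair of query.split('&')) {
    const [k, v = ''] = pair.split('=');
    if (decodeURIComponent(k) === name) return decodeURIComponent(v);
  }
  return null;
}

// Is `url` on the same origin as `base`? Relative URLs resolve against base.
function isSameOrigin(url, base) {
  try {
    return new URL(url, base).origin === new URL(base).origin;
  } catch (e) {
    return false; // unparsable URL: do not attach the key
  }
}

// Append the key if the request needs it. Returns the (possibly unchanged) URL.
function addCsrfToken(url, token, base) {
  if (!isSameOrigin(url, base)) return url;            // never leak the key off-site
  if (getUrlParameter(url, 'x') !== null) return url;  // caller already set it
  const [path, fragment] = url.split('#');
  const sep = path.indexOf('?') === -1 ? '?' : '&';
  const withToken = path + sep + 'x=' + encodeURIComponent(token);
  return fragment === undefined ? withToken : withToken + '#' + fragment;
}

// Browser hook, equivalent to the jQuery ajaxSend handler in the post.
// Guarded so the file also loads outside a browser.
if (typeof window !== 'undefined' && window.jQuery) {
  window.jQuery(document).ajaxSend(function (evt, xhr, settings) {
    settings.url = addCsrfToken(settings.url, jsMainSettings.xfactor, window.location.href);
  });
}
```

The same-origin check is the part worth keeping even if the rest is adapted: a global ajaxSend hook fires for every jQuery request, including ones to external APIs, and without it the session key would be sent to every host the page talks to.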
GHengeveld
#2 22.08.2012 07:15

CSRF protection is only necessary for POST requests, not for GET. This however does rely on GET requests being idempotent. CSRF attacks are only effective when the script actually does something. If you implement your extension correctly, any action that changes something on the server (usually a db record) is performed using a POST request, never a GET.

If you still want to check every GET request for x, use cot_check_xg(). You can achieve this using a plugin that hooks into common.php.

ez
#3 22.08.2012 08:14

I know that strictly speaking only POST should be used for changing data.. However I use GETs regularly to alter data in the DB (flags and things like that).


In general: any request that can change data on the server, which can be either GET or POST, should have the XSS protection. Developers should be aware of this.


So everybody who uses GETs to alter data should add a protection.


nice article for the interested people: http://teamtreehouse.com/blog/the-definitive-guide-to-get-vs-post

==- I say: Keep it EZ -==
Edited: ez (22.08.2012 08:28, 11 years ago)
GHengeveld
#4 27.08.2012 16:22

Interesting article, thanks. Generally I'm a fan of RESTful interfaces, but more often than not it's easier to deviate from the standard and use GET where POST is expected or use POST where PUT/DELETE would be preferred.