Protection against CSRF part 2

Continuing from my previous post, I have decided to provide demos of many of the techniques discussed. These techniques won’t make your site 100% secure, but they will help reduce the risk of attack. Remember that you still need to protect against XSS: these techniques will not stop your site from being attacked through XSS.

I created the following techniques whilst investigating OpenID security, where I found that many sites do not even employ a form token for site requests. The code is still being developed, but I hope it provides a good base for improving the security of your site.

CSRF Demos

3 Responses to “Protection against CSRF part 2”

  1. Gareth Heyes writes:

    Source code to be released soon, any volunteers to test and improve it before release?

  2. Alexander Waldmann writes:

    Works fine in Firefox 2.0.0.6. Looking good overall.

    I guess the JavaScript token is created inside the server and stored in the user session?

  3. Gareth Heyes writes:

    Hi Alexander

    Yeah, the server generates a PHP token based on the same code the client generates using JavaScript. The source code is available for the JavaScript/PHP generation if you want to look at how it works:

    http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/