JSCK

I had a great idea to protect against CSRF: use my random Javascript creation technique! I already knew it was possible to use it this way, but I wanted a neat solution that anyone could incorporate into their site.

PHP first creates a random session key using random code blocks, then Javascript does the same. The code then appends the session key to every URL and inserts it as a hidden field in every form. When a link is clicked or a form is submitted, the server compares the session key it holds with the key supplied in the request, and allows or denies the request accordingly.

So here it is, my Javascript Cross Site Request Forgery Protection Kit, or JSCK for short :)
JSCK demo

I will be releasing this code as open source once I’ve cleaned it up a bit, so everyone can use it, because I think it’s a cool idea.

22 Responses to “JSCK”

  1. Michael Gauthier writes:

    Your intentions are good but this is not practical to use. A significant number of web users still have JavaScript turned off and these people can’t use your forms or click on your links.

    Also, your GET requests should be non-destructive, so CSRF protection doesn’t make much sense for links.

  2. Gareth Heyes writes:

    @Michael

    The Javascript requirement is obvious and I don’t want to debate it but the majority have Javascript switched on.

    Yes, true, links *should* be non-destructive, but many sites employ dangerous links which require CSRF protection.

    I might also add that the final version will work with those who have Javascript switched off. The system will ask for confirmation via a normal form for those instances.

  3. Mike writes:

    “<snip> … but the majority have Javascript switched on.”

    NoScript’s popularity is on the rise.

    Anyway, you should at least add a noscript block to tell peeps with JS disabled that they have got to enable it first.

    The most annoying thing ever is a site that assumes the presence of JS and silently fails because it isn’t there leaving the user to guess that they need it.

    And yes, I know it’s just a demo, but where do people look for implementation reference?

    Otherwise nice work.
    :D

  4. Gareth Heyes writes:

    Well here’s how the final version will work.

    1. You define a class such as class="jsck_protect" on links and forms that you want to protect.
    2. The system will use Javascript, then revert to an extra confirmation page when you have it switched off.

    So yeah if no Javascript concerns you then it will still be possible to accommodate these users.

  5. Gareth Heyes writes:

    Oops, found a small bug which sometimes made it incompatible with my security filters. I’ve patched it now though. New version will be released soon.

  6. Alex@Net writes:

    Hello,

    Nice work! I cannot imagine a way it could be hacked. noscript tag and CAPTCHA and Referer check of course should be added to this solution.

    Sincerely,
    Alex

  7. Gareth Heyes writes:

    Thanks Alex, yeah I plan to improve the kit to incorporate some of those features. I always release my code early so everyone can have input and improve it.

    I think this will be a cool solution because it allows non-programmers to protect their scripts quite easily. I’m all for open source as well because patents suck big time.

  8. Iehrepus writes:

    hi man
    I think your idea is a great idea, but not new. You can see this forum. Name: Discuz!

    Demo : http://www.discuz.net/

    http://www.discuz.net/member.php?action=clearcookies&formhash=5dc7ca28

    formhash is the random key :)

  9. Iehrepus writes:

    haha
    A bug in spambam.php?
    http://xx.xx.xx.xx/superhei/apic/wp.jpg

  10. Gareth Heyes writes:

    @Iehrepus

    Oh yes, of course tokens aren’t new, but the technique of using random js/php and then appending to the URL/Form I’ve not seen done before.

    Yep, a bug it seems, thanks, I will fix it. Nice find, whoever found it first :)

  11. Gareth Heyes writes:

    Patched Spambam for now. I’ve got an old version on my blog, and the new version of Spambam will be out soon once it’s been beta tested.

  12. Gareth Heyes writes:

    @Iehrepus

    Hey, your site looks cool man! Do you have an English translation?

  13. Iehrepus writes:

    THX Gareth Heyes, sorry for my bad English, you can translate it by
    http://translate.google.com/translate?u=http%3A%2F%2Fsuperhei.blogbus.com&langpair=zh%7Cen&complete=1&hl=en&newwindow=1&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools

    but it looks so…. :)

  14. kuza55 writes:

    It’s nice, but it would fail where an attacker can add their own link to the page and then entice a user to click on it, e.g. forums & blogs, since every link has the same token and you aren’t doing anything to make sure you do not add the token to external links.

    Furthermore, due to the fact that the same token is used for every URL, no two links can be clicked from the same page without reloading it, which isn’t a very good solution at all IMO.

  15. Gareth Heyes writes:

    Good points Kuza55, I shall consider those when working on the next version, thanks.

  16. Iehrepus writes:

    kuza55’s meaning is ‘storage and transfer of the random key is dangerous’

    so if it only inserts a hidden field, will it solve this problem?

    And if the site has an XSS hole, an attacker could get the random key, like this:

    xmlhttp.get(Turl+"admincp.php?action=members",function(s) {
    var reg = /name="formhash" value="([\w\d]+)">/i;
    var arr=reg.exec(s);
    var formhash=arr[1];
    });

  17. Gareth Heyes writes:

    @Iehrepus

    Oh yeah, no doubt they could get the key with XSS, but why bother? If they have found XSS then they have complete control anyway.

  18. Sally, translator writes:

    It’s really cool! But it is not so perfect, you see, according to the comments.

  19. Anshuk writes:

    Hi Gareth,

    Have you released the code for the JSCK?

    /
    Anshuk

  20. Gareth Heyes writes:

    Hi Anshuk

    Yes, I’ve released the current version, however it isn’t final yet as there are still some issues I need to fix. There are a couple of vulnerabilities, like multiple URLs and external source inclusion.

    I wouldn’t recommend using this version, and as soon as I find time I’ll sort it out. If you want to work on the code let me know and I’ll supply you with the current source and give you credit if you fix it.

    Thanks

  21. Anshuk writes:

    Hi Gareth,

    Thanks for your quick reply.
    I would definitely like to have a look at the code and try to understand the issues and fix them.
    Can you please send across the source code of the current version and also the released version (which I suppose is not the current one)?

    Thanks.

    /
    Anshuk

  22. Surendran writes:

    Hi guys,

    Thanks for your information.

    I am also looking forward to getting the source code of the current version and the related version.

    Have a great day! :)