JSCK demo update

I believe in releasing code as early as possible and often. So I’ve released another version of JSCK, the code isn’t a complete solution at the moment and is more of a proof of concept rather than a final version you can use on live sites but it highlights the method well and should provide good security against CSRF attacks.

Thanks to everyone who provided feedback in particular Alex AKA kuza55, he raised some very good points and highlighted potential problems.

New features

1. 15 minute expiry dates on all tokens.
2. Multiple tokens can be used at once.
3. I’ve added support for assigning a class to a link and form to enable/disable the token protection.
4. The system can now calls the code from a external file which makes the code cleaner.

Bugs/Outstanding

1. The random code generation sometimes produces a invalid key. (Should be fixed now)
2. Disabled Javascript support needs to be added.
3. Doesn’t work in Safari (yet).
4. Only tested working in Firefox.
5. Referrer checking.
6. JQuery plugin.
7. Fix IE
8. Rewrite JS into DOM code.
9. Source cleanup and final release.

Source code

I was going to wait until I had completed the final version but to help those of you requesting the files with WGET, I’ve decided to release it early :) Please do not use this code on a live web server, the kit is currently in beta and shouldn’t be considered live code.

JSCK Source code

New JSCK demo

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Slashdot
  • StumbleUpon

Comments 10

  1. Gareth Heyes wrote:

    Looks like I release code a little too early, damn the tokens aren’t working correctly on my server.

    Posted 22 Oct 2007 at 11:12 am
  2. Alex@Net wrote:

    Hello,

    Do you have in a plan to write a something like a jQuery plugin for this functionality? If would be great to just $(’myForm’).protect();

    Thanks,
    Alex

    Posted 22 Oct 2007 at 11:36 am
  3. Gareth Heyes wrote:

    Good idea Alex, I shall consider doing that when I’ve fixed the bugs and released the final version.

    Posted 22 Oct 2007 at 11:42 am
  4. Gareth Heyes wrote:

    *fixed*

    It now seems to work correctly on my server.

    Posted 22 Oct 2007 at 12:21 pm
  5. Marco Ramilli wrote:

    Sure! It work correctly on my server too.
    @Alex && @Gareth
    the jQuery pulgin could be a big deal, really good idea.

    Posted 22 Oct 2007 at 4:31 pm
  6. sky wrote:

    yeah,THE ie IS NOT TESTED,JS HAS ERROR!

    Posted 23 Oct 2007 at 3:05 am
  7. Gareth Heyes wrote:

    Thanks Sky I will fix the error

    Posted 23 Oct 2007 at 7:27 am
  8. Bill Zeller wrote:

    Hi,

    This doesn’t seem to protect against CSRF attacks, since any website (including an attacker’s site), can include the Javascript file that will add a correct token to the links on the page. For example, the following page illustrates a successful CSRF attack against your demo:
    http://www.from.bz/test/jsck.php

    The page includes the jsck Javascript file and then adds the following Javascript:

    var oldOnload = window.onload;
    window.onload = function()
    {
    oldOnload();
    window.location = document.links[0].href;

    }

    Best Regards,
    Bill Zeller

    Posted 28 Oct 2007 at 5:55 am
  9. Gareth Heyes wrote:

    Bill excellent POC! Very clever, I completely missed that sort of attack :)

    Posted 28 Oct 2007 at 10:47 am
  10. Gareth Heyes wrote:

    I’ve patched it now, your POC should no longer work.

    Posted 28 Oct 2007 at 10:59 am

Post a Comment

Your email is never published nor shared. Required fields are marked *

Comment spam protected by SpamBam