NetTalk Central

Author Topic: Cross site request forgery (CSRF) Protection

Matthew51

  • Full Member
  • ***
  • Posts: 152
Cross site request forgery (CSRF) Protection
« on: April 19, 2017, 01:39:50 PM »
I'm taking a security pass over my site and wondering if NetTalk has any CSRF protection built in, and if so what does it use?

For anyone wanting more info this is a good video on CSRF https://youtu.be/hW2ONyxAySY

Thanks
Matthew
Contractor with 10+ years of NetTalk experience looking for work.
www.linkedin.com/in/matthew-leavitt
BisWare.ca
Check out my free EasyTime Template

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11244
Re: Cross site request forgery (CSRF) Protection
« Reply #1 on: April 20, 2017, 11:57:22 PM »
Hi Matthew,

>> wondering if NetTalk has any CSRF built in, and if so what does it use?

There are some mitigations, yes.

a) all cookies are marked as HTTP only - this means they cannot be read by JavaScript. Also all cookies on SSL connections are marked SECURE, meaning they cannot be used over insecure connections. ( these are somewhat tangential to your CSRF question, but they come into play.)

b) All forms contain a "FormState" value. Without a valid FormState the POST to submit the form will not work. The FormState is tied to the session, and is generated uniquely when the Form is generated.

Therefore a simple POST as described by Troy will not work. NetTalk forms don't just work with a POST.

So, in order for an attack like this to work, at the very least the code would need to include some JavaScript which first fetched the form, and then parsed out the Formstate, and then pushed an answer. But then Same Origin Policy comes into play, and should prevent that. (I've added a template option in 9.27 to make that easier to set.)

That said Troy raises an interesting point about API's. API's work differently to Forms, and I'd need to think a bit about what's involved with regard to API's and preventing API attacks of this nature...

Cheers
Bruce

« Last Edit: April 20, 2017, 11:59:23 PM by Bruce »
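The two mitigations Bruce lists (HttpOnly/Secure session cookies, and a per-render form token tied to the session that a plain cross-site POST cannot supply) are the standard synchronizer-token pattern. The following is an added illustration in Python, not NetTalk's code and not how NetTalk actually builds its FormState; the token format, the in-memory session store and the secret are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Constructed example secret; a real server would load this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-use"

# Hypothetical in-memory session store: session_id -> set of unused form tokens.
sessions = {}


def new_session(secure_connection: bool) -> Tuple[str, str]:
    """Create a session and return (session_id, Set-Cookie header value).

    The cookie is HttpOnly so page scripts cannot read it, and Secure when the
    connection is TLS so the browser will not send it over plain HTTP.
    """
    sid = secrets.token_urlsafe(32)
    sessions[sid] = set()
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["path"] = "/"
    if secure_connection:
        cookie["SESSIONID"]["secure"] = True
    return sid, cookie.output(header="").strip()


def issue_form_state(sid: str) -> str:
    """Generate a fresh token each time a form is rendered, bound to the session.

    The token is nonce.mac where the MAC covers both the session id and the
    nonce, so a token issued to one session cannot be replayed in another.
    """
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    token = f"{nonce}.{mac}"
    sessions[sid].add(token)
    return token


def validate_post(sid: Optional[str], form_state: Optional[str]) -> bool:
    """Accept a POST only if it carries an unused FormState issued to this session.

    A forged cross-site POST arrives with the session cookie (the browser attaches
    it automatically) but without the token, because the attacker's page never saw
    the rendered form, so it is rejected here.
    """
    if sid is None or sid not in sessions or not form_state:
        return False
    nonce, _, mac = form_state.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    # One-time use: a token that was already consumed (or never issued) is refused.
    if form_state not in sessions[sid]:
        return False
    sessions[sid].discard(form_state)
    return True


if __name__ == "__main__":
    sid, set_cookie = new_session(secure_connection=True)
    print("Set-Cookie:", set_cookie)
    token = issue_form_state(sid)
    print("genuine submit accepted:", validate_post(sid, token))
    print("cross-site POST (cookie only, no FormState) accepted:", validate_post(sid, None))
```

The same-origin point in the reply is what keeps an attacker's script from fetching the form to read the token out of it; the server-side check above only guarantees that a request without a valid, unused token for that session is refused.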

Matthew51

  • Full Member
  • ***
  • Posts: 152
Re: Cross site request forgery (CSRF) Protection
« Reply #2 on: April 21, 2017, 02:10:47 PM »
Exactly what I was looking for, thank you.