1 Topic by mrse0

  • Registered: 2006-06-27
  • Posts: 17

Topic: extension dev: xsrf/csrf

Hi

I'm working on an extension that takes user input and I want to make sure it is safe from XSRF/CSRF attacks. I understand punbb has its own methods to secure it from such attacks, is there any way I might use these or should I implement my own?

2 Reply by hcs

  • hcs
  • hcs
  • Administrator
  • Offline
  • Registered: 2006-02-16
  • Posts: 219

Re: extension dev: xsrf/csrf

You need to add a hidden field in the form of:

<input type="hidden" name="csrf_token" value="<?php generate_form_token(_your_url_identical_with_form_action_) ?>" />

Verification token will do the forum.
For example, look at viewtopic.php after 618 line

hcs's Website

3 Reply by mrse0 (edited by mrse0 2012-01-14 16:24)

  • Registered: 2006-06-27
  • Posts: 17

Re: extension dev: xsrf/csrf

So this is actually for some AJAX GETs, is the theory the same?

(thanks for the response)

4 Reply by hcs

  • hcs
  • hcs
  • Administrator
  • Offline
  • Registered: 2006-02-16
  • Posts: 219

Re: extension dev: xsrf/csrf

This only for POST requests.
For GET request you need add token to get-string:

http://my.site/misc.php?csrf_token=<?php generate_form_token(_my_string_) ?>

And check $_GET['csrf_token'] manually:

if ($_GET['csrf_token'] != generate_form_token(_my_string_))
{
 die('error');
}

hcs's Website

5 Reply by mrse0

  • Registered: 2006-06-27
  • Posts: 17

Re: extension dev: xsrf/csrf

gotcha, thanks!