CSRF prevention mechanism in form submit
I have a form which is getting submitted with processAction. I want to apply a CSRF prevention mechanism. Regarding this I have a few questions.
1. Do we need to apply a CSRF prevention mechanism for processAction or not?
2. If not, how would I know that Liferay by default adds the 'p_auth' key to the URL? How can I check that?
Regards
Akash K Jaiswal
I'm surely missing something in the picture of how CSRF attacks and protections work. My understanding in a form-submit scenario is that the protection relies on an unpredictable token; somehow it is assumed the attacker can't get the token, but why? If the attacker is good enough to make me submit a form (as mentioned by OWASP), what would prevent him from getting the token before submitting? Is there a limit on the JavaScript size/syntax that can be injected, or is it just the assumption that I'm using a modern browser with Same-Origin Policy? What am I not seeing?
[url redacted]
CSRF protection works differently. Let's say, I craft a URL that adds an admin user for me on site mysite:
https://mysite/create_admin_url/
Then I send it to the admin of mysite with reasonable text: "Please look at my comment ...". He clicks on the URL and voila -> Admin created!
CSRF protection prevents an attacker from doing that: he could maybe create a malicious URL or form and trick an admin into clicking on it, but for an attacker somewhere on the outside it is impossible to find out what the CSRF token of the admin user's current session is.
The token doesn't protect against e.g. injected JavaScript. It only protects against "tricks from the outside".
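To make the "tricks from the outside" distinction concrete, here is an added example that is not part of the original thread and not Liferay code: a small Python model of synchronizer-token CSRF protection. A random per-session token is embedded in the form as a hidden field and checked by the state-changing handler. A forged cross-origin submission arrives with the victim's session cookie but without the token, because the Same-Origin Policy keeps the attacker's page from reading the victim's page, so it is rejected; a script already running inside the site's own origin can read the token off the page and is not stopped. The in-memory session store, the handler names and the reuse of the parameter name p_auth are assumptions made for illustration only.

```python
"""Model of synchronizer-token CSRF protection (added example, not Liferay code)."""
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed in-memory session store keyed by the session cookie value.
# Assumption: a real application keeps this server-side (e.g. in the servlet session).
SESSIONS = {}


def new_session():
    """Log a user in: create a session and a random, per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "admins": []}
    return sid


def render_create_admin_form(sid):
    """HTML the site itself serves; the token is embedded as a hidden field.
    The parameter name p_auth is borrowed from Liferay only for familiarity (assumption)."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/create_admin">'
        f'<input type="hidden" name="p_auth" value="{token}">'
        '<input name="user"><input type="submit" value="Create admin">'
        "</form>"
    )


def handle_create_admin(cookie_sid, body):
    """The state-changing action handler (the processAction equivalent).
    The session cookie arrives with every request the browser sends to the site,
    whoever caused that request; only the token proves the request came from
    a page the site rendered. Returns (status, message)."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    params = parse_qs(body)
    submitted = params.get("p_auth", [""])[0]
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    user = params.get("user", [""])[0]
    session["admins"].append(user)
    return 200, f"admin {user!r} created"


def token_from_html(html):
    """Read the hidden token off a rendered page. Only code running in the
    site's origin (the real browser tab, or script injected into it) can do this."""
    match = re.search(r'name="p_auth" value="([^"]+)"', html)
    return match.group(1) if match else ""


def legitimate_submit(sid, user):
    """The admin fills in the real form: cookie and token are both present."""
    token = token_from_html(render_create_admin_form(sid))
    return handle_create_admin(sid, urlencode({"p_auth": token, "user": user}))


def cross_site_forgery(sid, user):
    """Attacker's page on another origin auto-submits a form to the site.
    The browser attaches the victim's cookie, but the Same-Origin Policy stops
    the attacker's page from reading the victim's page, so there is no token."""
    forged_body = urlencode({"user": user})
    return handle_create_admin(sid, forged_body)


def injected_script_attack(sid, user):
    """Script injected into the site's own origin (XSS) is not stopped by the
    token: it can fetch the form, read the token and replay it."""
    token = token_from_html(render_create_admin_form(sid))
    return handle_create_admin(sid, urlencode({"p_auth": token, "user": user}))


if __name__ == "__main__":
    sid = new_session()
    print(legitimate_submit(sid, "alice"))
    print(cross_site_forgery(sid, "attacker"))
    print(injected_script_attack(sid, "attacker"))
```

The forged request fails only because the token is unpredictable and unreadable from outside the origin; it does not fail because the attacker could not cause the request. That is exactly why the token is no defence once an attacker already runs script in the site's origin, which is the injected-JavaScript case the reply above excludes.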