How to Prevent Cross-Site Request Forgery Attack?

Question

We ran Burp Suite on our product and found some security vulnerabilities. The tool detected some of the CGI files which are vulnerable to Cross-Site Request Forgery attacks (CSRF).

As usual I did search for CSRF protection module on CPAN and found CGI::Application::Plugin::ProtectCSRF.

I'm wondering how can I integrate this module into our application in a generalized way? The documentation is not clear to me. How do I configure this module and make minimal changes to make sure whole application is secured from CSRF.

I also came across mod_csrf (an Apache module to prevent CSRF). Is installing this module and setting below in apache configuration file enough to prevent CSRF?

<VirtualHost>

    CSRF_Enable on
    CSRF_Action deny
    CSRF_EnableReferer off

</VirtualHost>

You need to make sure that any Ajax requests also include the csrf parameter. — xxfelixxx, Sep 01 '16 at 09:52
@xxfelixxx: mod_csrf does that. C::A::P::ProtectCSRF doesn't mention it. — Chankey Pathak, Sep 01 '16 at 09:54

score 3 · Answer 1 · edited Jun 20 '20 at 09:12

I can understand that you found the documentation for CGI::Application::Plugin::ProtectCSRF unclear: it is a little impregnable

All that the Perl module appears to do is to add a hidden field to each HTML form with the name _csrf_id and a random value derived from various sources and encoded through SHA1. The protection comes when the response from the client requires that the same value must be returned to the server

It is quite nicely coded, but it uses custom subroutine attributes, and the documentation for the attributes pragma says this

WARNING: the mechanisms described here are still experimental. Do not rely on the current implementation

I cannot tell from my quick review whether the subroutine prototypes are essential to the module, but I recommend that you use the Apache mod_csrf module instead, which is likely to be more thoroughly tested than the Perl module, and has proper documentation

score 0 · Accepted Answer · answered Sep 09 '16 at 12:19

Since we were using in house server, not apache, therefore, mod_csrf was not possible to implement.

I ditched ProtectCSRF module as the documentation was unclear.

I solved it by doing below:

Add an element in header template which is common to all pages, this element contains CSRF token which is being passed from server
Create a JavaScript function and bind it to onload event. This JS function does below tasks:

a) Find forms in current page

b) If forms are found then create a hidden "input" element and append it to each form

c) Take the value which was put in header and assign it to above created elements

d) Now all forms have a hidden input element which contains CSRF token from point 1
Now whenever a form gets submitted this hidden element will also be submitted, whose value we are verifying at server end. If tokens do not match then there is CSRF, for which we throw the error and block request

How to Prevent Cross-Site Request Forgery Attack?

2 Answers2