Protection against CSRF attacks

Wikipedia: "Cross-site request forgery (also known as CSRF or XSRF) is a method of a malicious website attack, often confused (partly because of the simultaneous use of both methods) with cross-site scripting (XSS), or considered its subset. The users who fall prey to CSRF unknowingly transmit forged requests to the server. In contrast to XSS attacks, CSRF attacks are not directed at the websites and do not necessarily change their content. In this case the hacker's aim is to use the permissions to execute an operation which would otherwise require the victim's authorization."

Features

Wikipedia: "The aim of the attack is to trick a logged-in user into clicking a link, which will allow the hacker to execute an action otherwise inaccessible to him. For example, being permanently logged into a CRM system, a user might at some point open a forged link, which could change the user's contact information or even delete some data from the CRM system. A picture whose address was properly prepared by the hacker can also serve as a link, and the consequences of opening it could be much more serious. The following features characterize a CSRF attack:
  • It concerns a service that requires login, or is restricted in any other way, e.g. accessible from the internal network or only from a specific IP address pool.
  • It exploits the site's trust in the user's identity.
  • It tricks the browser into sending an HTTP request to the service.
  • It concerns a request that changes the user's account balance or performs financial operations on his behalf."

Prevention

The YetiForce system has a built-in defense mechanism against CSRF attacks. A regular user will only encounter it when typing an incorrect address into the CRM system, or when opening a link (e.g. from an e-mail message) that points to an address other than the CRM system's while logged into the system. A few things are crucial to keep in mind so as not to trigger the CSRF protection:
  1. The protection only works while the user is logged into the system. If the user is not logged in, he receives the login prompt and no unwanted data is injected.
  2. The user should always log in using the WWW address defined in the config/config.inc.php file (set automatically during the system installation). For the CSRF protection it matters whether or not the address includes "www", whether it uses "https" or just "http", and whether there are any additional characters at the end, for example "/" or "/pl", and so on.
  3. By default, the system allows the user to log in from only one address.
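An added illustration (not YetiForce's own code, whose check is not shown on this page) of why items 1 and 2 matter: a minimal origin check that compares the browser's Origin/Referer headers against a configured site address, treats http/https, a "www" prefix and a trailing path as different addresses, and skips the check when no user is logged in. The SITE_URL value and the request headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the site address set in config/config.inc.php.
# YetiForce's real check is not shown on the page; this only models the behaviour it describes.
SITE_URL = "https://crm.example.com/"


def origin_of(url: str) -> str:
    """Scheme and host[:port] part of a URL, e.g. 'https://crm.example.com'."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def check_request(headers: dict, logged_in: bool, site_url: str = SITE_URL) -> str:
    """Return 'login' (no session, nothing to protect), 'ok' (request comes from the
    configured address) or 'reject' (scheme, 'www', trailing path or site differ, or
    the browser sent neither an Origin nor a Referer header)."""
    if not logged_in:
        return "login"
    origin = headers.get("Origin")
    referer = headers.get("Referer")
    if origin is None and referer is None:
        return "reject"
    # Origin carries only scheme://host[:port]; "http" vs "https" or a stray "www." fails here.
    if origin is not None and origin != origin_of(site_url):
        return "reject"
    if referer is not None:
        # Referer carries the full URL: same origin, and its path must begin with the
        # configured path, so a configured "/pl" suffix matters just as the page says.
        r = urlsplit(referer)
        same_site = origin_of(referer) == origin_of(site_url)
        if not same_site or not r.path.startswith(urlsplit(site_url).path):
            return "reject"
    return "ok"


if __name__ == "__main__":
    # Constructed requests; only the first two come from the configured address.
    cases = [
        ({"Origin": "https://crm.example.com"}, True),
        ({"Referer": "https://crm.example.com/index.php?module=Contacts"}, True),
        ({"Referer": "http://crm.example.com/index.php"}, True),  # http instead of https
        ({"Origin": "https://www.crm.example.com"}, True),        # unexpected "www"
        ({"Origin": "https://other.example"}, True),              # forged from another site
        ({}, True),                                               # no origin information
        ({"Origin": "https://other.example"}, False),             # not logged in: login prompt
    ]
    for headers, logged_in in cases:
        print(f"{check_request(headers, logged_in):7} {headers}")
```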

Tips & tricks

If you want to allow users to log in from different domains (e.g. LAN: address A, and an external network: address B), the best solution is to handle it at the DNS level or in the server's local configuration, redirecting users from address B to address A.

Friday, 11 August 2017