Forums

CSRF prevention mechanism in form submit

Akash Jaisawal, edited 6 years ago.

CSRF prevention mechanism in form submit

Regular Member Posts: 141 Join date: 03.03.12 Latest posts
Hi,

I have a form which is getting submitted with processAction. I want to apply a CSRF prevention mechanism. Regarding the same, I have a few questions.

1. Do we need to apply a CSRF prevention mechanism for processAction or not?
2. If not, how would I know that Liferay by default adds the 'p_auth' key to the URL? How can I check that?

Regards
Akash K Jaiswal
nazim zmirli, edited 5 years ago.

RE: CSRF prevention mechanism in form submit

New Member Posts: 7 Join date: 26.03.18 Latest posts

I'm surely missing something in the picture of how CSRF attacks and protections work. My understanding in a form-submit scenario is that the protection relies on an unpredictable token; somehow it is assumed the attacker can't get the token, but why? If the attacker is good enough to make me submit a form (as mentioned by OWASP), what would prevent him from getting the token before submitting? Is there a limit on the JavaScript size/syntax that can be injected, or is it just the assumption that I'm using a modern browser with the Same-Origin Policy? What am I not seeing?

[url redacted]

Christoph Rabel, edited 5 years ago.

RE: CSRF prevention mechanism in form submit

Liferay Legend Posts: 1554 Join date: 24.09.09 Latest posts

CSRF protection works differently. Let's say I craft a URL that adds an admin user for me on the site mysite:

https://mysite/create_admin_url/

Then I send it to the admin of mysite with reasonable text: "Please look at my comment ...". He clicks on the URL and voilà -> admin created!

CSRF prevents an attacker from doing that. He could maybe create a malicious URL or form and trick an admin into clicking on it, but for some attacker somewhere it is impossible to find out what the CSRF token of the admin user's current session is.

The token doesn't protect against e.g. injected JavaScript. It only protects against "tricks from the outside".
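The check Christoph describes, as an added illustration that is not part of this thread and not Liferay's own code: a minimal server-side handler with a per-session random token playing the role of p_auth. The in-memory session store, the handler names and the `/create_admin` form are assumptions for the example; the point is that a request arriving with the victim's session cookie but without the token the server rendered is rejected before anything happens.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
# The "csrf" value stands in for Liferay's p_auth: an unpredictable token
# bound to the authenticated session and embedded in every rendered form/URL.
SESSIONS = {}

def start_session():
    """Create a session (the admin's cookie) and mint its CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "admins": []}
    return sid

def render_create_admin_form(sid):
    """The server renders the form; the token travels as a hidden field."""
    return {"action": "/create_admin", "p_auth": SESSIONS[sid]["csrf"]}

def handle_create_admin(sid, params):
    """processAction-style handler: verify the token before acting."""
    session = SESSIONS.get(sid)
    if session is None:
        return "401 no session"
    submitted = params.get("p_auth", "")
    # Constant-time comparison; a missing or wrong token means the request
    # did not originate from a form this server rendered for this session.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "403 invalid p_auth"
    session["admins"].append(params["name"])
    return "200 admin created"

def demo():
    sid = start_session()
    # Legitimate flow: the browser submits the form the server rendered.
    form = render_create_admin_form(sid)
    ok = handle_create_admin(sid, {"p_auth": form["p_auth"], "name": "alice"})
    # Cross-site flow: the victim's cookie (sid) is sent automatically, but the
    # third party never saw the token, so the request has none or a guess.
    missing = handle_create_admin(sid, {"name": "mallory"})
    guessed = handle_create_admin(
        sid, {"p_auth": secrets.token_urlsafe(32), "name": "mallory"})
    return ok, missing, guessed, SESSIONS[sid]["admins"]

if __name__ == "__main__":
    print(demo())
```

As the last post notes, this check does nothing against script already running in the page's origin, which can read the hidden field like any other DOM node; it only distinguishes requests that started from a server-rendered form from ones that did not.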