Make your plugins more secure with anti CSRF functions

In Osclass 3.1 we included some anti-CSRF functions. What is CSRF? Wikipedia has a good explanation of Cross-site request forgery (CSRF). You have probably seen it in some videos or images shared on social networks: you think you’re clicking on the play button, but instead you’re doing a “like”, “share” or “retweet” without even knowing.

This attack relies on the cookies and session that keep the victim’s identity and login alive. For example, I do not enter my password every time I go to Facebook or Twitter, therefore someone could craft a URL and open it inside an iframe. So when I visit the attacker’s page, the browser opens an iframe with a specially crafted URL (invisible to the user); the browser attaches my credentials (if cookies and session have not been cleared) and loads the iframe impersonating me, so it could do a like, a share or whatever: any change that the website allows me to make.

To avoid this, we included anti-CSRF functionality in Osclass 3.1. It works by creating two variables, storing them in the session and sending them to the user; on each form or link, the user has to send the variables back, and Osclass checks them against the stored values and then deletes them so they are never used again. In short, you tell the visitor a random number, and if he wants to do something on your site he has to tell you that number or he will not be allowed. Each time he wants to do something, you think of a different number.

Most of the functions that make this possible are at the end of utils.php, but in theory you only need to work with the three helpers in hSecurity.php: osc_csrf_token_form, osc_csrf_token_url and osc_csrf_check.

  • osc_csrf_token_form(): Will include the two variables in form format (<input type="hidden" />). NOTE: To maintain compatibility with themes, this is added automatically to every form, so there is no need to do it yourself.
  • osc_csrf_token_url(): Will include the two variables in URL format (CSRFName=ABC&CSRFToken=XYZ). NOTE: There’s no character before “CSRFName”; sometimes you will need a “&” and other times a “?”, depending on your URL.
  • osc_csrf_check($drop): This will check whether the tokens are correct or not; if not, it will output the message “Probable invalid request” and stop the execution of the PHP file. This function should be used in the code that receives the information. NOTE: $drop is a boolean (true / false) variable. When true, it drops (clears, deletes) the variables every time (to be more secure), but Ajax requests need to reuse the tokens, so if you’re doing an Ajax request, use osc_csrf_check(false) to not clear the variables (but they will be invalid an hour after their creation).
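The example below, added here and not code from the Osclass project, shows both the mechanism described above (a random name/token pair kept in the session, sent back by the visitor, checked and then dropped) and how a plugin calls the three helpers. The plugin functions at the bottom use only osc_csrf_token_form, osc_csrf_token_url and osc_csrf_check; the stand-ins above them are a simplified model of what the post says those helpers do, defined only when Osclass is not loaded so the file also runs alone with the PHP CLI. The model assumes the helpers echo their output rather than return it, that the values come back in $_REQUEST, and PHP 7.1 or later; the myplugin_ names, the option name and the action URL are hypothetical.

```php
<?php
// Added example, not code from the Osclass project. The plugin functions at
// the bottom call only the three helpers the post names. The stand-ins above
// them are a simplified model of what the post says those helpers do; they
// are defined only when Osclass itself is not loaded, so the file also runs
// on its own with the PHP CLI (PHP 7.1 or later assumed).

if (!function_exists('osc_csrf_check')) {
    session_start();                      // the pair lives in the session
    define('MODEL_CSRF_TTL', 3600);       // post: tokens go invalid after an hour

    // Create the two variables (a random name and a random token), keep them
    // in the session with their creation time, and reuse them until they are
    // dropped or expire.
    function model_csrf_pair(): array {
        if (!isset($_SESSION['csrf_name'])
            || time() - $_SESSION['csrf_created'] > MODEL_CSRF_TTL) {
            $_SESSION['csrf_name']    = 'n' . bin2hex(random_bytes(8));
            $_SESSION['csrf_token']   = bin2hex(random_bytes(16));
            $_SESSION['csrf_created'] = time();
        }
        return [$_SESSION['csrf_name'], $_SESSION['csrf_token']];
    }

    // Form format: two hidden inputs (the model assumes the helper echoes).
    function osc_csrf_token_form(): void {
        [$name, $token] = model_csrf_pair();
        echo '<input type="hidden" name="CSRFName" value="' . htmlspecialchars($name) . '" />',
             '<input type="hidden" name="CSRFToken" value="' . htmlspecialchars($token) . '" />';
    }

    // URL format, with no leading "&" or "?": the caller adds the right one.
    function osc_csrf_token_url(): void {
        [$name, $token] = model_csrf_pair();
        echo 'CSRFName=' . urlencode($name) . '&CSRFToken=' . urlencode($token);
    }

    // Compare what the request sent back with the session copy. On mismatch
    // (or after expiry) print the message and stop. $drop = true forgets the
    // pair so it can never be replayed; false keeps it for Ajax reuse.
    function osc_csrf_check(bool $drop = true): void {
        $ok = isset($_SESSION['csrf_name'], $_REQUEST['CSRFName'], $_REQUEST['CSRFToken'])
            && time() - $_SESSION['csrf_created'] <= MODEL_CSRF_TTL
            && hash_equals($_SESSION['csrf_name'], (string) $_REQUEST['CSRFName'])
            && hash_equals($_SESSION['csrf_token'], (string) $_REQUEST['CSRFToken']);
        if (!$ok) {
            echo 'Probable invalid request';
            exit;
        }
        if ($drop) {
            unset($_SESSION['csrf_name'], $_SESSION['csrf_token'], $_SESSION['csrf_created']);
        }
    }
}

// ---- Plugin side (names prefixed myplugin_ are hypothetical) -------------

// A settings form: the hidden fields go inside the <form>. Osclass adds them
// to every form itself, so the explicit call only matters where that does not apply.
function myplugin_settings_form(string $action): void {
    echo '<form action="' . htmlspecialchars($action) . '" method="post">';
    osc_csrf_token_form();
    echo '<input type="text" name="myplugin_option" />',
         '<input type="submit" value="Save" /></form>';
}

// A link: this URL already carries "?page=...", so the separator is "&".
function myplugin_delete_link(string $base): void {
    echo '<a href="' . htmlspecialchars($base) . '&amp;action=delete&amp;';
    osc_csrf_token_url();
    echo '">Delete</a>';
}

// The code that receives the form: check first, then act. The default
// osc_csrf_check() drops the pair, so a captured request cannot be replayed.
function myplugin_save_settings(): string {
    osc_csrf_check();
    return 'saved: ' . ($_REQUEST['myplugin_option'] ?? '');
}

// An Ajax endpoint hit repeatedly by the same page: keep the pair with
// osc_csrf_check(false); it still becomes invalid an hour after creation.
function myplugin_ajax_ping(): string {
    osc_csrf_check(false);
    return 'pong';
}

// ---- Stand-alone demo with constructed requests (only under the CLI) ----
if (PHP_SAPI === 'cli') {
    myplugin_settings_form('index.php?page=myplugin');   // assumed action URL
    echo "\n";
    myplugin_delete_link('index.php?page=myplugin');     // same pair reused in the link
    echo "\n";
    ob_start();
    osc_csrf_token_url();
    parse_str(ob_get_clean(), $_REQUEST);                // what the link sends back
    echo myplugin_ajax_ping(), ' ', myplugin_ajax_ping(), "\n"; // pong pong: pair kept
    $_REQUEST['myplugin_option'] = 'x';
    echo myplugin_save_settings(), "\n";                 // saved: x, pair dropped
    echo myplugin_save_settings(), "\n";                 // replay: "Probable invalid request", exits
}
```

Run it with `php example.php`: the two Ajax calls both pass because osc_csrf_check(false) keeps the pair, the first save passes and drops it, and the replayed save is refused, which is exactly the single-use behaviour the post describes. Inside Osclass, only the plugin functions matter; the stand-in block is skipped because the real helpers already exist.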

If you want to make your plugins more secure, start using these functions, but remember they’re only available in Osclass 3.1 (and later).