php - Cross-Site Forgeries (CSRF) and Public Application Interface -


looking tightening security , prevent cross-site request forgery attacks. understand tokenization forms less clear on object instances.

according owasp exploit criteria includes 1. web user needs authenticated , 2. csrf attacks target state-changing requests.

at issue: have public facing photo gallery database driven content. application authenticated database, not web user.

on initial page load (initial state), viewer(html) request lightbox of thumbnail images application. web user clicks on thumbnail load images associated gallery. click event reloads page passing variable (gallery id) controller script. controller creates new instance of params array.

the application starts session, not viewer html.

here public interface application, else protected or private.

viewer.php

 /*    * class params   */ if( isset($gid) && $gid!=null ) {   /* show project gallery images */   $params['ticket'] = "gallery";   $params['active'] = "y";   $params['gid'] = $gid; } else {   /* show lightbox thumbnails */   $params['ticket'] = "lightbox";   $params['active'] = "y"; } /* later in html body, instance object */   $cobj = accesswrapper::factory($params);   $cobj->jobrequest();   unset($params);   unset($cobj);

factory.php

 /**  * @api  * @return void  * instantiates sub class passed viewer  *   * @param array $params, [ticket] subclass name  * pforeman, object interface  */  class accesswrapper {     public static function factory($params) {          $ticket = $params['ticket'];          switch($ticket) {  //route appropriate sub class           case $ticket=="lightbox":             $inst = new lightbox($params);           break;           case $ticket=="gallery";             $inst = new gallery($params);           break;                 }        if ($inst instanceof pforeman) {         return $inst;       } else {         return void;       }      }     }

questions: process need token? , enough stop csrf?

you don't need worry csrf if request trivial updates (more on definition of "trivial updates" below). in typical csrf attack have:

  1. user logged website cookies website.
  2. in same browser session, user accesses website b.
  3. website b causes browser access url on website a.
  4. website responds request thinking came user.

because of same origin policy, website b can't see response of access; can cause access occur. if request trivial updates, user's browser display content site when accessing site b, know user entitled see data anyway because site have rejected request otherwise.

the user may freak out bit, call support of website a, whatever, there no data breach.

if requests more trivial updates, website b has caused user take action on site without being intent. bad user , site a.

so trivial updates safe without csrf protection. else needs protection.

"trivial updates" mean different things different sites. example, updating someone's bank balance not trivial. logging balance request in database trivial update? how performing time-consuming query? site's technical , business model determine consider trivial updates , acceptable leave unprotected csrf , feel must protected.

in model of app-authentication not user authentication, don't need worry csrf accesses public.

one final note, idea add no csrf protection on logout functionality. helps ensure user can logout, if bug happens in csrf validation. said, risk of site b can force logout of user site a. have pick makes sense you.


Comments

Post a Comment

Popular posts from this blog

python - Mongodb How to add addtional information when aggregating? -

i beginner , wrote line pipeline works, wanna add other information output, screen name , or number of tweets.i tried add under $group gave me syntax error everytime here pipeline: def make_pipeline(): # complete aggregation pipeline pipeline = [ { '$match': { "user.statuses_count": {"$gt":99 }, "user.time_zone": "brasilia" } }, { "$group": { "_id": "$user.id", "followers": { "$max": "$user.followers_count" } } }, { "$sort": { "followers": -1 } }, { "$limit" : 1 } ]; i using on example : { "_id" : objectid("5304e2e3cc9e684aa98bef97"), "text" : "first week of school on :p", "in_reply_to_status_id" : null, "retweet_count" : null, ...
Read more

java - Spring Data JPA: Why findOne(id) executing delete query internally? -

i have 1 application using @manytomany annotation link 2 different entities 1 parent entity. not sure if have implemented properly. when execute .findone() on parent entity's repository find it, @ first fetch data along executing delete queries internally delete record mapping table (a table jpa creates after adding @manytomany annotation.). following generated sql queries , code snippet: java class @entity @table(name = "inventory") public class inventory { @id long id; // many other properties @manytomany(fetch=fetchtype.lazy) private list<stream> streams; @manytomany(fetch=fetchtype.lazy) private list<subject> subjects; } there no other annotation i've put in stream , subject entity class link inventory class. when run app, create following tables: inventory stream subject inventory_stream inventory_subject (inventory_stream , inventory_subject, 2 tables created automatically, don't k...
Read more

java - Incorrect order of records in M-M relationship in hibernate -

Image
i have 4 records in bridge table in mysql database. using @manytomany in hibernate, accurate order of employees incorrect incorrect of projects. following required material figure out doing mistake. this source. @entity @table(name="project") public class projectbean { @id @generatedvalue @column(name="project_id") private int projectid; @column(name="title") private string projecttitle; @manytomany(mappedby="projects") private collection<employeebean> employees; public projectbean() { employees = new arraylist<employeebean>(); } //getters & setters } @entity @table(name="employee") public class employeebean { @id @generatedvalue @column(name="employee_id") private int employee_id; @column(name="first_name") private string ...
Read more