Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?
Tags: csrf

Accepted answer
Score: 36

There's a means of CSRF whenever malicious HTML or JavaScript which is targeted at your website has been embedded in another HTML page (or an email message) and has been successfully executed.

An example is the following, which is placed in another webpage which innocently asks for your name and age before proceeding:

<!-- Attacker-hosted page: the action targets the victim site, the browser attaches the victim's cookies -->
<form action="http://yoursite.com/transferfunds" method="post">
    Your name: <input type="text"><br>
    Your age: <input type="text"><br>
    <input type="submit">
    <!-- Hidden fields carry the real POST payload -->
    <input type="hidden" name="amount" value="1000">
    <input type="hidden" name="toaccount" value="12345678">
</form>

Note that the action points to your website and that the hidden inputs contain the needed POST information. This example will try to transfer a fund of 1000 (in whatever currency) to account number 12345678. If you require a login on your form and also actually check on that, then the above will of course only be successfully executed if the unaware user has recently logged in to your website, but has not logged out yet, or the session has not expired yet.

To prevent that from happening, your best bet is to add a request-based token to the form and validate it on the server side. I.e. generate a long, unique and impossible-to-guess random string which you store in the session and embed as an <input type="hidden"> element of the form. When the form is submitted, compare the submitted token value with the one already in the session (and immediately remove the one in the session). To go a step further, make use of a CAPTCHA.

In your particular case, I think you're actually more worried about XSS, which is an opposite of CSRF, but which in turn can also be a source for CSRF. An example of XSS is when the user enters the following in an input field which is going to be redisplayed sooner or later at the same website:

<form name="delete" action="admin/deleteusers" method="post"></form>

Whenever you, as the administrator, view the page with the comment with the (invisible!) form and script inside, then it will be successfully executed.

Preventing XSS is actually quite easy. Just HTML-escape any user-controlled input (i.e. request URL, request headers, request parameters and request body) prior to displaying them on the webpage. In PHP you can use htmlspecialchars() for this and in Java/JSP the JSTL fn:escapeXml(). This way, among others, the < will be converted to &lt; and > to &gt;, which will make sure that any entered HTML/JS will be displayed literally as-is and thus can't be executed.
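The token scheme from the answer (generate an unguessable value, store it in the session, embed it as a hidden input, compare on submit and remove it from the session) together with HTML-escaping of redisplayed input, as an added example that is not part of the original answer. It uses a constructed in-memory dict as a stand-in for the server's session store and a plain function in place of a real /transferfunds request handler; the route name, the `SESSIONS` store and the starting balance are assumptions for illustration.

```python
import hmac
import html
import secrets

# Constructed in-memory stand-in for the server-side session store
# (session id -> session data). A real application would use its
# framework's session object instead; this is an assumption for the demo.
SESSIONS = {}


def login(user):
    """Create a logged-in session and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "balance": 5000}
    return sid


def issue_csrf_token(sid):
    """Generate a long, unguessable random token and store it in the session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def render_transfer_form(sid):
    """Render the legitimate form with the token embedded as a hidden input."""
    token = issue_csrf_token(sid)
    return (
        '<form action="/transferfunds" method="post">\n'
        f'  <input type="hidden" name="csrf_token" value="{html.escape(token)}">\n'
        '  Amount: <input type="text" name="amount"><br>\n'
        '  To account: <input type="text" name="toaccount"><br>\n'
        '  <input type="submit">\n'
        '</form>'
    )


def render_receipt(toaccount, amount):
    """Redisplay user-controlled input HTML-escaped so injected markup is inert."""
    return f"<p>Transferred {int(amount)} to account {html.escape(toaccount)}</p>"


def handle_transfer(sid, form):
    """POST /transferfunds. sid is the session cookie the browser attaches on
    its own (which is what CSRF abuses); form is the submitted POST data.
    Returns (status, body)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "login required"
    # Remove the token from the session as soon as it is looked at, so each
    # token is single use. A failed attempt also consumes it; the user then
    # has to reload the form, which is the safe failure mode.
    expected = session.pop("csrf_token", None)
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if expected is None or not hmac.compare_digest(
            expected.encode(), submitted.encode()):
        return 403, "missing or invalid CSRF token"
    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return 400, "bad amount"
    if amount <= 0 or amount > session["balance"]:
        return 400, "bad amount"
    session["balance"] -= amount
    return 200, render_receipt(form.get("toaccount", ""), amount)


def demo():
    """Walk through the scenarios from the answer; returns the outcomes seen."""
    sid = login("alice")
    results = {}
    # Legitimate submission: the browser posts the token the server embedded.
    render_transfer_form(sid)
    token = SESSIONS[sid]["csrf_token"]
    results["legitimate"] = handle_transfer(
        sid, {"csrf_token": token, "amount": "100", "toaccount": "12345678"})[0]
    # Replay of the same token: it was removed from the session on first use.
    results["replay"] = handle_transfer(
        sid, {"csrf_token": token, "amount": "100", "toaccount": "12345678"})[0]
    # Forged form on another site: the cookie goes along, the hidden token does
    # not, because the attacker's page cannot read alice's session.
    render_transfer_form(sid)
    results["forged"] = handle_transfer(
        sid, {"amount": "1000", "toaccount": "12345678"})[0]
    # Attacker guessing a token value.
    render_transfer_form(sid)
    results["guessed"] = handle_transfer(
        sid, {"csrf_token": "AAAA", "amount": "1000", "toaccount": "12345678"})[0]
    results["balance"] = SESSIONS[sid]["balance"]
    return results


if __name__ == "__main__":
    print(demo())
```

The forged form from the answer fails here even though the victim's session cookie is sent: the check depends on a value the attacker's page cannot read, not on whether the user is logged in. `render_receipt` shows the XSS side: a `toaccount` value of `<script>` comes back as `&lt;script&gt;` and is displayed literally.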
