Protecting your Drupal module against Cross Site Request Forgeries

Cross Site Request Forgeries (CSRF) are the 3rd most common vulnerability in Drupal and yet they are quite easy to protect against. The precise solution depends on where the problem is, but is never too complex to implement. To start, of course, we need to understand what CSRF actually is.

This article is now part of the Knowledge Base of Drupal security articles on Drupal Scout.

Read the rest of Protecting your Drupal module against Cross Site Request Forgeries

This page is kept so the comments posted here are available since they provide additional help and insights.

Comments

Submission

Submitted by Heine (not verified) on Fri, 12/11/2009 - 02:21.

So, you use forms for every major action on the site that changes data and you will be protected against CSRF.

Provided you only take "actions" in the submit handler (or if you know it ran already). #576276 is a proposal to prevent accidents with validation handlers.

I've recently moved to expose

Submitted by alex_b (not verified) on Fri, 12/11/2009 - 08:43.

I've recently moved to expose modifying actions exclusively as forms for exactly the http accelerators you mention. The off-chance that an important site configuration goes bye-bye because somebody visits the site with an accelerator enabled is still scary (Here's a post from '05 by 37 signals reporting how Google Web Accelerator nuked Backpack pages ).

Thank you for the writeup!

W3 guidelines for handling arguments

Submitted by Damien McKenna (not verified) on Fri, 12/11/2009 - 09:06.

There's also the issue that you shouldn't be using GET arguments for manipulating, especially deleting, data. Remember the snafu in 2005 when Google's Accelerator engine started causing problems on sites that had all of these Delete actions available as just standard links (with / without JS "confirmation") rather than via POST arguments (i.e. a form submission)? This seems like part of the same problem - you shouldn't be doing destructive actions by using GET arguments.

D7 GET protection

Submitted by Ben Jeavons on Tue, 04/06/2010 - 13:22.

There's an issue now for Drupal 7 to add token support in url(), l(), and hook_menu(). http://drupal.org/node/755584

Some tips.

Submitted by Harlow (not verified) on Sat, 02/26/2011 - 13:11.

I recently read through this article to deal with some cross request stuff in general and found it to be quite helpful. It helped me think outside the realm of Drupal a little bit which helped. Lemme know what you think.

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

The Book, The Report

Cracking Drupal: A Drop in the Bucket

Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.

Drupal Security White Paper

Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report

Security Review Module

If you are concerned about whether your site is secure, consider using the Security Review Module to get a free review of your site's security health. Did it find problems? Consider hiring a security expert from Drupal Scout to audit your site.

Recent Blog Posts

Improvements to Security in Drupal 7

Posted by greggles

0 comments
Why counting vulnerabilities is not a sufficient method of comparing product security

Posted by greggles

0 comments
Notes from Linux Security Tunables by Kees Cook

Posted by greggles

0 comments