
Drupal 8 security features: Cross site request forgery (XSRF)

By Janez Urevc

Cross site request forgery (XSRF)

Cross site request forgery is a vulnerability in which a third-party site causes a user's browser to send requests to a site that trusts that user. Because the browser attaches the user's session cookies automatically, the trusted site cannot tell those requests from the user's own, and they are executed with the user's privileges. The results can be similar to XSS, but the mechanism is different: the attacker never runs code on the trusted site, it only triggers requests to it.

Let’s assume there existed a URL that deleted a Drupal node without confirmation. An attacker could then build a web page that tricks someone with admin permissions on the attacked site into clicking a link to that URL (or simply embed the URL as an image source, so no click is needed at all). This is where Drupal’s confirmation page comes into the equation.

Looks familiar?

Yes, this page does not exist to annoy you and your clients because “it introduces a UX regression due to an extra click”. It is actually there to protect you from XSRF attacks: a GET request must never change state on its own, so the deletion only happens on the POST of the confirmation form, and that POST carries the form token described below. (Drupal 8 routes that really must act on a GET link can instead require a token in the query string by setting `_csrf_token: 'TRUE'` in the route requirements.) Thank you Drupal!

Another kind of XSRF attack goes through a form. Let’s assume an attacker could trick an admin user’s browser into sending an unauthorized POST request to the permissions form in Drupal, for example from a hidden, auto-submitting form on the attacker’s page. This could have disastrous results: the attacker could grant any permission to themselves or to anonymous users.

In order to prevent that, Drupal’s Form API adds a form token to every form it renders for an authenticated user. The token is a SHA-256 HMAC computed with a secret key (Drupal’s private key and hash salt) and bound to the user’s session and the form, so a third-party site, which never sees that session, cannot compute it. If the token is missing or does not match, Drupal refuses the submission of that form. This ensures that the user who submitted the form actually loaded it too.

Drupal’s general recommendation is therefore to never hand-write custom HTML forms and to use the Form API instead, since a custom form gets neither the token nor its validation. Note also that forms rendered for anonymous users carry no token, so anything reachable without logging in must not perform privileged actions on the strength of the request alone.

Example

Someone tries to make a POST request on the admin user’s behalf. Since that person does not know the valid value of the form token, they either submit without it or with some arbitrary value.

Drupal detects that and refuses to accept the submitted data:
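The token generation from the paragraph above and the rejection described in this example, as an added stand-alone model written for this page (it is not Drupal's own implementation and not the author's code): a SHA-256 HMAC over the form id, keyed with the user's session id plus a site secret, verified in constant time. The session ids, secrets, form ids and POST payloads are constructed. Drupal's real tokens come from its CsrfTokenGenerator and differ in encoding and exact key material, but the properties shown here are the ones the post relies on.

```python
"""Model of Drupal's form-token check: an HMAC over the form id, keyed with a
session-bound secret, verified in constant time. Example code written for this
page, not Drupal code; every secret, session id and payload below is invented."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed site secrets standing in for Drupal's private key and hash salt.
PRIVATE_KEY = "c0ffee0123456789c0ffee0123456789"
HASH_SALT = "5a1700d5a17005a1700d5a1700"


def form_token(session_id: str, form_id: str) -> str:
    """Token handed out when a logged-in user loads a form: SHA-256 HMAC of the
    form id, keyed by session id + private key + hash salt. A third-party page
    never sees the victim's session cookie, so it cannot compute this value."""
    key = (session_id + PRIVATE_KEY + HASH_SALT).encode()
    return hmac.new(key, form_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str, form_id: str) -> Dict[str, str]:
    """Hidden fields the server embeds when it builds the form for this session."""
    return {"form_id": form_id, "form_token": form_token(session_id, form_id)}


def validate_submission(session_id: str, posted: Dict[str, str]) -> Tuple[bool, str]:
    """Server side of the POST: recompute the token for the *submitting* session
    and the form it claims to be, then compare in constant time."""
    form_id = posted.get("form_id")
    token = posted.get("form_token")
    if not form_id:
        return False, "missing form_id"
    if token is None:
        return False, "missing form_token"
    expected = form_token(session_id, form_id)
    if not hmac.compare_digest(token, expected):
        return False, "invalid form_token"
    return True, "ok"


ADMIN_SESSION = "sess-admin-4f2a"        # constructed session id of the admin
ATTACKER_SESSION = "sess-attacker-9b1"   # constructed session id of the attacker
PERMISSIONS_FORM = "user_admin_permissions"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """The legitimate submission plus the forgeries the post describes.
    In every forgery the admin's browser sends the request, so the server keys
    the check on ADMIN_SESSION regardless of where the payload came from."""
    hidden = render_form(ADMIN_SESSION, PERMISSIONS_FORM)
    grant = {"administer nodes[anonymous]": "1"}  # constructed form payload
    results = {}
    # 1. The admin loaded the form and submits it: token matches.
    results["admin_own_form"] = validate_submission(ADMIN_SESSION, {**hidden, **grant})
    # 2. Attacker's page auto-submits a POST with no token at all.
    results["no_token"] = validate_submission(
        ADMIN_SESSION, {"form_id": PERMISSIONS_FORM, **grant})
    # 3. Attacker guesses an arbitrary token value.
    results["guessed_token"] = validate_submission(
        ADMIN_SESSION, {"form_id": PERMISSIONS_FORM, "form_token": "deadbeef" * 8, **grant})
    # 4. Attacker embeds a token from their *own* session in the hidden form.
    stolen = render_form(ATTACKER_SESSION, PERMISSIONS_FORM)
    results["other_session_token"] = validate_submission(ADMIN_SESSION, {**stolen, **grant})
    # 5. A token the admin legitimately got for another form cannot be replayed here.
    other = render_form(ADMIN_SESSION, "node_delete_form")
    results["cross_form_token"] = validate_submission(
        ADMIN_SESSION, {**other, "form_id": PERMISSIONS_FORM, **grant})
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:20} accepted={accepted!s:5} ({reason})")
```

Only the first scenario is accepted; the other four are refused before any of the posted permission values are looked at. The point of keying on the session rather than on a global secret alone is scenario 4: an attacker with their own account can obtain a perfectly valid token for the same form, and it is still useless against another user's session.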

