csrf-magic

Securing your application against Cross-Site Request Forgery has never been easier. Why rewrite every form on your website when a program can do it for you? Simply drop this at the top of every PHP file:

require_once '/path/to/csrf-magic.php';

...and let the magic take care of the rest. Download it now! Or try out the demo.

News

csrf-magic 1.0.4 released

Posted 3:02 AM EDT on Wednesday, July 17, 2013

csrf-magic 1.0.4 contains some bug fixes for secret hashing and JavaScript support, and also has improved the default CSRF check failed splash page.

What is CSRF?

Cross-Site Request Forgery (CSRF) is a relatively new attack vector on websites today. It involves an attacker tricking a browser into performing an action on another website. Imagine this scenario: Bob, the human resources manager for a large and important company, has the ability to hire and fire with a click of a button. Specifically, a web form button. Mallory, as a practical joke, decides to stage a CSRF attack against Bob. She baits Bob with a webpage that automatically submits a form to the hire'n'fire website. The next morning, every employee finds a pink slip in his inbox.

Why csrf-magic?

The current standard for preventing CSRF is to generate a nonce that users must include with every form they submit. This is reasonably effective, but incredibly tedious work; if you are hand-writing your forms or have multiple avenues for POST data to enter your application, adding CSRF protection may not seem worth the trouble.

This is where csrf-magic comes into play. csrf-magic uses PHP's output buffering capabilities to dynamically rewrite forms and scripts in your document. It will also intercept POST requests and check their token (various algorithms are used; some generate nonces, some generate user-specific tokens). This means, for a traditional website with forms, you can drop csrf-magic into your application and forget about it!
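To make the mechanism concrete, here is a stripped-down version of the output-buffering approach described above. It is an added example, not csrf-magic's own code (the library's real API and token algorithms differ); the function names, the session key and the hidden field name `__csrf_demo` are assumptions.

```php
<?php
// Added example, not csrf-magic's own code: a minimal illustration of the
// output-buffer-rewrite approach. All names below are assumptions.

session_start();

// One random token per session, created on first use.
function csrf_demo_token(): string {
    if (empty($_SESSION['csrf_demo_token'])) {
        $_SESSION['csrf_demo_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_demo_token'];
}

// Output-buffer callback: append a hidden token field to every POST form
// found in the rendered page, so hand-written forms need no changes.
function csrf_demo_ob_handler(string $html): string {
    $field = '<input type="hidden" name="__csrf_demo" value="'
           . htmlspecialchars(csrf_demo_token(), ENT_QUOTES, 'UTF-8') . '" />';
    // Match <form ... method="post" ...> (any case, quoted or not) and insert
    // the field directly after the opening tag.
    return preg_replace_callback(
        '#<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>#i',
        function (array $m) use ($field): string { return $m[0] . $field; },
        $html
    );
}

// Intercept POST requests before the application sees them: reject any
// request whose token is missing or does not match the session token.
function csrf_demo_check(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;
    }
    $sent = $_POST['__csrf_demo'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_demo_token(), $sent)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    unset($_POST['__csrf_demo']); // keep the token out of application data
}

// Included at the top of each PHP file, as the page suggests.
csrf_demo_check();
ob_start('csrf_demo_ob_handler');
```

This only rewrites HTML forms; csrf-magic itself also covers JavaScript-initiated requests, which a regex over the output buffer alone cannot handle.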

External links