Securing your application against Cross-Site Request Forgery has never been easier. Why rewrite every form on your website when a program can do it for you? Simply drop this at the top of every PHP file:
require_once '/path/to/csrf-magic.php';
...and let the magic take care of the rest. Download it now! Or try out the demo.
News
csrf-magic 1.0.4 released
csrf-magic 1.0.4 contains some bug fixes for secret hashing and JavaScript support, and also has improved the default CSRF check failed splash page.
What is CSRF?
Cross-Site Request Forgery (CSRF) is a relatively new attack vector on websites today. It involves an attacker tricking a user's browser into performing an action on another website on that user's behalf. Imagine this scenario: Bob, the human resources manager for a large and important company, has the ability to hire and fire with a click of a button. Specifically, a web form button. Mallory, as a practical joke, decides to stage a CSRF attack against Bob. She baits Bob with a webpage that automatically submits a form to the hire'n'fire website. The next morning, every employee finds a pink slip in his inbox.
Why csrf-magic?
The current standard for preventing CSRF is requiring a nonce to be included in every form a user submits. This is reasonably effective, but incredibly tedious work; if you are hand-writing your forms or have multiple avenues for POST data to enter your application, adding CSRF protection may not seem worth the trouble.
This is where csrf-magic comes into play. csrf-magic uses PHP's output buffering capabilities to dynamically rewrite forms and scripts in your document. It will also intercept POST requests and check their token (various algorithms are used; some generate nonces, some generate user-specific tokens). This means, for a traditional website with forms, you can drop csrf-magic into your application and forget about it!
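To make the output-buffering idea concrete, here is a stripped-down illustration of the same technique. It is an added example, not csrf-magic's own code: the function names, the CSRF_FIELD constant, the "assumed-server-secret" and "assumed-session-id" values are all assumptions. It generates a user-specific token as an HMAC over the session id, rejects POST requests whose token does not match, and registers an ob_start callback that injects a hidden token field into every POST form in the page output.

```php
<?php
// Added example of the rewrite-and-check technique; not csrf-magic's code.
// Assumed names: CSRF_FIELD, csrf_token(), csrf_check(), csrf_rewrite_forms(), csrf_protect().
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

// User-specific token: HMAC of the session id under a server-side secret.
// A real deployment would use session_id() and a secret stored outside the web root.
function csrf_token(string $sessionId, string $secret): string
{
    return hash_hmac('sha256', 'csrf:' . $sessionId, $secret);
}

// Constant-time comparison so the check does not leak the token byte by byte.
function csrf_check(array $post, string $sessionId, string $secret): bool
{
    if (!isset($post[CSRF_FIELD]) || !is_string($post[CSRF_FIELD])) {
        return false;
    }
    return hash_equals(csrf_token($sessionId, $secret), $post[CSRF_FIELD]);
}

// Output-buffer callback: append a hidden token field to every <form method="post">.
// GET forms are left alone; they should not perform state-changing actions anyway.
function csrf_rewrite_forms(string $html, string $token): string
{
    $hidden = '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    return preg_replace_callback(
        '#<form\b[^>]*>#i',
        static function (array $m) use ($hidden): string {
            if (!preg_match('/\bmethod\s*=\s*["\']?post["\']?/i', $m[0])) {
                return $m[0];
            }
            return $m[0] . $hidden;
        },
        $html
    );
}

// The "drop it at the top of the file" hook: reject bad POSTs, then buffer and rewrite output.
function csrf_protect(string $sessionId, string $secret): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
        && !csrf_check($_POST, $sessionId, $secret)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    $token = csrf_token($sessionId, $secret);
    ob_start(static fn(string $buf): string => csrf_rewrite_forms($buf, $token));
}

// Command-line demo with constructed values, so the rewrite and check can be seen offline.
if (PHP_SAPI === 'cli') {
    $secret = 'assumed-server-secret';   // constructed
    $sid    = 'assumed-session-id';      // constructed
    $token  = csrf_token($sid, $secret);

    $page = '<form method="post" action="/fire"><button>Fire</button></form>'
          . '<form method="get" action="/search"><input name="q"></form>';
    echo csrf_rewrite_forms($page, $token), PHP_EOL;

    echo 'valid token accepted: ', var_export(csrf_check([CSRF_FIELD => $token], $sid, $secret), true), PHP_EOL;
    echo 'forged token rejected: ', var_export(!csrf_check([CSRF_FIELD => 'forged'], $sid, $secret), true), PHP_EOL;
    echo 'missing token rejected: ', var_export(!csrf_check([], $sid, $secret), true), PHP_EOL;
}
```

Two limitations worth keeping in mind when comparing this sketch with the real library: the rewrite only reaches forms that pass through the output buffer, so POST requests built by JavaScript or sent by non-browser clients need the token supplied another way (csrf-magic's script rewriting exists for exactly that reason), and the token here is bound to the session rather than being a one-time nonce, so it must be treated as secret for the lifetime of the session.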
External links
- repo.or.cz, the location of our Git source code repository. Bleeding edge development builds can be found here. They are also mirrored here.
- CSRFx, a similar library with similar goals. They haven't made a release yet, but the code in the repository is working.
- Django CSRF Middleware, an extension for the Python web framework that has the same basic ideas as ours for rewriting output.
- Direct Web Remoting, a JavaScript/Java framework that features AJAX rewriting for CSRF protection.
- HTML Purifier, a standards-compliant XSS filter. If your site is vulnerable to XSS, the best CSRF protection in the world won't save you.