Bitcoin Forum

Other => Off-topic => Topic started by: cuddlefish on June 16, 2011, 08:03:57 PM



Title: Please, protect against CSRF
Post by: cuddlefish on June 16, 2011, 08:03:57 PM
A lot of sites I've seen (Bitcoin7, Witcoin (http://security.witcoin.com/p/1810/CSRF-test)) are very vulnerable to CSRF attacks.

Use a token! Use a token!


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 16, 2011, 08:11:57 PM
And use https://www.owasp.org/index.php/PHP_CSRF_Guard!


Title: Re: Please, protect against CSRF
Post by: wumpus on June 16, 2011, 08:21:00 PM
Shouldn't this be in "Development"?

I fully agree, though.


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 16, 2011, 08:21:48 PM
Shouldn't this be in "Development"?

I fully agree, though.


That's more of the bitcoin client itself.


Title: Re: Please, protect against CSRF
Post by: genjix on June 17, 2011, 01:10:20 AM
phantomcircuit added this to Britcoin already a few days ago,
https://gitorious.org/intersango/intersango/blobs/master/www/index.php

:)


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 17, 2011, 01:25:29 AM
phantomcircuit added this to Britcoin already a few days ago,
https://gitorious.org/intersango/intersango/blobs/master/www/index.php

:)

Congrats.


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 18, 2011, 03:54:43 AM
bitlockers.com and mtgox.com also vulnerable


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 18, 2011, 04:15:16 AM
https://bitoption.org/sendBTC?btc=0.1&address=1KNdGiKu8JwGSyn2R6gQ9yY9KcLJxCGXjB

Yes, bitoption.org is not just vulnerable, but they need to learn what a POST request is...

Heck, I could put that as a forum image and you /already would have been hacked./


Title: Re: Please, protect against CSRF
Post by: bitoption on June 18, 2011, 04:52:45 AM
I've just cleared my schedule for a few hours.


Title: Re: Please, protect against CSRF
Post by: lemonginger on June 18, 2011, 05:28:29 AM
WTF?

There should be a bitcoin site code auditor team put together stat. Trusted coders with experience coding financial software that can give an voluntary "seal of approval". Too many people trying to get rich quick jumping in the game too quick with some basic errors.


Title: Re: Please, protect against CSRF
Post by: bitoption on June 18, 2011, 05:44:15 AM
Cuddlefish, thanks for the heads up. I'm implementing fixes right now.

As an aside, we got to it early; there is an attempted exploit out in the wild for bitoption right now, but it was unsuccessful.


Title: Re: Please, protect against CSRF
Post by: bitoption on June 18, 2011, 05:53:01 AM
p.s. try the link.


Title: Re: Please, protect against CSRF
Post by: bitoption on June 18, 2011, 09:44:48 AM
OK, we are now requiring POSTs and using server-generated xsrf tokens for all form submission, html or ajax.

My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 18, 2011, 05:53:36 PM
OK, we are now requiring POSTs and using server-generated xsrf tokens for all form submission, html or ajax.

My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.


Perhaps a getToken api call that returns a CSRF token?


Title: Re: Please, protect against CSRF
Post by: randomguy7 on June 18, 2011, 06:07:51 PM
https://www.owasp.org/index.php/ESAPI


Title: Re: Please, protect against CSRF
Post by: bitoption on June 18, 2011, 07:13:01 PM
Re: API, yes, that's a possibility. The other option is that API devs pull the data from the cookie directly; re: ESAPI, thanks, I'll check it out.


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 18, 2011, 09:09:48 PM
http://forum.bitcoin.org/index.php?topic=19096.msg239696#msg239696 NoFeeMining.com: CSRFable.


Title: Re: Please, protect against CSRF
Post by: nrd525 on June 20, 2011, 06:17:47 AM
Are sessions a safer way to go than cookies?

I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 20, 2011, 06:23:40 AM
Are sessions a safer way to go than cookies?

I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.

Irrelevant. The only effective way is:
GETs for anything that doesn't issue an INSERT, DELETE, or UPDATE.
POSTs for stuff that does, and require a CSRF token.
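The rule in the post above (state changes only on POST, and every POST carries a server-issued token), together with the bitoption.org URL earlier in the thread that moved coins on a bare GET, as an added example. This is not code from bitoption, Bitcoin7, Witcoin or any other site named here, and it is written in Python rather than the PHP those sites ran on, because the logic is what matters. The endpoint path and the btc/address parameter names are taken from the URL quoted in the thread; the session store, the balance table and the user "alice" are constructed for the demonstration.

```python
"""Synchronizer-token CSRF protection for a state-changing endpoint.

Added example, not code from any site named in the thread. The endpoint
name (/sendBTC), the parameter names and the in-memory session and balance
stores are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed state: one logged-in user ("alice") holding 5 BTC.
BALANCES = {"alice": 5.0}
SESSIONS: dict = {}          # session id -> {"user": ..., "csrf": ...}


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query string or form body
    cookies: dict = field(default_factory=dict)  # attached automatically by the browser


def login(user: str) -> str:
    """Create a session and a per-session CSRF token (minted once, compared on every POST)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the server embeds in its own forms as a hidden field."""
    return SESSIONS[sid]["csrf"]


def _transfer(user: str, amount: float) -> None:
    if BALANCES[user] < amount:
        raise ValueError("insufficient funds")
    BALANCES[user] -= amount


def send_btc_vulnerable(req: Request) -> int:
    """The pattern the thread complains about: a state change on GET, authorised by cookie alone.
    Any page that embeds <img src="https://site/sendBTC?btc=0.1&address=..."> drives it."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401
    _transfer(session["user"], float(req.params["btc"]))
    return 200


def send_btc_hardened(req: Request) -> int:
    """Require POST, then require a token equal to the one stored in the session."""
    if req.method != "POST":
        return 405                      # an <img> tag or a plain link can only GET
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401
    submitted = req.params.get("csrf_token", "")
    # Constant-time compare so a timing side channel cannot be used to guess the token.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403                      # a cross-site page cannot read the token to supply it
    _transfer(session["user"], float(req.params["btc"]))
    return 200


def demo() -> dict:
    """Replay the three requests that matter and report status codes and balances."""
    BALANCES["alice"] = 5.0
    sid = login("alice")
    cookies = {"sid": sid}              # the browser sends this with every request to the site
    target = {"btc": "0.1", "address": "attacker-address"}   # constructed payout target

    # 1. Attacker's <img> tag: a GET carrying the victim's cookie, no token.
    img_get = Request("GET", "/sendBTC", dict(target), cookies)
    # 2. Attacker's auto-submitting form: a POST carrying the cookie, still no token.
    forged_post = Request("POST", "/sendBTC", dict(target), cookies)
    # 3. The site's own form: a POST carrying the hidden csrf_token field.
    legit_post = Request("POST", "/sendBTC", {**target, "csrf_token": csrf_token_for(sid)}, cookies)

    vulnerable_status = send_btc_vulnerable(img_get)   # 200: 0.1 BTC gone
    balance_after_vulnerable = BALANCES["alice"]
    BALANCES["alice"] = 5.0
    return {
        "vulnerable_img_get": vulnerable_status,
        "balance_after_vulnerable": balance_after_vulnerable,     # 4.9
        "hardened_img_get": send_btc_hardened(img_get),           # 405
        "hardened_forged_post": send_btc_hardened(forged_post),   # 403
        "hardened_legit_post": send_btc_hardened(legit_post),     # 200
        "balance_after_hardened": BALANCES["alice"],              # 4.9, only the legit POST paid out
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token is issued once per session and stored server-side, so the only thing a cross-origin page can do is trigger the request; it cannot read the site's form to copy the hidden field. Turning the endpoint into POST-only is what defeats the `<img>` tag; the token is what defeats an attacker-hosted auto-submitting form, since the browser sends the session cookie with that too.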


Title: Re: Please, protect against CSRF
Post by: lemonginger on June 20, 2011, 03:34:21 PM
why was this moved to offtopic?

Security seems to be about the most on topic discussion of all for bitcoin this week


Title: Re: Please, protect against CSRF
Post by: cuddlefish on June 20, 2011, 06:38:03 PM
why was this moved to offtopic?

Security seems to be about the most on topic discussion of all for bitcoin this week

I did. Suggest a better forum, I'll move it there.


Title: Re: Please, protect against CSRF
Post by: jrmithdobbs on June 21, 2011, 06:26:51 AM
why was this moved to offtopic?

Security seems to be about the most on topic discussion of all for bitcoin this week

I did. Suggest a better forum, I'll move it there.

But there's not a clowns forum!

http://www.youtube.com/watch?v=_B0CyOAO8y0


Title: Re: Please, protect against CSRF
Post by: PCRon on June 24, 2011, 06:13:47 PM
Sorry... What is CSRF?


Title: Re: Please, protect against CSRF
Post by: SlipperySlope on June 24, 2011, 10:11:01 PM
Sorry... What is CSRF?

I'm writing a set of Java clients for popular exchanges and for the last two days I've been debugging communications with the TradeHill API.  The error message has been ....

    Forbidden 403
    CSRF verification failed. Request aborted.

TradeHill says that they will look into their django server configuration regarding a possible fix that I found on the internet.

CSRF is an acronym for Cross Site Request Fraud, and what the original poster wants is for bitcoin financial web sites to enforce security so that someone else cannot hijack your session with the web site.  CSRF is a protocol in which the server sends to you a certain random token and which your client, e.g. a web browser, returns to prove that you are the same entity that originally started the session.

For example, TradeHill sends me the following HTTP header when I perform an HTTP request against their API URL at https://api-test.tradehill.com/APIv1/USD/GetBalance ..

Set-Cookie:  csrftoken=35d13f0f2708ee17b0834719b902ad65; Max-Age=31449600; Path=/  <== GENERATED BY TRADEHILL, UNIQUE FOR EACH SESSION

My subsequent API request must specify that token when performing an HTTP POST, e.g. ...

X-CSRFToken: 35d13f0f2708ee17b0834719b902ad65  <== PROVES THAT I ORIGINATED THE SESSION
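The cookie-plus-header exchange quoted above is the double-submit cookie pattern (Django's csrftoken cookie and X-CSRFToken header), and it is also what bitoption was describing earlier in the thread when it suggested that API developers pull the token out of the cookie directly instead of calling a getToken endpoint. Here it is as an added example, with both the server-side check and the client-side handling. This is not TradeHill's, Django's or bitoption's code; the cookie and header names match the post, while the token values, the ApiClient class and the reasons returned are constructed. What the server actually verifies is that the value in the header equals the value in the cookie: the browser attaches the cookie to any request, including one forged from another site, but only a page on the site's own origin can read the cookie and copy it into a header.

```python
"""Double-submit cookie CSRF check (the csrftoken cookie / X-CSRFToken header scheme).

Added example; not TradeHill's, Django's or bitoption's code. Token values,
the ApiClient class and the response reasons are constructed for illustration.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRFToken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # must never change state


# --- server side --------------------------------------------------------------

def issue_csrf_cookie() -> str:
    """Set-Cookie value the server sends once per session, shaped like the one in the post."""
    token = secrets.token_hex(16)        # 32 hex characters, as in the quoted cookie
    return f"{COOKIE_NAME}={token}; Max-Age=31449600; Path=/"


def csrf_check(method: str, cookies: dict, headers: dict) -> tuple:
    """Accept a request only if the token in the cookie equals the token in the header.

    The browser attaches the cookie to every request to the site, forged ones
    included; only code running on the site's own origin can read the cookie and
    echo it in a header, so a match shows the request came from that code."""
    if method in SAFE_METHODS:
        return True, "safe method, not checked"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    header_token = headers.get(HEADER_NAME, "")
    # Constant-time compare so the token cannot be recovered through timing.
    if not hmac.compare_digest(header_token, cookie_token):
        return False, "CSRF verification failed. Request aborted."
    return True, "ok"


# --- client side (what an API client has to do) -------------------------------

class ApiClient:
    """Stand-in for a non-browser API client: keeps the cookies it was given in
    Set-Cookie and echoes csrftoken in X-CSRFToken on every state-changing call."""

    def __init__(self) -> None:
        self.cookies: dict = {}

    def absorb_set_cookie(self, set_cookie_header: str) -> None:
        jar = SimpleCookie()
        jar.load(set_cookie_header)      # parses "name=value; Max-Age=...; Path=/"
        for name, morsel in jar.items():
            self.cookies[name] = morsel.value

    def post_headers(self) -> dict:
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if COOKIE_NAME in self.cookies:
            headers[HEADER_NAME] = self.cookies[COOKIE_NAME]
        return headers


def demo() -> dict:
    """Run the cases a practitioner cares about and return the verdicts."""
    client = ApiClient()
    client.absorb_set_cookie(issue_csrf_cookie())

    # Correct client: cookie and header carry the same token.
    correct, _ = csrf_check("POST", client.cookies, client.post_headers())
    # Client that sends the cookie but forgot the header: the 403 quoted above.
    forgot, why = csrf_check("POST", client.cookies, {})
    # Forged cross-site POST: the browser supplies the cookie, the attacker cannot
    # read it, so the best it can do is a guessed header value.
    forged, _ = csrf_check("POST", client.cookies, {HEADER_NAME: secrets.token_hex(16)})
    # Safe methods are exempt, which is only safe if GET never changes state.
    get_exempt, _ = csrf_check("GET", client.cookies, {})
    return {"correct": correct, "forgot_header": forgot, "forgot_reason": why,
            "forged": forged, "get_exempt": get_exempt}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For a browser this is automatic once the page's JavaScript reads the cookie and sets the header; for a standalone API client, as in the post above, the client has to do the same two steps itself, which is exactly the work that produced the 403. Because the check exempts safe methods, it gives no protection to a site that still changes state on GET.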