Bitcoin Forum
Author Topic: Please, protect against CSRF  (Read 3951 times)
cuddlefish (Full Member), June 16, 2011, 08:03:57 PM, post #1

A lot of sites I've seen (Bitcoin7, Witcoin) are very vulnerable to CSRF attacks.

Use a token! Use a token!

cuddlefish (Full Member), June 16, 2011, 08:11:57 PM, post #2

And use https://www.owasp.org/index.php/PHP_CSRF_Guard!

wumpus (Hero Member), June 16, 2011, 08:21:00 PM, post #3

Shouldn't this be in "Development"?

I fully agree, though.

cuddlefish (Full Member), June 16, 2011, 08:21:48 PM, post #4

Quote from: wumpus on June 16, 2011, 08:21:00 PM
  Shouldn't this be in "Development"?
  I fully agree, though.

That's more of the bitcoin client itself.

genjix (Legendary), June 17, 2011, 01:10:20 AM, post #5

phantomcircuit added this to Britcoin already a few days ago,
https://gitorious.org/intersango/intersango/blobs/master/www/index.php

:)
cuddlefish (Full Member), June 17, 2011, 01:25:29 AM, post #6

Quote from: genjix on June 17, 2011, 01:10:20 AM
  phantomcircuit added this to Britcoin already a few days ago,
  https://gitorious.org/intersango/intersango/blobs/master/www/index.php
  :)

Congrats.

cuddlefish (Full Member), June 18, 2011, 03:54:43 AM, post #7

bitlockers.com and mtgox.com also vulnerable

cuddlefish (Full Member), June 18, 2011, 04:15:16 AM, post #8

https://bitoption.org/sendBTC?btc=0.1&address=1KNdGiKu8JwGSyn2R6gQ9yY9KcLJxCGXjB

Yes, bitoption.org is not just vulnerable, but they need to learn what a POST request is...

Heck, I could put that as a forum image and you already would have been hacked.

bitoption (Jr. Member), June 18, 2011, 04:52:45 AM, post #9

I've just cleared my schedule for a few hours.

----** In Beta: The First Bitcoin Options Market ----**

Explanation and discussion: http://forum.bitcoin.org/index.php?topic=9611.0

API Developer Thread:
http://forum.bitcoin.org/index.php?topic=14194.0

-----------------------------------------------------------
lemonginger (Full Member), June 18, 2011, 05:28:29 AM, post #10

WTF?

There should be a bitcoin site code auditor team put together stat. Trusted coders with experience coding financial software that can give a voluntary "seal of approval". Too many people trying to get rich quick are jumping in the game too quickly with some basic errors.
bitoption (Jr. Member), June 18, 2011, 05:44:15 AM, post #11

Cuddlefish, thanks for the heads up. I'm implementing fixes right now.

As an aside, we got to it early; there is an attempted exploit out in the wild for bitoption right now, but it was unsuccessful.

bitoption (Jr. Member), June 18, 2011, 05:53:01 AM, post #12

p.s. try the link.

bitoption (Jr. Member), June 18, 2011, 09:44:48 AM, post #13

OK, we are now requiring POSTs and using server-generated XSRF tokens for all form submission, HTML or AJAX.

My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.

cuddlefish (Full Member), June 18, 2011, 05:53:36 PM, post #14

Quote from: bitoption on June 18, 2011, 09:44:48 AM
  OK, we are now requiring POSTs and using server-generated XSRF tokens for all form submission, HTML or AJAX.
  My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.

Perhaps a getToken api call that returns a CSRF token?

randomguy7 (Hero Member), June 18, 2011, 06:07:51 PM, post #15

https://www.owasp.org/index.php/ESAPI
bitoption (Jr. Member), June 18, 2011, 07:13:01 PM, post #16

Re: API, yes, that's a possibility. The other option is that API devs pull the data from the cookie directly; re: ESAPI, thanks, I'll check it out.

cuddlefish (Full Member), June 18, 2011, 09:09:48 PM, post #17

http://forum.bitcoin.org/index.php?topic=19096.msg239696#msg239696 NoFeeMining.com: CSRFable.

nrd525 (Legendary), June 20, 2011, 06:17:47 AM, post #18

Are sessions a safer way to go than cookies?

I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.

cuddlefish (Full Member), June 20, 2011, 06:23:40 AM, post #19

Quote from: nrd525 on June 20, 2011, 06:17:47 AM
  Are sessions a safer way to go than cookies?
  I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.

Irrelevant. The only effective way is:
GETs for anything that doesn't issue an INSERT, DELETE, or UPDATE.
POSTs for stuff that does, and require a CSRF token.
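
Added example, not code from this thread or from any of the sites named in it. It models the three points made in posts #8, #14/#16 and #19 in one small request handler: a GET endpoint with side effects is drained by an image the victim's browser loads while logged in, whatever the server uses to track the login; a getToken call can hand an API client a session-bound token; and the fix is POST plus a token the attacker's page cannot know. Everything in it is constructed: the session ids, the account labels standing in for Bitcoin addresses, and the /getToken endpoint are hypothetical and not bitoption's real API.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server state (hypothetical): one server secret, one logged-in
# user "alice", and balances keyed by account label instead of addresses.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-alice": "alice"}
BALANCES = {}


def reset_balances():
    """Start every scenario from the same ledger."""
    BALANCES.clear()
    BALANCES.update({"alice": 1.0, "bob": 0.0, "attacker": 0.0})


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # browser attaches these even cross-site
    params: dict = field(default_factory=dict)   # query string (GET) or form body (POST)


@dataclass
class Response:
    status: int
    body: str


def session_user(req):
    """Whether login state lives in a PHP session or a cookie makes no difference:
    the browser sends the session cookie on a forged request either way."""
    sid = req.cookies.get("session")
    return sid, SESSIONS.get(sid)


def csrf_token(session_id):
    """Session-bound token: HMAC(server secret, session id). Unforgeable without the
    secret and useless for any other session. Also what a getToken call returns."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def get_token(req):
    """Hypothetical GET /getToken for API clients: read-only, so GET is fine here."""
    sid, user = session_user(req)
    if user is None:
        return Response(401, "login required")
    return Response(200, csrf_token(sid))


def transfer(user, req):
    amount = float(req.params["btc"])
    dest = req.params["address"]
    if amount <= 0 or BALANCES[user] < amount:
        return Response(400, "insufficient funds")
    BALANCES[user] -= amount
    BALANCES[dest] = BALANCES.get(dest, 0.0) + amount
    return Response(200, f"sent {amount} to {dest}")


def vulnerable_send(req):
    """The sendBTC shape criticised in post #8: a GET with side effects,
    authenticated by nothing but the session cookie."""
    sid, user = session_user(req)
    if user is None:
        return Response(401, "login required")
    return transfer(user, req)


def hardened_send(req):
    """Same operation behind the rule in post #19: POST only, plus a token check."""
    sid, user = session_user(req)
    if user is None:
        return Response(401, "login required")
    if req.method != "POST":
        return Response(405, "POST required")  # an <img> can only ever send a GET
    supplied = req.params.get("csrf_token", "")
    # Constant-time compare on bytes (compare_digest on str rejects non-ASCII input).
    if not hmac.compare_digest(supplied.encode(), csrf_token(sid).encode()):
        return Response(403, "bad or missing CSRF token")
    return transfer(user, req)


# Requests alice's browser would emit while she is logged in (constructed).
VICTIM_COOKIES = {"session": "sess-alice"}
STEAL = {"btc": "0.1", "address": "attacker"}


def forged_img_get():
    """<img src="https://site/sendBTC?btc=0.1&address=attacker"> on an attacker page."""
    return Request("GET", "/sendBTC", dict(VICTIM_COOKIES), dict(STEAL))


def forged_post():
    """An auto-submitting form on the attacker's page: still cross-site, still no token."""
    return Request("POST", "/sendBTC", dict(VICTIM_COOKIES), dict(STEAL))


def legitimate_post():
    """The site's own form, carrying the token it embedded for this session."""
    return Request("POST", "/sendBTC", dict(VICTIM_COOKIES),
                   {"btc": "0.1", "address": "bob", "csrf_token": csrf_token("sess-alice")})


def wrong_session_post():
    """A token minted for another (hypothetical) session must not transfer."""
    return Request("POST", "/sendBTC", dict(VICTIM_COOKIES),
                   {"btc": "0.1", "address": "bob", "csrf_token": csrf_token("sess-mallory")})


def run_scenarios():
    """Returns {scenario: (HTTP status, alice's balance afterwards)}."""
    out = {}
    for name, handler, req in [
        ("vulnerable_img", vulnerable_send, forged_img_get()),
        ("hardened_img", hardened_send, forged_img_get()),
        ("hardened_forged_post", hardened_send, forged_post()),
        ("hardened_wrong_session", hardened_send, wrong_session_post()),
        ("hardened_legit", hardened_send, legitimate_post()),
    ]:
        reset_balances()
        resp = handler(req)
        out[name] = (resp.status, round(BALANCES["alice"], 8))
    return out


if __name__ == "__main__":
    for name, (status, alice) in run_scenarios().items():
        print(f"{name:24s} status={status} alice={alice}")
```

Only the first scenario moves money. A random per-session token stored server-side works just as well as the HMAC form; what matters is that the value is unguessable, tied to the session, and sent in the POST body rather than the URL so it does not leak through Referer headers or logs. Browser-side defences that did not exist in 2011, the SameSite cookie attribute and checking the Origin header, are worth adding on top today but do not replace the token.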

lemonginger (Full Member), June 20, 2011, 03:34:21 PM, post #20

why was this moved to offtopic?

Security seems to be about the most on topic discussion of all for bitcoin this week