Bitcoin Forum
March 28, 2024, 11:26:13 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Please, protect against CSRF  (Read 4271 times)
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 16, 2011, 08:03:57 PM
 #1

A lot of sites I've seen (Bitcoin7, Witcoin) are very vulnerable to CSRF attacks.

Use a token! Use a token!
1711625173
Hero Member
*
Offline Offline

Posts: 1711625173

View Profile Personal Message (Offline)

Ignore
1711625173
Reply with quote  #2

1711625173
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 16, 2011, 08:11:57 PM
 #2

And use https://www.owasp.org/index.php/PHP_CSRF_Guard!
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1022

No Maps for These Territories


View Profile
June 16, 2011, 08:21:00 PM
 #3

Shouldn't this be in "Development"

I fully agree, though.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 16, 2011, 08:21:48 PM
 #4

Shouldn't this be in "Development"

I fully agree, though.


That's more of the bitcoin client itself.
genjix
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
June 17, 2011, 01:10:20 AM
 #5

phantomcircuit added this to Britcoin already a few days ago,
https://gitorious.org/intersango/intersango/blobs/master/www/index.php

Smiley
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 17, 2011, 01:25:29 AM
 #6

phantomcircuit added this to Britcoin already a few days ago,
https://gitorious.org/intersango/intersango/blobs/master/www/index.php

Smiley

Congrats.
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 18, 2011, 03:54:43 AM
 #7

bitlockers.com and mtgox.com also vulnerable
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 18, 2011, 04:15:16 AM
 #8

https://bitoption.org/sendBTC?btc=0.1&address=1KNdGiKu8JwGSyn2R6gQ9yY9KcLJxCGXjB

Yes, bitoption.org is not just vulnerable, but they need to learn what a POST request is...

Heck, I could put that as a forum image and you /already would have been hacked./
bitoption
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile WWW
June 18, 2011, 04:52:45 AM
 #9

I've just cleared my schedule for a few hours.
lemonginger
Full Member
***
Offline Offline

Activity: 210
Merit: 100


firstbits: 121vnq


View Profile
June 18, 2011, 05:28:29 AM
 #10

WTF?

There should be a bitcoin site code auditor team put together stat. Trusted coders with experience coding financial software that can give an voluntary "seal of approval". Too many people trying to get rich quick jumping in the game too quick with some basic errors.
bitoption
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile WWW
June 18, 2011, 05:44:15 AM
 #11

Cuddlefish, thanks for the heads up. I'm implementing fixes right now.

As an aside, we got to it early; there is an attempted exploit out in the wild for bitoption right now, but it was unsuccesful.
bitoption
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile WWW
June 18, 2011, 05:53:01 AM
 #12

p.s. try the link.
bitoption
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile WWW
June 18, 2011, 09:44:48 AM
 #13

OK, we are now requiring posts and using server-generated xsrf tokens for all form submission, html or ajax.

My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 18, 2011, 05:53:36 PM
 #14

OK, we are now requiring posts and using server-generated xsrf tokens for all form submission, html or ajax.

My API developers are going to hate me for a little while, except that they are able to keep all their money, so that should help mollify them. Thanks for notifying me cuddlefish, much appreciated.


Perhaps a getToken api call that returns a CSRF token?
randomguy7
Hero Member
*****
Offline Offline

Activity: 527
Merit: 500


View Profile
June 18, 2011, 06:07:51 PM
 #15

https://www.owasp.org/index.php/ESAPI
bitoption
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile WWW
June 18, 2011, 07:13:01 PM
 #16

Re: API, yes, that's a possibility. The other option is that API devs pull the data from the cookie directly; re: ESAPI, thanks, I'll check it out.
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 18, 2011, 09:09:48 PM
 #17

http://forum.bitcoin.org/index.php?topic=19096.msg239696#msg239696 NoFeeMining.com: CSRFable.
nrd525
Legendary
*
Offline Offline

Activity: 1867
Merit: 1023


View Profile
June 20, 2011, 06:17:47 AM
 #18

Are sessions a safer way to go than cookies?

I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.

Digital Gold for Gamblers and True Believers
cuddlefish (OP)
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250


View Profile
June 20, 2011, 06:23:40 AM
 #19

Are sessions a safer way to go than cookies?

I develop php software (fortunately our users don't have money linked to their accounts) and I use sessions to track whether they are logged in.
Irrelevant. The only effective way is:
GETs for anything that doesn't issue a INSERT, DELETE, or UPDATE.
POSTs for stuff that does, and require a CSRF token.
lemonginger
Full Member
***
Offline Offline

Activity: 210
Merit: 100


firstbits: 121vnq


View Profile
June 20, 2011, 03:34:21 PM
 #20

why was this moved to offtopic?

Security seems to be about the most on topic discussion of all for bitcoin this week
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!