Reputation: 3297
CSRF risk in Ajax
I'm using Symfony2 and protecting my forms with a CSRF token.
I have a comments system based on Ajax calls. If a user wants to edit his comment, here's what's happening:
- A user hits the edit button.
- A "fresh" comment edit form is loaded via ajax.
- The user edit and submit the form via ajax.
- The edited comment is sent back in response.
Is loading the "fresh" edit form via ajax a security risk?
If the form were already in the loaded page and couldn't be requested via ajax, an attacker could not guess the CSRF Token, but since he can request the form he can get his hands on the Token..
Couldn't he..?
Maybe an example will make it clearer:
Dave is an innocent registered user in my site (www.acme.com).
Dave logged in my site and then visited www.evil.com. He doesn't know that, but when he visited evil.com a script was executed.
The script sent an ajax request to www.acme.com/comments/123/edit and got the edit form in response.
It then filled in that form with it's malicious content and submitted that form (again, with ajax).
Will evil's evil plan work?
Upvotes: 3
Views: 448
Answers (1)
Reputation: 4860
As far as i understand, there is no risk if your form contains CSRF token field. Default Symfony2 CSRF token depends on session which is not availiable for the attacker (and also on intention). So when the attacker requests the form there is attacker's (not user's) session id used.
Upvotes: 2
Related Questions
- Symfony CSRF and Ajax
- CSRF protection in a Rest API
- Disable symfony 2 csrf token protection on ajax submit
- CSRF and RESTful API (symfony2, php)
- How to add CSRF protection to AJAX call on Symfony3?
- Symfony 3, "ajax request" with fetch API, and CSRF
- CSRF protection with Symfony
- CSRF validation needed or not when using RESTful API?
- Symfony2 Form with CSRF passed through JQuery AJAX
- CSRF attack detected when submitting data using ajax