On Jul 2, 2014, at 7:29, Torsten Irländer <[email protected]> wrote:
> Hi,
>
> I need to protect some of my GET requests in the application against CSRF
> attacks.
> AFAIKS many (if not all) resources writing about CSRF protection say that
> this usually only needs to be done for POST requests which will change data
> or the state of the application. However I feel the need to protect some GET
> requests because they return sensitive information which must be prevented
> because of e.g. data privacy. I think I need to provide the token within the
> GET parameters of the request. I am using per request CSRF-Tokens, so the
> issue of disclosure of the tokens in the URL as described on OWASP [0] should be
> not a big deal.

The reason you use CSRF tokens is to protect a web form from being submitted from a 3rd party site, and thus invalid data being inserted into your site. Since JavaScript can make POST requests, this is generally a good idea to stop a web spammer from spamming your site with invalid data or spam.

GET requests are (SHOULD be) idempotent and don’t allow an attacker to insert data into your site, nor modify data. Even if you were to use CSRF tokens, it wouldn’t add any extra protection to your site. You should be checking permission for the currently logged-in user, setting appropriate cache values and everything along those lines before you return the page to the user; if the user doesn’t have access because of permissions, don’t display the data.

> Now I am thinking about the best way to do this in pyramid.
>
> Currently I am thinking about implementing the following simple idea:
>
> 1. Write a wrapper method for the various "route" methods in pyramid.request
> which adds the current csrf token to the GET parameters.
> 2. Check the token by providing the check_csrf parameter to the add_view
> method.
>
> Do you think this is a good approach, or what would be your advice?

I don’t think adding CSRF tokens to a GET request makes sense from a security standpoint.

> While writing this I am wondering if it would be possible (maybe it already
> is, I have not tried it) for the route methods to automatically add
> the current csrf token to the URL in case the related view has set the
> check_csrf parameter.
>
> [0]
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
>
> Torsten

Bert JW Regeer
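The split the reply describes, worked through as an added example that is not part of the thread and not Pyramid code: a GET view that returns sensitive data is guarded by a login and permission check plus a `Cache-Control: no-store` header, while the state-changing POST view is the one that verifies the session-bound CSRF token (the role Pyramid's `check_csrf` option on `add_view` plays). The `Session`, `Request`, `Response`, `RECORDS` store and `dispatch` router are assumptions standing in for a real framework; the record data is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, bound to the session, not in a URL."""
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    session: Session
    params: Dict[str, str] = field(default_factory=dict)   # query string or form fields
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: each record has an owner (a hypothetical, minimal ACL).
RECORDS: Dict[str, Dict[str, str]] = {
    "42": {"owner": "alice", "data": "alice's private notes"},
}


def has_permission(request: Request, record_id: str) -> bool:
    """Authorization check: only the record's owner may read or change it."""
    rec = RECORDS.get(record_id)
    return rec is not None and rec["owner"] == request.session.user


def check_csrf_token(request: Request) -> bool:
    """Compare the submitted token with the session token in constant time."""
    supplied = request.params.get("csrf_token") or request.headers.get("X-CSRF-Token")
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode(), request.session.csrf_token.encode())


def view_record(request: Request) -> Response:
    """GET view returning sensitive data.

    What protects the data is the login and permission check, not a CSRF token: a
    cross-site GET cannot read the response back, so a token check adds nothing,
    while marking the response non-cacheable keeps shared caches from serving it.
    """
    if request.session.user is None:
        return Response(401, "login required")
    record_id = request.params.get("id", "")
    if not has_permission(request, record_id):
        return Response(403, "forbidden")
    return Response(200, RECORDS[record_id]["data"],
                    headers={"Cache-Control": "no-store, private"})


def update_record(request: Request) -> Response:
    """POST view that changes state: the CSRF check belongs here, on top of the
    same permission check as the read path."""
    if request.method != "POST":
        return Response(405, "method not allowed")
    if not check_csrf_token(request):
        return Response(400, "missing or invalid CSRF token")
    record_id = request.params.get("id", "")
    if request.session.user is None or not has_permission(request, record_id):
        return Response(403, "forbidden")
    RECORDS[record_id]["data"] = request.params.get("data", "")
    return Response(200, "updated")


# Minimal router standing in for the framework's view lookup (assumption, not Pyramid).
ROUTES = {"/record": view_record, "/record/update": update_record}


def dispatch(request: Request) -> Response:
    view = ROUTES.get(request.path)
    if view is None:
        return Response(404, "not found")
    return view(request)


if __name__ == "__main__":
    alice = Session(user="alice")
    print(dispatch(Request("GET", "/record", alice, {"id": "42"})).status)               # 200
    print(dispatch(Request("GET", "/record", Session(user="bob"), {"id": "42"})).status)  # 403
    print(dispatch(Request("POST", "/record/update", alice, {"id": "42", "data": "x"})).status)  # 400
```

Note that the anonymous and wrong-user GETs are refused by authorization alone, and that the POST without a token is refused before any permission lookup, which is the order a framework-level CSRF check such as `check_csrf` would impose.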
