CSRF Slides

Jeremiah Grossman posted some good slides about the issue of Cross-Site Request Forgeries (CSRF).  We tackled this security issue in WordPress two years ago.  I wrote an article about the issue that still holds true (plugin authors should definitely give it a read if any of this sounds unfamiliar).  Our method is the token method, with fallback to a slightly modified version of the Are You Sure? method for plugins that haven’t properly implemented the token method.  It was a large effort to implement it, but it has paid off handsomely.  CSRF is largely a non-issue in WordPress, which means we can focus our efforts on XSS and SQL injection vectors.
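As an added illustration (not code from the original post or from WordPress itself), the token method with the Are You Sure? fallback modelled in Python: a keyed hash binds the token to a time window, the action and the user, and a state-changing request that arrives without a valid token is not performed but answered with a confirmation form carrying a freshly issued token. The secret, the tick length and the `delete-post` action name are assumptions for the example.

```python
import hmac
import hashlib

# Constructed secret for this example; a real site uses its own secret key.
SECRET = b"constructed-site-secret-for-this-example"
TICK_SECONDS = 12 * 3600  # assumed token window: one tick is half a day


def nonce_tick(now: float) -> int:
    """Coarse time bucket so a token is valid for a window, not forever."""
    return int(now // TICK_SECONDS)


def make_nonce(action: str, user_id: int, now: float, tick_offset: int = 0) -> str:
    """Keyed hash binding the token to (time window, action, user)."""
    tick = nonce_tick(now) - tick_offset
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, action: str, user_id: int, now: float) -> int:
    """Return 1 for the current tick, 2 for the previous tick, 0 if invalid.
    Accepting the previous tick keeps a form that was opened just before the
    window rolled over from failing; comparison is constant-time."""
    for offset, result in ((0, 1), (1, 2)):
        expected = make_nonce(action, user_id, now, offset)
        if hmac.compare_digest(expected, nonce):
            return result
    return 0


def handle_delete_post(form: dict, user_id: int, now: float) -> dict:
    """Controller for a state-changing request (hypothetical delete action).
    Token method first; when the token is missing or invalid, fall back to
    the Are You Sure? method: do not act, return a confirmation form that
    carries a fresh token bound to this user and action."""
    post_id = form.get("post_id")
    action = f"delete-post_{post_id}"
    if verify_nonce(form.get("_nonce", ""), action, user_id, now):
        return {"status": "deleted", "post_id": post_id}
    return {
        "status": "confirm",
        "message": "Are you sure you want to do this?",
        "form": {"post_id": post_id, "_nonce": make_nonce(action, user_id, now)},
    }
```

A forged cross-site request cannot carry a valid token for the victim's user id and the targeted action, so it only ever reaches the confirmation branch.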

5 thoughts on “CSRF Slides”

  1. Dude, you pretty much already solve the XSS with KSES or HTML Purifier, and SQL Injection is almost solved with the prepare emulator function.

    Nothing is 100%, but okay, it would be difficult for most to hack WordPress.

  2. Mark, sent.

    Jacob, in theory, yes. But with CSRF there was a concerted effort to “nonce” all the forms. There are many more SQL injection and XSS “points of attack” than there are forms to attack with CSRF, and all it takes is missing one. I’m hoping the prepare stuff will help, but it hasn’t yet been fully implemented (getting there for 2.6, though!). We also need to have more eyes on new code, checking it to make sure it’s using our security/escaping/sanitization functions.
