|
| 1 | +--- |
| 2 | +title: Protecting against Cross-Site Request Forgery (CSRF) attack |
| 3 | +description: Handling Cross-Site Request Forgery (CSRF) issue in Fano Framework |
| 4 | +--- |
| 5 | + |
| 6 | +<h1 class="major">Cross-Site Request Forgery (CSRF)</h1> |
| 7 | + |
| 8 | +## What is CSRF? |
| 9 | + |
| 10 | +According to [OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) |
| 11 | + |
| 12 | +> Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. |
| 13 | +
|
| 14 | +## Protecting against CSRF with middleware |
| 15 | + |
| 16 | +Fano Framework provides built-in middleware class `TCsrfMiddleware` which is to simplify task for protecting against CSRF attack. Read [Middlewares](/middlewares) for more information about working with middlewares. |
| 17 | + |
| 18 | +Constructor of `TCsrfMiddleware` expects `ISessionManager` interface instance which responsible to maintain CSRF token between request, `ICsrf` instance wchich responsible to generate CSRF token and also check token in request against stored token. |
| 19 | + |
| 20 | +## Register global middleware list |
| 21 | + |
| 22 | +``` |
| 23 | +container.add('globalMiddlewares', TMiddlewareListFactory.create()); |
| 24 | +globalMiddlewares := container.get('globalMiddlewares') as IMiddlewareList; |
| 25 | +``` |
| 26 | + |
| 27 | +## Register CSRF middleware with container |
| 28 | + |
| 29 | +Fano Framework has `TCsrfMiddlewareFactory` class which allows you to register `TCsrfMiddleware` service container. |
| 30 | + |
| 31 | +``` |
| 32 | +container.add( |
| 33 | + 'verifyCsrfToken', |
| 34 | + TCsrfMiddlewareFactory.create() |
| 35 | +); |
| 36 | +``` |
| 37 | + |
| 38 | +## Register dispatcher with support middleware |
| 39 | + |
| 40 | +We need to use dispatcher class which support middlewares and sessions. |
| 41 | + |
| 42 | +``` |
| 43 | +container.add( |
| 44 | + GuidToString(IDispatcher), |
| 45 | + TSessionDispatcherFactory.create( |
| 46 | + globalMiddlewares as IMiddlewareLinkList, |
| 47 | + container.get(GuidToString(IRouteMatcher)) as IRouteMatcher, |
| 48 | + TRequestResponseFactory.create(), |
| 49 | + container.get(GuidToString(ISessionManager)) as ISessionManager, |
| 50 | + (TCookieFactory.create()).domain(config.getString('cookie.domain')), |
| 51 | + config.getInt('cookie.maxAge') |
| 52 | + ) |
| 53 | +); |
| 54 | +``` |
| 55 | + |
| 56 | +## Attach CSRF middleware to application middleware |
| 57 | + |
| 58 | +Attach CSRF middleware instance to application middleware collection to ensure |
| 59 | +CSRF middleware is executed for all application routes. |
| 60 | + |
| 61 | +``` |
| 62 | +globalMiddlewares.add(container.get('verifyCsrfToken') as IMiddleware) |
| 63 | +``` |
| 64 | + |
| 65 | +## Get current CSRF token |
| 66 | + |
| 67 | +When you attach `TCsrfMiddleware` middleware to application middleware list, everytime request is coming, new random token and name can be read from currnt session variable. |
| 68 | + |
| 69 | +``` |
| 70 | +function THomeController.handleRequest( |
| 71 | + const request : IRequest; |
| 72 | + const response : IResponse; |
| 73 | + const args : IRouteArgsReader |
| 74 | +) : IResponse; |
| 75 | +var sess : ISession; |
| 76 | +begin |
| 77 | + sess := fSessionManager.getSession(request); |
| 78 | + viewParams.setVar('csrfName', sess.getVar('csrf_name')); |
| 79 | + viewParams.setVar('csrfToken', sess.getVar('csrf_token')); |
| 80 | + result := inherited handleRequest(request, response, args); |
| 81 | +end; |
| 82 | +``` |
| 83 | + |
| 84 | +By default, name and token field is `csrf_name` and `csrf_token` respectively. When you build your HTML form, you need to ensure correct name is used, |
| 85 | + |
| 86 | +``` |
| 87 | +<form method="post" action="/"> |
| 88 | + <input type="hidden" name="csrf_name" value="{{csrfName}}"> |
| 89 | + <input type="hidden" name="csrf_token" value="{{csrfToken}}"> |
| 90 | +... |
| 91 | +</form> |
| 92 | +``` |
| 93 | + |
| 94 | +## Configure CSRF settings |
| 95 | + |
| 96 | +`TCsrfMiddlewareFactory` class provides several methods to help configure CSRF |
| 97 | +settings. |
| 98 | + |
| 99 | +### Change name and token field |
| 100 | + |
| 101 | +To change name and token field |
| 102 | + |
| 103 | +``` |
| 104 | +var factory : IDependencyFactory; |
| 105 | +... |
| 106 | +factory := TCsrfMiddlewareFactory.create() |
| 107 | + .nameField('my_cool_name') |
| 108 | + .tokenField('my_cool_token'); |
| 109 | +``` |
| 110 | +You need to ensure correct name is used in HTML form. |
| 111 | +``` |
| 112 | +<form method="post" action="/"> |
| 113 | + <input type="hidden" name="my_cool_name" value="{{csrfName}}"> |
| 114 | + <input type="hidden" name="my_cool_token" value="{{csrfToken}}"> |
| 115 | +... |
| 116 | +</form> |
| 117 | +``` |
| 118 | + |
| 119 | +## Explore more |
| 120 | + |
| 121 | +- [Middlewares](/middlewares) |
| 122 | +- [Dispatcher](/dispatcher) |
| 123 | +- [Fano Csrf example application](https://github.com/fanoframework/fano-csrf) |
| 124 | + |
| 125 | +<ul class="actions"> |
| 126 | + <li><a href="/documentation" class="button">Documentation</a></li> |
| 127 | +</ul> |
0 commit comments