Cross-Site Request Forgery (CSRF)

Overview

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like adding new users, changing their email address, and so forth. If the victim is part of a "Super Admin" user group, CSRF can compromise the entire web application.

How to prevent

Use generateFormToken($form_id) to render a hidden input tag carrying the CSRF token for the form identified by the form_id argument.

Always call enforcePostRequest($ajax) when processing state-changing operations. The most common usage is enforcePostRequest(getval("ajax", false)).

Add CSRF tokens to forms until CSRF validation no longer fails. Add enforcePostRequest() wherever it is needed and double-check that the protection works by attempting the same request with the GET method.

For AJAX requests, use echo generateAjaxToken($form_id); inside your POST data. This adds an "identifier: value" JSON pair. IMPORTANT: always place generateAjaxToken() at the end of the POST data with no comma after it, because the function returns an empty string when CSRF protection is disabled on a system, and a comma following that empty entry would leave the data object with invalid syntax.

If the token is ever needed in a pure JS file, take the identifier from the $CSRF_token_identifier configuration option and generate the token with generateCSRFToken().
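The steps above wired together on one page, as an added illustration that is not taken from the project's source. The helper names and the enforcePostRequest(getval("ajax", false)) pattern are the ones this guide gives; the include path, page URLs, the form id "edit_user" and the $baseurl variable are assumptions.

```php
<?php
// Added example (not project code). Assumed: include path, page URLs,
// form id "edit_user" and $baseurl. CSRF helper names are those of this guide.
include "../include/db.php";

// 1. Before any state change: reject anything that is not a POST carrying a
//    valid token. getval("ajax", false) tells the check whether to respond
//    as an AJAX call or as a normal page.
enforcePostRequest(getval("ajax", false));

if (getval("save", "") != "") {
    // Safe to act: enforcePostRequest() already validated the token.
    // ...update the user record here...
}
?>

<!-- 2. Classic HTML form: generateFormToken() renders the hidden token input
        for the given form id, so the token is submitted with the fields. -->
<form method="post" action="<?php echo $baseurl; ?>/pages/user/edit.php">
    <?php generateFormToken("edit_user"); ?>
    <input type="email" name="email">
    <input type="submit" name="save" value="Save">
</form>

<script>
// 3. AJAX variant: generateAjaxToken() emits the "identifier: value" pair.
//    It stays LAST in the data object with no comma after it: when CSRF is
//    disabled it returns an empty string, and "email: ..., , }" (two
//    consecutive commas) would be a JavaScript syntax error.
jQuery.post("<?php echo $baseurl; ?>/pages/ajax/user_edit.php", {
    ajax: true,
    email: jQuery("input[name=email]").val(),
    <?php echo generateAjaxToken("edit_user"); ?>
});
</script>
```

Both the form and the AJAX call post to pages that open with the same enforcePostRequest() line, so a forged GET or a POST without the matching token is refused before any update runs.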