Anti-CSRF token on homepage only

    #42415
    Phil
    Participant

    Hi, we have BPS Pro installed to address a security scan that found we had no anti-CSRF token.

    Now that BPS Pro is running, the scan has been re-run and identified the anti-CSRF token on the homepage only.

    Please could you point me to info to ensure the token is included on ALL pages & posts?

    Many thanks,

    Phil.

    #42417
    AITpro Admin
    Keymaster

    I would need more information to be able to help.  What are you using for your Anti CSRF Token protection?  Are you using CORS?  You cannot use CORS with Anti CSRF Tokens.  WordPress uses Nonces for CSRF protection.  If you want to protect forms (contact, etc.) you can use Google reCaptcha for your forms. It will protect your forms against CSRF attacks and also protects you from spam bots.

    #42418
    Phil
    Participant

    Thanks for your quick response.  BPS was recommended by WPEngine to address the absence of anti-CSRF tokens.  My understanding was that anti-CSRF protection is a default capability of BPS so no additional configuration was carried out.  Just installed and hit “go”!

    CORS setup was also criticised in the security review.  We addressed this by adding the XSS header in WPEngine.

    All forms have reCaptcha setup on them.

    But there are pages without forms showing up as having no anti-CSRF token.

    Thanks,

    Phil.

    #42419
    AITpro Admin
    Keymaster

    Either I am missing something here or misunderstanding the use of this phrase “Anti CSRF Tokens”.  From my understanding you ONLY need Anti CSRF Tokens for Forms and nothing else. BPS does offer CSRF attack protection, but does not add or interfere with any existing forms that belong to other plugins, such as Contact Forms or other Forms.  If all of your Forms are already protected then you are good to go. The BPS htaccess code does block malicious GET scripts that are targeted at any website page, not just Forms.

    Note:  If you are using some 3rd party online security analysis tool it will see that your home page has Anti CSRF Token protection if you are using Google reCaptcha even if you do not have any Forms on your home page.  If you have Google reCaptcha on your Contact Form page then if you test your Contact page you should see that it has Anti CSRF Token protection.

    #42422
    Phil
    Participant

    Thanks very much for that update.  I’ll forward your note to the team that did the security scan and we’ll see what response that provokes.  I’ll be back in touch to close the thread.

    Thanks again,

    Phil.

    #42423
    AITpro Admin
    Keymaster

    https://en.wikipedia.org/wiki/Cross-site_request_forgery

    Limitations

    Several things have to happen for cross-site request forgery to succeed:

    1. The attacker must target either a site that doesn’t check the referrer header or a victim with a browser or plugin that allows referer spoofing.[22]

    2. The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim’s e-mail address or password).

    3. The attacker must determine the right values for all the forms or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can’t guess, the attack will most likely fail (unless the attacker is extremely lucky in their guess).

    4. The attacker must lure the victim to a web page with malicious code while the victim is logged into the target site.

    There are other JavaScript, Cookie and Header exploit methods, but they require exploiting flawed code and are very difficult to pull off. So the most common attack vector is exploiting website Forms.
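As an added illustration of the point made in this thread (example code, not from BPS Pro, WPEngine or any poster): in WordPress the anti-CSRF token is a nonce emitted inside the form and verified by the handler that performs the state change, so a read-only page with no form has no token to show and a scanner will not find one there. The plugin name, action name, field name and option key are assumed for the example.

```php
<?php
/*
 * Plugin Name: Example Nonce-Protected Form (illustrative only)
 * Assumed names: action "example_save_note", nonce field "example_nonce",
 * option "example_note". Drop into wp-content/plugins/ to try it out.
 */

// Render the form. wp_nonce_field() emits the hidden anti-CSRF token tied to
// the action and to the current user's session; this is the only place on
// the site where a scanner would (correctly) see a CSRF token.
function example_render_form() {
    $out  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $out .= '<input type="hidden" name="action" value="example_save_note">';
    $out .= wp_nonce_field( 'example_save_note', 'example_nonce', true, false );
    $out .= '<input type="text" name="note" value="' . esc_attr( get_option( 'example_note', '' ) ) . '">';
    $out .= '<button type="submit">Save</button></form>';
    return $out;
}
add_shortcode( 'example_note_form', 'example_render_form' );

// Handle the POST. The option is only updated after the nonce verifies; a
// cross-site forged request cannot supply a valid nonce and is refused here.
function example_handle_save() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required.', 'Forbidden', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_note' ) ) {
        // Missing, forged or expired token: log it for the site owner and stop.
        error_log( 'example: nonce check failed for user ' . get_current_user_id() );
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'example_note', $note );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
    exit;
}
// Only logged-in users reach this hook; no admin_post_nopriv_ handler is registered.
add_action( 'admin_post_example_save_note', 'example_handle_save' );
```

Placing the `[example_note_form]` shortcode on one page puts the token on that page only; every other page legitimately reports no token because it performs no state change.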
