CSRF Protection

BulletProof Security Free forum

    #14877
    Darwin
    Participant

    After submitting my website to a vulnerability scanning service, they came back and said that we have a “HTML form without CSRF protection.” After doing a little research a few websites mentioned using BPS, however I have not seen anything mentioned about CSRF on any support forms. The only mention of CSRF is in the plugin description. How do I know if CSRF protection is enabled? Do I have to sort of activate it by adding custom code? Any help on how to enable CSRF protection within the plugin would be very helpful. Thank you.

    #14878
    AITpro Admin
    Keymaster

    CSRF protection is included in the standard BPS .htaccess code/files and WordPress itself.  Is the HTML form outside of WordPress?  Is it part of another website? WordPress has these Form checking conditions available that should be used in all plugins and theme Forms:

    if (isset($_POST['blah']) && current_user_can('manage_options')) {
        check_admin_referer( 'blah' ); // dies if the nonce/referer check fails
        // ... process the submitted Form here
    }
    
    and then in the Form a nonce is used to check the Referer:  wp_nonce_field('blah');
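
    A complete version of that pattern, as an added example rather than code from the post or from BPS: a settings form that embeds a nonce with wp_nonce_field() and a handler that verifies it with check_admin_referer() before saving. The 'myplugin_*' option name, action string and menu registration are assumed names used only for illustration.

```php
<?php
// Added example (not from the post or from BPS): a minimal WordPress
// settings form protected by a nonce. All 'myplugin_*' names are assumed.

add_action( 'admin_menu', function () {
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options',
        'myplugin', 'myplugin_settings_page' );
} );

function myplugin_settings_page() {
    // Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['myplugin_save'] ) ) {
        // Stops execution if the nonce field is missing, expired, or was
        // issued for a different action or user, so a cross-site POST
        // never reaches update_option().
        check_admin_referer( 'myplugin_save_settings' );

        $value = sanitize_text_field( wp_unslash( $_POST['myplugin_greeting'] ?? '' ) );
        update_option( 'myplugin_greeting', $value );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $current = get_option( 'myplugin_greeting', '' );
    ?>
    <div class="wrap">
      <h1>My Plugin</h1>
      <form method="post" action="">
        <?php
        // Emits a hidden _wpnonce field bound to this action and the current
        // user, plus a hidden _wp_http_referer field.
        wp_nonce_field( 'myplugin_save_settings' );
        ?>
        <label>Greeting
          <input type="text" name="myplugin_greeting"
                 value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'myplugin_save' ); ?>
      </form>
    </div>
    <?php
}
```

    For a public-facing form where a hard stop is not wanted, wp_verify_nonce( $_POST['_wpnonce'], 'myplugin_save_settings' ) performs the same check but returns false instead of calling wp_die().
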
    #14879
    Darwin
    Participant

    Thank you AITpro_Admin for the quick response. No the form we are using is Contact Form 7, a WordPress plugin.

    Where would I put the code you just gave me? Within the page the form is on itself?

    #14880
    AITpro Admin
    Keymaster

    I doubt very seriously that Contact Form 7 has a CSRF vulnerability (give that about a 1 in 10,000 chance).  What is much more likely is the vulnerability scanner is wrong (give that about a 98% chance).  Scanners have a high failure/false flag ratio.  What you should do is use 2 other scanners that have the capability to check for CSRF vulnerabilities or just assume the scanner is wrong because it is wrong.

    #14881
    Darwin
    Participant

    Thank you very much for your help. I can’t believe you guys responded so fast. Thank you again!
