Admin Tools

Wednesday, 14 February 2018 11:03 CST

56kagency

Hi, i see a problem with CSRFShield.

Admin tool has these 3 options:

- Turns off this feature.
- Basic. Performs basic referer filtering. If the browser of the visitor reports that the previous page was not one belonging to your site, Admin Tools will block processing of the form.
- Advanced. On top of the basic protection, Admin Tools will automatically inject a hidden field on all forms.

I think is missing an option that let us to protect forms with a honeypot (hidden field) if referer is a different location other than site.

This is the case of all landing page and lead generation forms.

Users come from SERP or from ADS or from others sites, with basic filtering form can't be sent and a spammer that navigate some pages, can fill the form without any problem.

Instead is needed an hidden field without the referer filtering.

Thanks a lot.

Simone

Wednesday, 14 February 2018 20:26 CST

nicholas

The HTTP Referer header can be spoofed. Therefore that option would be as good as "None" for all intents and purposes.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 15 February 2018 03:02 CST

56kagency

Probably I did not write well.
Since the referer can be falsified (and therefore it is not interesting to filter it) an option would be needed with only the generation of the hidden field. So every spammer who compiles the honeypot is blocked.

But in this case, users who come from different domains or odd pages are not blocked in any way.

I'll give you a precise example:
I do a search on Google,
I click on the result,
I access that page,
I do not surf on any other page,
I see a form in a popup and I fill it out.

The form is not sent because Admin Tools, seeing a different referer compared to the domain, believes I am a spammer.
Even if I did not fill in the hidden field. I call it "false positive".

This causes many conversions to be lost to a lead generation site, so a lot of money lost for our customers.

Instead, if there were only the hidden fields, the user would send the form correctly.

Spammers, on the other hand, tend to easily compile hidden fields, so they can be blocked even without checking their referer.

But if is not possibile to do or i'm missing something, is not a problem, there are many scripts that only add a honeypot to the form without checking referer. I have simply to turn off the CSRFShield.

Mine is only an enhancement request to give a more precise features, functional to many current websites.

Thanks a lot
Simone

Thursday, 15 February 2018 04:25 CST

nicholas

The form is not sent because Admin Tools, seeing a different referer compared to the domain, believes I am a spammer.

IMPORTANT!!!!!!!! YOU ARE MAKING FALSE ASSUMPTIONS BECAUSE YOU HAVE NOT READ THE DOCUMENTATION.

ADMIN TOOLS NEVER CHECKS THE REFERER HEADER BECAUSE THIS HEADER CAN BE SPOOFED. I already told you that.

Even if I did not fill in the hidden field. I call it "false positive".

No. It's not what happened and it's NOT a false positive. You have no idea what CSRF is and how CSRFShield protects you EVEN THOUGH I have explained that in the documentation.

Submitting a form MUST ALWAYS CONTAIN THE ANTI-CSRF TOKEN. This is non-negotiable. If you allow forms on your site to be submitted WITHOUT the anti-CSRF token you allow cross site request forgery to take place on your site.

So how do you prevent these CSRF attacks? By injecting the anti-CSRF token in all of the forms and checking for its presence in POST requests, i.e. the Basic mode of CSRFShield. This protects you because the anti-CSRF token is stored in your session and changes on every page load.

So why do you need the advanced mode? Because a more advanced adversary's bot could first do a GET to read the CSRF token and then POST the form - having the same cURL cookie jar in both requests. These bots try to fuzz the contents of all of the fields in a form which is why we have the honeypot field. Once you access it you are telling us that you're a bot which tries to fuzz forms for detecting vulnerable code.

What you call "false positive" is a positive, all right, BUT NOT FALSE. It's a 100% true positive. This is what you asked Admin Tools to do and that's exactly what it does: no CSRF token is present, therefore something is wrong.

It's quite obvious that you want people to be able to fill a form hosted on a random site and submit it on your site without a problem. The only way to do it is setting CSRFShield to None and also be aware that what you are doing is incredibly dangerous from a security perspective. You should NEVER, EVER let forms hosted on random domains post to your site. All of your forms MUST be generated from server side code on your server, include an anti-CSRF token and submitted to server side code which checks the validity of that token.

I reject your feature request because it would give a false sense of security while doing nothing at all. I would much rather be honest and call it the "None" option instead.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support

#29213 CSRFShield lacks an option: hidden field without referer filtering

This is a public ticket

Environment Information

Wednesday, 14 February 2018 11:03 CST

Wednesday, 14 February 2018 20:26 CST

Thursday, 15 February 2018 03:02 CST

Thursday, 15 February 2018 04:25 CST

Please wait

Support Information