CSRF, or Cross-Site Request Forgery, is basically a bad person tricking a good person's browser into performing actions on your website on the bad person's behalf. The browser automatically attaches the good person's cookies (including the session cookie) to any request sent to your site, no matter which page caused the request, and that is what the attack abuses.
Here is an example:
- Good user logs into your website and obtains a valid session.
- Bad user tricks Good user into following a link to a malicious site.
- The malicious site contains a form with falsified data which posts to your website. Since the request is sent from Good user's browser, complete with Good user's session cookie, your site thinks it originated from Good user.
- Your site then sees that Good user submitted a form and processes the action.
Let's put it into context:
- Good user is an administrator on your website. From the admin panel, Good user can add a user by filling out a form that looks like this:
<form action="/new_user.php" name="myform" method="POST">
<input type="text" name="new_username">
<input type="password" name="new_password">
<input type="Submit">
</form>
Good user follows a link to a malicious site, which contains the following HTML and JavaScript (note that the form points at your site's absolute URL, and the script submits it automatically as soon as the page loads):
<form action="http://www.yoursite.com/new_user.php" name="myform" method="POST">
<input type="hidden" name="new_username" value="MaliciousHax0r">
<input type="hidden" name="new_password" value="MaliciousPass">
</form>
<script type="text/javascript">
document.myform.submit();
</script>
Your application now receives the request, which was submitted by Good user's browser on Bad user's behalf. Since it originated from Good user, who happens to be logged into your website, all is well as far as your site can tell, and it processes the request.
Now keep in mind this is a simple example, and Good user would see the submit happen (the browser navigates to your site's response), which SHOULD raise a red flag. However, slightly more complex methods, such as submitting the same form into a hidden iframe or firing the request from JavaScript, would be silent/unknown to Good user. Bad user has now obtained an account on your system.
How to eliminate CSRF:
- The trick is to add a token to each form that has a random, unpredictable value which is generated for each request (or at least for each session) and stored server-side, tied to the user's session.
- When the form is submitted, your application checks to make sure the token is passed and matches the random one which was generated when the form was loaded. Any submission with a missing or wrong token is rejected before anything is processed.
The malicious site wouldn't have access to this token, because the browser's same-origin policy stops another site from reading the contents of your pages (and therefore the token embedded in your form). It wouldn't be able to provide that required piece, so the forged form submission would not be processed. The one caveat: if your site has a cross-site scripting (XSS) hole, the attacker's script runs inside your origin and can read the token, so CSRF tokens only help once XSS is also under control.
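The token scheme above, written out as a minimal plain-PHP version of the new_user.php handler. This is an added example, not code from the original answer and not CakePHP's own Security/Csrf component; it assumes PHP 7 or later, that session_start() runs before any output, and that the hidden field is named csrf_token (all of these are assumptions, not something the answer specifies).

```php
<?php
// Added example (not from the original answer, not CakePHP's implementation):
// a single-use synchronizer token for a plain PHP form handler such as the
// new_user.php endpoint described above. Assumes PHP >= 7 and that
// session_start() runs before any output is sent.
session_start();

// Generate a fresh random token, store it server-side in the session, and
// return it so the form can embed it. One token per rendered form.
function csrf_token(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// Verify a submitted token: it must exist, match the one stored for this
// session, and be consumed so it cannot be replayed. hash_equals() avoids
// leaking the token byte-by-byte through timing differences.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    unset($_SESSION['csrf_token']);            // single use
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged POST from another site arrives with the victim's session
    // cookie but without a valid csrf_token, so it stops here.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token; request rejected.');
    }
    // Only now is it safe to act on $_POST['new_username'] and
    // $_POST['new_password'] (user creation itself is out of scope here).
    echo 'User created.';
    exit;
}

// GET: render the admin form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="/new_user.php" name="myform" method="POST">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input type="text" name="new_username">
  <input type="password" name="new_password">
  <input type="Submit">
</form>
```

Two design points worth noting: the token is compared with hash_equals() rather than ==, and it is deleted from the session before the comparison so a captured token cannot be replayed. If you open the admin form in two tabs, the single-use rule means only the most recently rendered form will submit successfully; a per-session token avoids that at the cost of reusability, which is the trade-off frameworks such as CakePHP make for you.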
How to make other tools work without disabling CSRF protection in CakePHP:
I don't know. Check documentation for the CSRF protection, for CakePHP, and for the other addons.
Question whether or not using those addons is worth the loss in CSRF protection, and consider alternate solutions.
CSRF Resource:
https://www.fortify.com/vulncat/en/vulncat/javascript/csrf.html