
I have a question about csrf Cross-site Request Forgery Attacks in flask.

I found a good youtube video. Basically, in the video:

  • someone updated someone's email when logged in, through a login path/function that updates the email when logged in.
  • then someone updates the email when the csrf token isn't there and ends up inserting data using an HTML file.

In the video, they only show it is needed for logged-in routes.

Do I need it when I am not logged in? Also, do I need csrf protection for a get request? I assume not because nothing is being submitted.

Also, can I have an empty WTForms, and will the code below work?

Example of an empty form:

forms.py

from flask_wtf import FlaskForm

class EmptyForm(FlaskForm):
    pass  # no fields; FlaskForm still supplies the hidden csrf_token field

routes.py

from flask import request, render_template
from forms import EmptyForm

@app.route('/random_route')
def some_route_function():
    if request.method == 'GET':
        form = EmptyForm()
        return render_template('random_route.html', form=form)

random_route.html

<form validate="" id="random_route" method="GET">
    <!-- Make the secret key work -->
    {{ form.csrf_token }}
    <h1>Random message this is the only thing the form does.</h1>
</form>
I also have a layout.html which contains the html.
kihnihih

1 Answer


Cross site requests work like this: An attacker sends a malicious link to a user which then does stuff the user did not intend to do. An example:

Let's say you have a URL in your flask app that allows the user to update their email. The URL is https://mygreatapp.com/updatemail?email=mail@example.com.

Now I (the attacker) trick your user into clicking the following link: https://mygreatapp.com/updatemail?email=attacker@attacker.com. Since you are logged into your app, this will work and reset your email to the attacker's email, who can then request a password reset.

If you were using CSRF protection, the form/link requires an additional csrf token which is generated freshly each time the form is generated for a user.

So if your user wants to change their email, they request the emailChangeForm from you, and you send it to them with a randomly generated csrf token 'abcdefg'. Now when the user sends back the form, it has to contain not only the updated email address, but also the exact csrf token that you sent with it. If it doesn't, you know it wasn't the user who filled out that form.

Gasp0de
  • Follow-up questions. Do I need csrf protection for a GET request or when I am not logged in? How do hackers manage to insert the malicious link? In the video they just load the html into the code into the browser. I forgot to put 'or'; I put 'and' instead. I will just delete the comment above. – kihnihih Sep 20 '22 at 19:31
  • By insert I mean how do they guess the site you are on. – kihnihih Sep 20 '22 at 22:53
  • They can just host a form on their own website which is still programmed to send data to your site instead of theirs. This has to be a targeted attack for your site, so for a small hobby project it's unlikely you will ever be targeted by this but you should always practice best practices so that you won't make the mistake if you ever create a production website. For a GET request you don't need csrf protection, however if the information returned is private you may want to check authentication (e.g. login required). – Gasp0de Sep 21 '22 at 06:57
  • For forms that can be used without login, you also do not need csrf, since if someone wants to send you malicious data they (the attacker) can just go to your website and fill out the form themselves. You might want to use other forms of protection against malicious actors, such as a captcha to prevent bots from spamming your form. – Gasp0de Sep 21 '22 at 06:59
  • I also just wanted to add for anyone curious you can use the example of ```EmptyForm``` and the code will work. – kihnihih Sep 21 '22 at 21:39
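The following is an added worked example, not code from the question, the answer, or Flask-WTF. It simulates in plain Python (no web server, no Flask) the synchronizer-token mechanism the answer describes and the two points made in the comments: a GET endpoint needs no token because it changes nothing, and a form hosted on the attacker's site cannot carry a token it never received. `Session`, `vulnerable_updatemail`, `render_email_form`, `protected_updatemail` and `demo` are constructed names for this illustration. The real Flask-WTF implementation stores a raw token in the session and puts a signed copy in the form field; this simplified version stores and compares the raw token directly, which is enough to show why the cross-site submission fails.

```python
"""Synchronizer-token CSRF check, simulated without a web server (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Stand-in for the per-browser session Flask keeps in a signed cookie (constructed)."""
    user: Optional[str] = None
    csrf_token: Optional[str] = None


def vulnerable_updatemail(session: Session, params: Dict[str, str], emails: Dict[str, str]) -> Tuple[int, str]:
    """The design the answer warns about: a GET link that changes state.
    Any page the logged-in user visits can trigger it with a plain link."""
    if session.user is None:
        return 401, "login required"
    emails[session.user] = params["email"]
    return 200, "email updated"


def render_email_form(session: Session) -> Dict[str, str]:
    """Serve the change-email form: mint a fresh token, remember it in the
    session and embed it in the form (what {{ form.csrf_token }} does)."""
    session.csrf_token = secrets.token_urlsafe(32)
    return {"action": "/updatemail", "method": "POST", "csrf_token": session.csrf_token}


def protected_updatemail(session: Session, method: str, fields: Dict[str, str], emails: Dict[str, str]) -> Tuple[int, str]:
    """Hardened endpoint: GET only serves the form; POST must carry the session's token."""
    if method in SAFE_METHODS:
        return 200, "form served"          # no state change, so nothing to forge
    if session.user is None:
        return 401, "login required"
    expected = session.csrf_token or ""
    submitted = fields.get("csrf_token", "")
    # Constant-time compare so the check does not leak the token byte by byte.
    if not expected or not hmac.compare_digest(submitted, expected):
        return 400, "CSRF token missing or invalid"
    emails[session.user] = fields["email"]
    return 200, "email updated"


def demo() -> Dict[str, object]:
    """Walk through the scenarios from the answer and the comments; return the outcomes."""
    results: Dict[str, object] = {}

    # 1. GET-link design: the logged-in victim follows the attacker's link and
    #    the email changes, since no token is involved at all.
    emails = {"alice": "alice@example.com"}
    victim = Session(user="alice")
    vulnerable_updatemail(victim, {"email": "attacker@example.com"}, emails)
    results["get_link_changed_email"] = emails["alice"] == "attacker@example.com"

    # 2. Token-protected endpoint, legitimate flow: fetch the form (token
    #    minted into the session), then POST it back with that token.
    emails = {"alice": "alice@example.com"}
    victim = Session(user="alice")
    form = render_email_form(victim)
    status, _ = protected_updatemail(
        victim, "POST", {"email": "new@example.com", "csrf_token": form["csrf_token"]}, emails)
    results["legit_post"] = (status, emails["alice"])

    # 3. Form hosted on another site posting to /updatemail: the browser still
    #    attaches the victim's session, but the attacker's HTML has no token.
    status, _ = protected_updatemail(victim, "POST", {"email": "attacker@example.com"}, emails)
    results["cross_site_post"] = (status, emails["alice"])

    # 4. A made-up token does not match the session's 256-bit random one.
    fields = {"email": "attacker@example.com", "csrf_token": secrets.token_urlsafe(32)}
    status, _ = protected_updatemail(victim, "POST", fields, emails)
    results["wrong_token_post"] = (status, emails["alice"])

    # 5. GET on the protected endpoint is exempt, as the comments say: it
    #    serves the form and changes nothing, whatever the query string holds.
    status, _ = protected_updatemail(victim, "GET", {"email": "attacker@example.com"}, emails)
    results["get_exempt"] = (status, emails["alice"])

    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it directly to see each scenario's status code and the stored email afterwards. The token check is skipped for safe methods only because those handlers must not change state; the real fix for the GET-link design in scenario 1 is to move the email update to POST, where the token applies, rather than to add a token to a GET URL.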