    • 6506
    • 35 Posts
    I have a client who is extra security conscious and has asked that contact forms be removed until they are secure. One way to satisfy them would be to add a CSRF token but everything I have seen doesn't quite explain it properly and is in Russian.

    You can see those posts here

    https://modzone.ru/blog/2018/01/07/csrf-token-formit-hook/ (Google Translate: https://translate.google.co.uk/translate?hl=en&sl=ru&u=https://modzone.ru/blog/2018/01/07/csrf-token-formit-hook/&prev=search)

    https://modzone.ru/blog/2017/11/19/security-functions/ (Google Translate: https://translate.googleusercontent.com/translate_c?depth=1&hl=en&prev=search&rurl=translate.google.co.uk&sl=ru&sp=nmt4&u=https://modzone.ru/blog/2017/11/19/security-functions/&usg=ALkJrhj6NWhfXxRamGwhI4rPJ9j-3jCDKQ)

    They talk about this CSRF helper function csrf_field(), but I am at a loss how to apply this to FormIt and then get the hidden input field to generate the token and use the hook described.

    Does anyone have any idea how I can add a CSRF token or help explain the above posts in more detail? Thanks
      • 3749
      • 24,544 Posts
      Would it satisfy the client if the whole site was https:// ? That would remove any browser warnings. LetsEncrypt is fairly easy to implement (if your host supports it), and it's free.

      FWIW, MODX itself is pretty good about protecting from CSRF attacks in the code that handles all requests.


        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 6506
        • 35 Posts
        Hi Bob, thanks for the reply. The site is already https://. Do you think that would be enough? I have also set the following headers in Apache:

        • Strict-Transport-Security
        • X-Frame-Options
        • X-Content-Type-Options
        • X-XSS-Protection

        But because a security scan flags the forms as open to a CSRF attack (no token is set), they will not allow the forms to be published and are asking for it to be fixed. If this was an e-commerce site I'd understand, but it is a brochure site that captures basic information and, using FormIt encrypt, it is encrypted in the database. As you can imagine this is very frustrating, but if I could add a CSRF token in FormIt I am sure this would appease them.

        On MODX handling CSRF attacks, is there any good information on the security of MODX? I know that is self-defeating perhaps, as it tells hackers what protection is enabled, but it would be good to go back to the client and say XYZ is enabled security-wise in MODX.
          • 3749
          • 24,544 Posts
          There's a little advice here:

          https://stackoverflow.com/questions/40762078/prevent-csrf-attack-in-modx-formit

          I couldn't find anything on MODX's defenses against CSRF attacks, but the most recent vulnerability report I could find was from 2014 -- fixed long ago.

          There's some good info on token generation here, though I think much of it is overkill for your situation.

          I'd do something like this (untested):

          Put a hidden input tag in the form.

          <input name="CSRF_token" type="hidden" value="[[+CSRF_token]]" />


          Then in the preHook:

          <?php
          /* Create a per-session token on the first request that lacks one */
          if (empty($_SESSION['token'])) {
              if (function_exists('mcrypt_create_iv')) {
                  $_SESSION['token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
              } else {
                  $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(32));
              }
          }

          if (isset($_POST['yourSubmitVar']) && (string) $_POST['yourSubmitVar'] === 'yourSubmitVarValue') {
              /* Repost: the submitted token must match the one stored in the session */
              $verified = (string) $modx->getOption('CSRF_token', $_POST, null, true) === (string) $_SESSION['token'];
              if (! $verified) {
                 /* (optionally) log it somewhere */
                 $modx->sendUnauthorizedPage();
              }
          } else {
              /* Not a repost: expose the token so the hidden input can render it */
              $modx->setPlaceholder('CSRF_token', $_SESSION['token']);
          }

          /* FormIt preHooks must return true for processing to continue */
          return true;



          If you don't mind, let me know what you finally use and I'll do a blog post on it.
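            The same preHook approach as above, written out as a complete snippet (an added example, not Bob's or FormIt's own code): it issues one token per session with a CSPRNG, compares the posted value in constant time, and rejects a submission that lacks it. Assumed: a snippet named csrfGuard, a &csrfField property passed through the FormIt call as $scriptProperties, an uncached placeholder in the form, and PHP 7.0 or newer.

```php
<?php
/**
 * Hypothetical snippet "csrfGuard" (added example, not FormIt's code).
 * Assumed FormIt call and hidden field (uncached so the token renders per request):
 *   [[!FormIt? &preHooks=`csrfGuard` &hooks=`email` &csrfField=`csrf_token`]]
 *   <input type="hidden" name="csrf_token" value="[[!+csrf_token]]" />
 * Closures are used instead of named functions so the snippet can run more
 * than once on a page without a "cannot redeclare function" fatal error.
 */

/* Return the session's token, creating it on first use (32 CSPRNG bytes, hex). */
$sessionToken = function (): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
};

/* Constant-time comparison; a missing, empty or non-string field never validates. */
$tokenIsValid = function ($submitted, string $expected): bool {
    return is_string($submitted) && $submitted !== ''
        && hash_equals($expected, $submitted);
};

/* Field name from the FormIt call (assumption: hooks receive it in $scriptProperties). */
$field = $modx->getOption('csrfField', $scriptProperties, 'csrf_token');
$token = $sessionToken();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    /* Repost: the token must match the one issued to this browser session. */
    if (!$tokenIsValid($_POST[$field] ?? null, $token)) {
        $modx->log(modX::LOG_LEVEL_WARN, sprintf(
            'csrfGuard: rejected POST to resource %d from %s (missing or stale token)',
            $modx->resource ? $modx->resource->get('id') : 0,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        /* Ends the request here, so the email hook never runs for this submission. */
        $modx->sendUnauthorizedPage();
    }
}

/* GET, or a verified POST: expose the token so the hidden input can render it. */
$modx->setPlaceholder($field, $token);
return true;
```

            The token is kept for the life of the session rather than rotated per request, so a user with the form open in two tabs can still submit both; the log line gives the client something to point a scanner report at.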
            • 42766
            • 47 Posts
            I also have a client asking for this now. DannyFranks - do you remember what you ended up doing?