Significance of Confirmation Page in Drupal

Whenever you try to delete any content, Drupal displays a confirmation page. This confirmation page is how Drupal handles CSRF for that action: the deletion is only performed when the form on that page is submitted with a valid token, not when the delete URL is merely visited.

What is Cross-Site Request Forgery (CSRF or XSRF)?

CSRF is an attack that forces an end user (an authenticated user) to perform an operation they did not intend.

Drupal scenario of CSRF attack

  • Most Drupal sites have a feedback form built with the Webform module. By default, Webform also sends feedback submissions to an email address.
  • An attacker can abuse this by submitting a message that contains a link whose href points to [http://www.examplesite.com/node/3/delete?destination=admin/content].
  • An authenticated user may then click the link in the email message without realising how sensitive the href [http://www.examplesite.com/node/3/delete?destination=admin/content] is.
  • By the time the user realises the attack, the link has already been clicked and it is too late to revert the action: [node/3] is already deleted and the [admin/content] page is displayed.

Drupal's way of preventing CSRF

  • Drupal associates a secret TOKEN value with every action.
  • You can find [form_token] as a hidden field in Drupal forms.
  • Whenever an action (such as deleting one or more nodes) is sent to the browser, the Drupal site also sends the associated TOKEN value to the browser.
  • The importance of this TOKEN is that it is known only to the user and the site; it is very hard for an attacker to guess such a TOKEN.
  • Whenever the browser sends a request to the site, Drupal validates the TOKEN against the action, and only then is the requested action performed.
  • If this 'Action + TOKEN' validation fails, the action is declined.
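The following is an added example (not Drupal's own code) that models the node/3/delete flow from the scenario above together with the token check described in this section. The token derivation is modelled on Drupal's approach of keying an HMAC with the user's session id plus site secrets; the site secrets, session ids, node list and `Site` class are all constructed for the example. It shows that visiting the delete link only renders the confirmation form, that a POST without a token or with a token issued to a different session is declined, and that only the genuine confirmation submission deletes the node.

```python
import hashlib
import hmac

# Constructed site secrets. Drupal derives its tokens from the site's private
# key and hash salt, which a third-party site does not know.
SITE_PRIVATE_KEY = "constructed-private-key"
SITE_HASH_SALT = "constructed-hash-salt"


def get_token(session_id: str, value: str) -> str:
    """Token bound to both the user's session and a specific action value
    (here the form id). Modelled on Drupal's drupal_get_token(), not its code."""
    key = (session_id + SITE_PRIVATE_KEY + SITE_HASH_SALT).encode()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def valid_token(session_id: str, token: str, value: str) -> bool:
    """Constant-time check that the submitted token is the one this session
    would have been issued for this action."""
    expected = get_token(session_id, value).encode()
    return hmac.compare_digest(expected, token.encode())


class Site:
    """Tiny model of node/<nid>/delete: a GET renders the confirmation form,
    and only a POST carrying a valid form_token deletes anything."""

    FORM_ID = "node_delete_confirm"

    def __init__(self):
        # Constructed content table: nid -> title.
        self.nodes = {1: "About us", 3: "Annual report", 4: "Contact"}

    @staticmethod
    def _nid_from_path(path: str) -> int:
        # Path shape: node/<nid>/delete, with any query string ignored.
        parts = path.split("?", 1)[0].strip("/").split("/")
        if len(parts) != 3 or parts[0] != "node" or parts[2] != "delete":
            raise ValueError(f"unexpected path: {path}")
        return int(parts[1])

    def handle_get(self, path: str, session_id: str) -> dict:
        # Following the link (e.g. from an email) only renders the confirmation
        # page and hands the browser the token for this action; nothing changes.
        nid = self._nid_from_path(path)
        return {"status": "confirm", "form_id": self.FORM_ID,
                "form_token": get_token(session_id, self.FORM_ID), "nid": nid}

    def handle_post(self, path: str, form: dict, session_id: str) -> dict:
        # The 'Action + TOKEN' check: the form id names the action and the
        # token must match what this session was issued for that action.
        nid = self._nid_from_path(path)
        if form.get("form_id") != self.FORM_ID or not valid_token(
                session_id, form.get("form_token", ""), self.FORM_ID):
            return {"status": "declined", "nid": nid}
        self.nodes.pop(nid, None)
        return {"status": "deleted", "nid": nid,
                "redirect": form.get("destination", "node")}


def demo() -> dict:
    """Walk through the scenario and return the outcome of each step."""
    site = Site()
    victim = "sess-victim-123"       # constructed session of the logged-in editor
    other = "sess-other-999"         # constructed session of a different login
    link = "node/3/delete?destination=admin/content"

    # 1. Victim follows the link: confirmation form shown, node 3 survives.
    page = site.handle_get(link, victim)
    survived_get = 3 in site.nodes

    # 2. Cross-site submission with no token: declined.
    no_token = site.handle_post(link, {"form_id": Site.FORM_ID}, victim)

    # 3. A token issued to another session does not validate for the victim.
    wrong_session = site.handle_post(
        link, {"form_id": Site.FORM_ID,
               "form_token": get_token(other, Site.FORM_ID)}, victim)

    # 4. Genuine confirmation: the victim submits the form they were shown.
    real = site.handle_post(
        link, {"form_id": Site.FORM_ID, "form_token": page["form_token"],
               "destination": "admin/content"}, victim)

    return {"survived_get": survived_get, "no_token": no_token,
            "wrong_session": wrong_session, "real": real,
            "remaining": sorted(site.nodes)}


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The point to take from the model is that the GET in step 1 is harmless by construction, so a link in an email can at most show the user a confirmation page; the state change in step 4 requires the token the site issued to that same session for that same form id, which is exactly the 'Action + TOKEN' pairing validated in the last two bullets.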