Whenever we try deleting any content, Drupal displays a confirmation page. Through this confirmation page Drupal handles CSRF.
What is Cross-Site Request Forgery (CSRF or XSRF)?
CSRF is an attack that forces an end user (an authenticated user) to perform some operation without intending to.
Drupal scenario of CSRF attack
- Most Drupal sites have a feedback form implemented through Webform. By default, Webform also sends the feedback form submissions to an email address.
- An attacker can craft such a message by adding a link whose href parameter is [http://www.examplesite.com/node/3/delete?destination=admin/content].
- An authenticated user might click the link in the message without knowing the operational sensitivity of the href [http://www.examplesite.com/node/3/delete?destination=admin/content].
- By the time the user realizes the attack, the link has already been clicked and it is too late to revert the action: [node/3] is already deleted and the [admin/content] page is displayed.
Drupal's way of preventing CSRF
- Drupal associates a secret TOKEN value with every action.
- We can find [form_token] as a hidden field in Drupal forms.
- Whenever any action (such as deleting a node) is sent to the browser, the Drupal site also sends the associated TOKEN value to the browser.
- The importance of this TOKEN is that it is known only to the user and the site. It is very hard for attackers to guess such TOKENs.
- Whenever the browser sends any request to the site, Drupal validates the TOKEN against the action, and only then is the required action performed.
- If this 'Action + Token' validation fails, the action is declined.
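The 'Action + Token' check above, as an added Python model (not Drupal's own code): the token is an HMAC over the action id keyed with the session id plus site-wide secrets, following the construction Drupal 7's drupal_get_token() uses. The secrets, session ids and the node/N/delete handler are constructed for illustration; a forged GET link only reaches the confirmation form, and a POST without a token for this session and action is declined.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for Drupal's site private key and hash salt.
PRIVATE_KEY = "constructed-private-key"
HASH_SALT = "constructed-hash-salt"


def hmac_base64(data: str, key: str) -> str:
    """URL-safe, unpadded base64 of HMAC-SHA256 (the drupal_hmac_base64() shape)."""
    digest = hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def get_token(session_id: str, action: str) -> str:
    """form_token bound to both the user's session and one specific action (form id)."""
    return hmac_base64(action, session_id + PRIVATE_KEY + HASH_SALT)


def valid_token(session_id: str, action: str, token: str) -> bool:
    """Recompute the expected token and compare in constant time."""
    return hmac.compare_digest(get_token(session_id, action), token)


def handle_delete(session_id: str, node_id: int, method: str,
                  form_token: Optional[str]) -> str:
    """Constructed model of node/N/delete: GET shows the confirm form, POST needs a token."""
    action = f"node_delete_confirm_{node_id}"
    if method == "GET":
        # Following the attacker's link only renders the confirmation page,
        # which carries the hidden form_token for this session and action.
        return f"confirm-form form_token={get_token(session_id, action)}"
    if form_token is None or not valid_token(session_id, action, form_token):
        return "403 declined: invalid form token"
    return f"node {node_id} deleted"


if __name__ == "__main__":
    print(handle_delete("sess-A", 3, "GET", None))
    token = get_token("sess-A", "node_delete_confirm_3")
    print(handle_delete("sess-A", 3, "POST", token))
    print(handle_delete("sess-A", 3, "POST", get_token("sess-B", "node_delete_confirm_3")))
```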