
Thread: Cross-site request forgery attack mitigation

  1. #1
    Sencha User
    Join Date
    Jun 2009
    Posts
    54
    Vote Rating
    21

    Cross-site request forgery attack mitigation

    I was wondering if there is any easy way to instruct the Ext.Direct code to always send an extra parameter (nonce token) with all calls to the server?


    I'm a bit concerned about the potential Ext.direct provides for CSRF attacks.
    Especially when it comes to the @formhandler calls that post the information to the server as normal HTML form data.

  2. #2
    Sencha - Sr Software Engineer mitchellsimoens's Avatar
    Join Date
    Mar 2007
    Location
    Gainesville, FL
    Posts
    39,413
    Vote Rating
    1269


    Are you going to have this backend only be reachable from one site?
    Mitchell Simoens @LikelyMitch
    Sencha Inc, Senior Software Engineer

  3. #3
    Sencha User
    Join Date
    Jun 2009
    Posts
    54
    Vote Rating
    21


    Quote Originally Posted by mitchellsimoens:
        Are you going to have this backend only be reachable from one site?
    Correct.
    (but I cannot rely on Referer checking, if that is what you are aiming at.)

  4. #4
    Sencha User
    Join Date
    Nov 2011
    Posts
    2
    Vote Rating
    0


    It can be done by overriding the getCallData function of RemotingProvider:
    Code:
    // Add the token to the payload of every Ext.Direct RPC call.
    // MyNS.MyToken is assumed to hold the per-session token rendered into the page.
    Ext.direct.RemotingProvider.override({
        getCallData: function(transaction) {
            return {
                action: transaction.action,
                method: transaction.method,
                data: transaction.data,
                type: 'rpc',
                tid: transaction.id,
                token: MyNS.MyToken
            };
        }
    });
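The client override above only helps if the server actually rejects calls whose token is missing or wrong, and it never touches the @formhandler posts raised in the first post, which reach the router as ordinary URL-encoded forms. The following is an added example, not code from the thread or from Sencha, of the server-side half of that check for an Ext.Direct router: it handles both wire shapes, validates the token in constant time, and answers rejected transactions with an Ext.Direct exception. The session token source and the dispatch step are assumed; field names are the Ext.Direct wire format.

```javascript
// Added example, not from the thread: token check for an Ext.Direct router.
// Field names are the Ext.Direct wire format; session lookup is assumed.

// Constant-time compare; tokens are fixed length so the length check is fine.
function tokensMatch(sent, expected) {
  if (typeof sent !== 'string' || typeof expected !== 'string') return false;
  if (sent.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < sent.length; i++) diff |= sent.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Two wire shapes: JSON RPC (single object or batched array, `token` added by
// the getCallData override) and formHandler posts, which are plain URL-encoded
// forms with extAction/extMethod/extTID/extType. The override never sees the
// latter, so there the token must be a form field (hidden input / baseParams).
function parseTransactions(contentType, body) {
  if (contentType.startsWith('application/json')) {
    const parsed = JSON.parse(body);
    return Array.isArray(parsed) ? parsed : [parsed];
  }
  const f = Object.fromEntries(new URLSearchParams(body));
  return [{ action: f.extAction, method: f.extMethod, tid: Number(f.extTID),
            type: f.extType, token: f.token, data: f }];
}

// Check every transaction before dispatch. A rejected one gets an Ext.Direct
// 'exception' response so the client callback sees an error, not silence.
function checkRequest(sessionToken, contentType, body) {
  const accepted = [], responses = [];
  for (const tx of parseTransactions(contentType, body)) {
    if (tokensMatch(tx.token, sessionToken)) {
      accepted.push(tx);
    } else {
      responses.push({ type: 'exception', tid: tx.tid, action: tx.action,
                       method: tx.method, message: 'Invalid CSRF token' });
    }
  }
  return { accepted, responses };
}

// Constructed sample: a batch with one tokened call and one without a token.
const SAMPLE_TOKEN = 'c0ffee1234abcd';
const SAMPLE_BATCH = JSON.stringify([
  { action: 'Users', method: 'load', data: [7], type: 'rpc', tid: 1, token: SAMPLE_TOKEN },
  { action: 'Users', method: 'remove', data: [7], type: 'rpc', tid: 2 }
]);
const SAMPLE_FORM = 'extAction=Users&extMethod=save&extTID=3&extType=rpc&name=bob&token=' + SAMPLE_TOKEN;
```

Running checkRequest on SAMPLE_BATCH accepts tid 1 and returns an exception for tid 2; the form post is accepted because the token travelled as a form field.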
