We are using custom search on our forums where we are pulling in results from another server. This makes it vulnerable to CSRF attack. how can we go about implementing the CSRF protection in the lithiums custom components/ endpoints in the Javascript.
Also, how secure are the other forms in Lithium in regards to CSRF? Any vulnerabilities?
Some important questions that will determine what you need to do:
1. Is the content on the external service trusted (e.g. do you have control of it)?
2. What is the format of that content?
3. How are you displaying that content within Lithium?
As a general rule, any content from an unverified or untrusted source should be sanitised before being included in the content of a page. Note that this includes anything that could be changed by the user, such as HTTP GET/POST parameters passed to the page.
The OWASP website is a really good source for information about web security, and has advice on how avoid vulnerabilities such as Cross Site Scripting (XSS).
FreeMarker has some directives for sanitising strings for display, such as ?html - http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_html
Based on what you've said, I can't see you needing to do anything special to avoid XSS. There's nothing inherently insecure about making cross-site requests, and you control both the content and the mechanism for displaying it on the page.
I'd recommend getting someone knowledgeable to review the code if you have any concerns about it.
Theoretically even when controlling the source of the data and the logic to display it, one could still think about man in the middle attacks on the data in transit, especially if unencrypted.
Of course it all depends on what the security requirements are, if you have hard security requirements then as nathan suggested a code review or even a pentest may be the best way to proceed.
