Security Basics mailing list archives
Re: Cookie Security
From: Orlin Gueorguiev <orlin () baturov com>
Date: Sat, 3 May 2008 02:24:38 +0200
On Wednesday 30 April 2008 17:24:19 Audrius wrote:
> 2008/4/30 Orlin Gueorguiev <orlin () baturov com>:
>> <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
>>
>> If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then Bob's browser's attempt to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
>> =====
>> So... what I am asking myself is how your concept can make sure that CSRF is not going to be exploited?
>
> You have already answered your question using your "if's". A token can't be in the cookies, because they are sent back on every request. But if the token is used, for example, in a URL, then your method will not work. But again, this technique will not work if the site is vulnerable to XSS. Most security methods against CSRF don't work if the site has an XSS vulnerability. Then a much better way is to use something like a captcha. Just ask the user to do something before doing important actions. But again, the captcha can't be too complicated, because you will have another problem: usability of the website. :) Better security always means less usability, and finding the middle is quite hard.
Let's take the classical situation: We have 3 persons: Alice (the attacked person), Bob (the bank) and Eve (the hacker). So... Eve crafts a web page that tries to exploit a CSRF vulnerability and steal money from anybody who opens the page and has a non-expired cookie for Bob (the bank). So Alice opens the page, and she logs in with her own computer and credentials to the bank and sends the money. Now... because SHE logs in there, and not Eve, this means that anything saved on her computer can be used to log in there, so exchanging tokens would not work. Even if you use a token that is being randomly generated, if the process of generation is simulated using CSRF, it would not really matter if you use such a token. So... this is why I was asking you how/why this token helps prevent CSRF?

Cheers,
Orlin
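As an added illustration of the token mechanism the thread is arguing about (this is example code, not something posted by Orlin or Audrius), the bank from the quoted scenario is modelled with an in-memory session store and plain functions instead of a web framework. The token is generated per login, stored server-side, embedded only in the bank's own form, and compared on every withdrawal; the cookie still travels automatically with the forged request, but the token does not, which is exactly the difference between the two requests in the demo. The session store, the form markup and the cookie and form dictionaries are all constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user", "csrf"}
SESSIONS = {}


def login(user):
    """Log a user in: issue a session cookie and a fresh per-session token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_withdraw_form(session_id):
    """Page served by the bank on its own origin; only it carries the token.
    Another origin's page cannot read this markup (same-origin policy), unless
    the bank itself has an XSS bug, which is the case the thread mentions."""
    token = SESSIONS[session_id]["csrf"]
    return ('<form method="post" action="/withdraw">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="amount"><input name="for"></form>')


def handle_withdraw(cookies, form):
    """Server-side check: the cookie authenticates, the token authorizes."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # constant-time comparison so the check does not leak the token
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return 403, "CSRF token missing or wrong"
    return 200, f"withdrew {form['amount']} from {sess['user']} to {form['for']}"


def demo():
    """Returns (status of legitimate request, status of forged request)."""
    sid = login("bob")
    # Bob's browser submits the bank's own form: extract the token from the page
    page = render_withdraw_form(sid)
    token = page.split('name="csrf" value="')[1].split('"')[0]
    legit = handle_withdraw({"session": sid},
                            {"csrf": token, "amount": "10", "for": "alice"})
    # Eve's page triggers the same URL: the browser attaches the cookie on its
    # own, but Eve's page never saw the token, so the form lacks it
    forged = handle_withdraw({"session": sid},
                             {"amount": "1000000", "for": "mallory"})
    return legit[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (200, 403)
```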