Security Basics mailing list archives

Re: Cookie Security

From: Orlin Gueorguiev <orlin () baturov com>
Date: Sat, 3 May 2008 02:24:38 +0200

На Wednesday 30 April 2008 17:24:19 Audrius написа:

2008/4/30 Orlin Gueorguiev <orlin () baturov com>:

 <img

src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory";


 If Bob's bank keeps his authentication information in a cookie, and if
the cookie hasn't expired, then Bob's browser's attempt to load the image
will submit the withdrawal form with his cookie, thus authorizing a
transaction without Bob's approval.
 =====
 So... what I am asking myself how your consept can secure, that CSRF is
not going to be exploited?


You already have answered your question using your "if's". Token can't
be in the cookies, because they are returned back on every request.
But if token will be used for example in an URL, then your method will
not work. But again, this technique will not work, if site will be
vulnerable to XSS. Most of security methods against CSRF doesn't work,
if site has XSS vulnerability. Then much better way is to use
something like captcha. Just ask user to do something before doing
important actions. But again, captcha can't be to complicated, because
you will have another problem. Usability of the website. :) Better
security always means less usability and to find the middle is quite
hard.


Lets take the classical situation: We have 3 persons: Alice (the attacked 
person), Bob (the bank) and Eve (the hacker).
So... Eve crafts a web page, that tries to exploit a CSRF vulnerability and 
steal money from anybody, who opens the page and has a non-expired cookie to 
Bob (the bank). So Alice opens the page and she logs with her own computer 
and credentials to the bank and send the money. Now... because SHE logs 
there, and not Eve, this means that anything saved on her computer can be 
used to log in there, so exchanging tokens would not work.
Even if you use a token, that is beeing randomly generated, if the process of 
generation is simulated using CSRF, it would not really matter if you use 
such a token. So... this is why I was asking why you how/why does this token 
help prevent CSRF?

Cheers,
Orlin

Current thread:

Re: Re: Re: Cookie Security ellukicq (May 01)
- <Possible follow-ups>
- Re: Re: Cookie Security Audrius (May 05)
- Re: Cookie Security Orlin Gueorguiev (May 05)
  - RE: Cookie Security Marco M. Morana (May 06)
    - Re: Cookie Security Orlin Gueorguiev (May 08)