[Webappsec] [WEB SECURITY] Preventing Cross-site Request Forgeries
Arian J. Evans
arian.evans at anachronic.com
Sun Apr 1 00:07:09 EDT 2007
Comments Inline:
> -----Original Message-----
> From: pdp (architect) [mailto:pdp.gnucitizen at googlemail.com]
> Sent: Saturday, March 31, 2007 12:50 AM
> To: Arian J. Evans
>
> One time tokens are good idea
Yes, depending on the situation
> but tell me... how easy it is to implement them.
Pretty easy. Mark, Dan? We implemented them in a WAF pretty easily.
> You said yourself that just simply generating the
> token is not enough and the developer needs to involve other things
> such as tracking the user across the entire site, validating forms,
No, that's not what I said at all. I said threshold and profile
to see what (if anything) you need to do. Whether a token was
one-use, ten-use, relative path use, etc was one simple bit
we set. Pretty simple.
> etc. I've seen frameworks that do it and the implementation is
> ridiculously complicated.
Like?
> Adding more complications to your applications increase the chances of
> being hacked. I remember when the Universal PDF XSS issues came out
> and everybody started figuring out ridiculously complicated ways for
> closing the bug with a server-side solution. Well, guess what...
I'm not following your anecdote here.
[...]
> Although, I haven't done it... I know for sure that the
> entire idea can be achieved
So you are agreeing with me?
> This solution may not work on all applications, but I believe that it
> will work quite well on the majority of them.
As I stated quite clearly: it depends on what you need to do
and how the application works. A lot of the current targets
for CSRF are weak to this attack due to the use of GETs and Frames.
Arian J. Evans
Solipsistic Software Security Sophist
"I spend my money on motorcycles, martinis, and mistresses. The rest of
it I shamelessly squander."