[OWASP-Delhi] OWASP-Delhi Digest, Vol 84, Issue 2

Amit Saini call4amit at gmail.com
Sun Jul 5 09:24:12 UTC 2015


Hi,

I don't think that keeping the TokenID in both (the cookie and the HTML page) will be
a good option for CSRF.
As long as the HTML has a valid TokenID, we can handle the CSRF.

Please correct me if I get it wrong.

Regards
Amit Saini







On Sat, Jul 4, 2015 at 11:40 PM, <owasp-delhi-request at lists.owasp.org>
wrote:

> Send OWASP-Delhi mailing list submissions to
>         owasp-delhi at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.owasp.org/mailman/listinfo/owasp-delhi
> or, via email, send a message with subject or body 'help' to
>         owasp-delhi-request at lists.owasp.org
>
> You can reach the person managing the list at
>         owasp-delhi-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OWASP-Delhi digest..."
>
>
> Today's Topics:
>
>    1. Re: Anti-CSRF token in cookie and post form (Minhaz A V)
>    2. Re: How to implement ASLR & DEP in C# thick client applications? (Praveen Darshanam)
>    3. Re: Anti-CSRF token in cookie and post form (go4kam at gmail.com)
>    4. Re: Anti-CSRF token in cookie and post form (Minhaz A V)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 4 Jul 2015 17:47:27 +0530
> From: Minhaz A V <minhazav at gmail.com>
> To: Vaibhav Gupta <vaibhav12jan at gmail.com>
> Cc: owasp-delhi at lists.owasp.org
> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
> Message-ID:
>         <CADCpCkhdMV+NmYh35=LP26MbPbboN=
> GR3Feyp3hz1sK9DrVrvg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Not one I can think of, as the whole point of using a random nonce here is
> based on the same-origin policy of the cookie.
>
> Also there is a possibility that the validation on the server side could be between
> the post variable and a server-side cookie rather than the one sent by the client. This
> would make tampering with the request useless.
> On 4 Jul 2015 17:29, "Vaibhav Gupta" <vaibhav12jan at gmail.com> wrote:
>
> > Hello all,
> >
> > I recently encountered an application which had its random
> > anti-CSRF token in a cookie and the same random token was sent in the POST
> > form. If I tamper with the cookie and the post form anti-CSRF token with the
> > same value, the server will validate my request.
> >
> > Example:
> >
> > POST /account/delete
> > HOST: XYZ
> > Cookie: CSRF_Token=123456
> >
> > account_id=10101&CSRF_Token=123456
> >
> > Now the problem is that we cannot manipulate the cookie value with
> > JavaScript and hence cannot fiddle with the anti-CSRF token present in the
> > cookie. Is there a way to create a working exploit?
> >
> > Apologies if I am unable to clear the scenario.
> >
> > Thanks
> > Vaibhav
> >
> > _______________________________________________
> > OWASP-Delhi mailing list
> > OWASP-Delhi at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-delhi
> > LinkedIn Group: https://www.linkedin.com/groups?gid=89270
> > Twitter: https://twitter.com/OWASPdelhi
> >
>
> ------------------------------
>
> Message: 2
> Date: Sat, 4 Jul 2015 14:24:28 +0000 (UTC)
> From: Praveen Darshanam <praveen_recker at yahoo.com>
> To: sanjay kumar <sanjay1519841 at gmail.com>,
>         "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick client applications?
> Message-ID:
>         <941545636.2453820.1436019868663.JavaMail.yahoo at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Sanjay,
> These are compile/build time flags from Visual Studio or any SDK's used to
> build Windows binaries.
> Best Regards,
> Praveen Darshanam
>
>
> On Saturday, July 4, 2015 2:55 PM, sanjay kumar <sanjay1519841 at gmail.com> wrote:
>
>
>  Hi,
> Does anyone know how to implement ASLR (Address Space Layout
> Randomization) and DEP (Data Execution Prevention) in a thick client application
> based on C#?
> If it cannot be implemented, then what is the risk in applications which are
> developed in C#?
> Regards,
> Sanjay Kumar
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 04 Jul 2015 20:22:04 +0530
> From: go4kam at gmail.com
> To: Minhaz A V <minhazav at gmail.com>, Vaibhav Gupta
>         <vaibhav12jan at gmail.com>
> Cc: owasp-delhi at lists.owasp.org
> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
> Message-ID: <20150704145204.6586515.84322.2077 at gmail.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 4 Jul 2015 23:32:49 +0530
> From: Minhaz A V <minhazav at gmail.com>
> To: go4kam at gmail.com
> Cc: owasp-delhi at lists.owasp.org
> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
> Message-ID:
>         <
> CADCpCkj_R3ik4z4Q9nYyu94HiqmuWWmECYGFvwm8fBgno4dxDQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> :D I meant session variables... They can be referred to as server side
> cookies I believe.
> On 4 Jul 2015 20:22, <go4kam at gmail.com> wrote:
>
> > A little off the hook here. But I want to ask, "Does something like
> > server-side cookies really exist?"
> >
> > Sorry if that's a stupid question. I am not much into web apps but
> > conceptually I find it difficult to digest something called a server-side
> > cookie.
> >
> > Cheers!
> > Kamal
> >
>
> ------------------------------
>
>
>
> End of OWASP-Delhi Digest, Vol 84, Issue 2
> ******************************************
>
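Vaibhav's request above (cookie CSRF_Token=123456 with the same value in the POST body) and Minhaz's point about validating against the server-side session, as an added example that is not code from the thread: the naive double-submit check that accepts any matching pair beside a session-bound check and an HMAC-signed double-submit check that only accept tokens the server actually issued. The server secret and session id are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed values for the example; the secret and session id are assumptions,
# not values from the thread.
SERVER_SECRET = b"constructed-server-secret"
SESSION_ID = "sess-abc123"

def validate_double_submit(cookie_token: str, form_token: str) -> bool:
    """Naive double-submit check from the thread: the cookie value is compared
    only with the POST field, so any pair the client chooses itself passes."""
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)

def validate_session_bound(session_store: dict, session_id: str, form_token: str) -> bool:
    """Minhaz's suggestion: compare the POST field with the token kept in the
    server-side session (his "server-side cookie"), never with the client's cookie."""
    expected = session_store.get(session_id)
    return expected is not None and hmac.compare_digest(expected, form_token)

def issue_signed_token(session_id: str) -> str:
    """Stateless variant: bind a fresh nonce to the session with an HMAC so the
    server can recognise tokens it minted without storing them."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"

def validate_signed_double_submit(session_id: str, cookie_token: str, form_token: str) -> bool:
    """Cookie and form must match AND the cookie must carry a valid HMAC over
    this session, so a self-chosen pair such as 123456/123456 is rejected."""
    if not hmac.compare_digest(cookie_token, form_token):
        return False
    nonce, _, tag = cookie_token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return bool(nonce) and hmac.compare_digest(expected, tag)

def demo() -> dict:
    """Run the thread's request (cookie 123456, form 123456) through each check."""
    store = {SESSION_ID: secrets.token_hex(16)}  # token the server actually issued
    signed = issue_signed_token(SESSION_ID)
    return {
        "naive_accepts_self_chosen_pair": validate_double_submit("123456", "123456"),
        "session_bound_rejects_it": not validate_session_bound(store, SESSION_ID, "123456"),
        "session_bound_accepts_issued": validate_session_bound(store, SESSION_ID, store[SESSION_ID]),
        "signed_rejects_self_chosen_pair": not validate_signed_double_submit(SESSION_ID, "123456", "123456"),
        "signed_accepts_issued": validate_signed_double_submit(SESSION_ID, signed, signed),
    }
```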