[OWASP-Delhi] OWASP-Delhi Digest, Vol 84, Issue 2

Minhaz A V minhazav at gmail.com
Sun Jul 5 11:02:28 UTC 2015


Hi,

Keeping an anti-CSRF token is not only used so that we can validate it
against the token sent with the request payload. One of the benefits of keeping
the token in a cookie is that we can dynamically attach the token to every request
that is sent from the client using JavaScript. And the same-origin policy
of the cookie will ensure "evil" websites cannot access this cookie. Now the
benefit of this method is that you don't need to add a CSRF token to each of
your forms or AJAX requests; you can write a wrapper in JS that does this
for every FORM element and AJAX request.

This is the same design pattern used in CSRF Protector project,
https://www.owasp.org/index.php/CSRFProtector_Project

----------------------------------------------------------------------------
Kind Regards,
Minhaz <http://cistoner.org/minhaz/> | My Projects <http://cistoner.org/projects> | My blog <http://blog.minhazav.me/>
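The wrapper Minhaz describes, as an added example (this is not the CSRF Protector project's code, nor anything posted in the thread): it reads the token from a cookie, adds it as a header on every same-origin fetch() call, and adds or refreshes a hidden field on every same-origin form at submit time. The cookie name is the one from the request shown later in the thread; the header name, the stub window used to exercise it outside a browser, and the sample cookie string are assumptions made here.

```javascript
// Added example, not code from the CSRF Protector project or from the thread.
// A client-side wrapper that reads the anti-CSRF token from a cookie and
// attaches it to every fetch() call and form submission, so no individual
// form or AJAX call needs a hand-placed token. Cookie and header names are
// assumptions (the cookie name is taken from the request shown in the thread).
const CSRF_COOKIE = 'CSRF_Token';
const CSRF_HEADER = 'X-CSRF-Token';

// Parse a document.cookie string ("theme=dark; CSRF_Token=abc") and return
// the named value, or null when the cookie is absent.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// True when url resolves to the page's own origin. The token must never be
// sent to another host, so cross-origin requests are left untouched.
function isSameOrigin(url, origin) {
  try {
    return new URL(url, origin).origin === origin;
  } catch (e) {
    return false;
  }
}

// Return a copy of a fetch init object with the token header added
// (headers are assumed to be a plain object, not a Headers instance).
function addTokenHeader(init, token) {
  const headers = Object.assign({}, (init && init.headers) || {});
  headers[CSRF_HEADER] = token;
  return Object.assign({}, init, { headers });
}

// Install the wrapper on a window-like object. In a browser this is
// installCsrfWrapper(window); makeStubWindow below lets it run in Node.
function installCsrfWrapper(win) {
  const doc = win.document;
  const origin = win.location.origin;

  // AJAX: wrap fetch so every same-origin call carries the current token.
  const originalFetch = win.fetch;
  win.fetch = function (resource, init) {
    const url = typeof resource === 'string' ? resource : resource.url;
    const token = readCookie(doc.cookie, CSRF_COOKIE);
    if (token && isSameOrigin(url, origin)) init = addTokenHeader(init, token);
    return originalFetch.call(win, resource, init);
  };

  // Forms: on submit, add or refresh a hidden field carrying the token.
  // Capture phase, so it runs before any per-form submit handlers.
  doc.addEventListener('submit', function (ev) {
    const form = ev.target;
    const token = readCookie(doc.cookie, CSRF_COOKIE);
    if (!token || !isSameOrigin(form.action, origin)) return;
    let field = form.querySelector('input[name="' + CSRF_COOKIE + '"]');
    if (!field) {
      field = doc.createElement('input');
      field.type = 'hidden';
      field.name = CSRF_COOKIE;
      form.appendChild(field);
    }
    field.value = token;
  }, true);
}

// Constructed stand-in for a browser window so the wrapper can be exercised
// outside a browser: records what fetch received and the submit handler.
function makeStubWindow(cookie) {
  const win = {
    location: { origin: 'https://app.example' },
    document: {
      cookie: cookie,
      listeners: {},
      addEventListener(type, fn) { this.listeners[type] = fn; },
      createElement(tag) { return { tag }; },
    },
    calls: [],
    fetch(resource, init) { this.calls.push({ resource, init }); return Promise.resolve('ok'); },
  };
  installCsrfWrapper(win);
  return win;
}
```

Two things follow from the design. The cookie must be readable by script, so it cannot be HttpOnly; what keeps it away from an "evil" site is the same-origin policy on document.cookie, not the HttpOnly flag. And the same-origin test matters: a wrapper that blindly adds the header to every fetch() would hand the token to any third-party host the page talks to.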

On Sun, Jul 5, 2015 at 2:54 PM, Amit Saini <call4amit at gmail.com> wrote:

> Hi,
>
> I don't think that keeping the TokenID in both (cookie and HTML page) will be
> a good option for CSRF.
> As long as the HTML has a valid TokenID, we can handle the CSRF.
>
> Please correct me if I get it wrong.
>
> Regards
> Amit Saini
>
> On Sat, Jul 4, 2015 at 11:40 PM, <owasp-delhi-request at lists.owasp.org>
> wrote:
>
>> Send OWASP-Delhi mailing list submissions to
>>         owasp-delhi at lists.owasp.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>         https://lists.owasp.org/mailman/listinfo/owasp-delhi
>> or, via email, send a message with subject or body 'help' to
>>         owasp-delhi-request at lists.owasp.org
>>
>> You can reach the person managing the list at
>>         owasp-delhi-owner at lists.owasp.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of OWASP-Delhi digest..."
>>
>>
>> Today's Topics:
>>
>>    1. Re: Anti-CSRF token in cookie and post form (Minhaz A V)
>>    2. Re: How to implement ASLR & DEP in C# thick client
>>       applications? (Praveen Darshanam)
>>    3. Re: Anti-CSRF token in cookie and post form (go4kam at gmail.com)
>>    4. Re: Anti-CSRF token in cookie and post form (Minhaz A V)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sat, 4 Jul 2015 17:47:27 +0530
>> From: Minhaz A V <minhazav at gmail.com>
>> To: Vaibhav Gupta <vaibhav12jan at gmail.com>
>> Cc: owasp-delhi at lists.owasp.org
>> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
>> Message-ID:
>>         <CADCpCkhdMV+NmYh35=LP26MbPbboN=
>> GR3Feyp3hz1sK9DrVrvg at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Not one I can think of, as the whole point of using a random nonce here is
>> based on the same-origin policy of the cookie.
>>
>> Also there is a possibility that the validation on the server side could be between
>> the POST variable and a server-side cookie rather than the one sent by the client. This
>> would make tampering with the request useless.
>> On 4 Jul 2015 17:29, "Vaibhav Gupta" <vaibhav12jan at gmail.com> wrote:
>>
>> > Hello all,
>> >
>> > I recently encountered an application which had its random
>> > anti-CSRF token in a cookie, and the same random token was sent in the POST
>> > form. If I tamper with the cookie and the POST form anti-CSRF token using the
>> > same value, the server will validate my request.
>> >
>> > Example:
>> >
>> > POST /account/delete
>> > HOST: XYZ
>> > Cookie: CSRF_Token=123456
>> >
>> > account_id=10101&CSRF_Token=123456
>> >
>> > Now the problem is that we cannot manipulate the cookie value with JavaScript
>> > and hence cannot fiddle with the anti-CSRF token present in the cookie. Is
>> > there a way to create a working exploit?
>> >
>> > Apologies if I am unable to make the scenario clear.
>> >
>> > Thanks
>> > Vaibhav
>> >
>> > _______________________________________________
>> > OWASP-Delhi mailing list
>> > OWASP-Delhi at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-delhi
>> > LinkedIn Group: https://www.linkedin.com/groups?gid=89270
>> > Twitter: https://twitter.com/OWASPdelhi
>> >
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Sat, 4 Jul 2015 14:24:28 +0000 (UTC)
>> From: Praveen Darshanam <praveen_recker at yahoo.com>
>> To: sanjay kumar <sanjay1519841 at gmail.com>,
>>         "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
>> Subject: Re: [OWASP-Delhi] How to implement ASLR & DEP in C# thick
>>         client applications?
>> Message-ID:
>>         <941545636.2453820.1436019868663.JavaMail.yahoo at mail.yahoo.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi Sanjay,
>> These are compile/build-time flags from Visual Studio or any SDKs used
>> to build Windows binaries.
>> Best Regards,
>> Praveen Darshanam
>>
>>
>>      On Saturday, July 4, 2015 2:55 PM, sanjay kumar <
>> sanjay1519841 at gmail.com> wrote:
>>
>>
>>  Hi,
>> Does anyone know how to implement ASLR (Address Space Layout
>> Randomization) and DEP (Data Execution Prevention) in a thick client application
>> based on C#?
>> If it cannot be implemented, then what is the risk in applications
>> developed in C#?
>> Regards,
>> Sanjay Kumar
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Sat, 04 Jul 2015 20:22:04 +0530
>> From: go4kam at gmail.com
>> To: Minhaz A V <minhazav at gmail.com>, Vaibhav Gupta
>>         <vaibhav12jan at gmail.com>
>> Cc: owasp-delhi at lists.owasp.org
>> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
>> Message-ID: <20150704145204.6586515.84322.2077 at gmail.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Sat, 4 Jul 2015 23:32:49 +0530
>> From: Minhaz A V <minhazav at gmail.com>
>> To: go4kam at gmail.com
>> Cc: owasp-delhi at lists.owasp.org
>> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
>> Message-ID:
>>         <
>> CADCpCkj_R3ik4z4Q9nYyu94HiqmuWWmECYGFvwm8fBgno4dxDQ at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> :D I meant session variables... They can be referred to as server-side
>> cookies, I believe.
>> On 4 Jul 2015 20:22, <go4kam at gmail.com> wrote:
>>
>> > A little off the hook here. But I want to ask, "Does something
>> > like server-side cookies really exist?"
>> >
>> > Sorry if that's a stupid question. I am not much into web apps but
>> > conceptually I find it difficult to digest something called a server-side
>> > cookie.
>> >
>> > Cheers!
>> > Kamal
>> >
>>
>> ------------------------------
>>
>>
>>
>> End of OWASP-Delhi Digest, Vol 84, Issue 2
>> ******************************************
>>
>
>
>