[OWASP-GUIDE] White paper: Authentication and Session Management on the Web

Chris Shiflett chris at shiflett.org
Wed Feb 9 11:43:11 EST 2005


--- Paul Johnston <paul at westpoint.ltd.uk> wrote:
> You may be interested in this paper I've written:
> 
> http://www.westpoint.ltd.uk/advisories/Paul_Johnston_GSEC.pdf
> 
> The first ten pages or so are probably less interesting to readers
> of this list, but the latter part covers in detail all the attacks
> such as session fixation, CSRF, etc.
> 
> Any constructive discussion is welcomed!

I just skimmed through this, and it looks very good. Is this going to be
its permanent URL? I would like to provide a link to it in our library
(http://phpsec.org/library/).

I noticed that you reference an article of mine (thanks), and you might be
interested to know that it is now available online in plain HTML (so no
need to link to the PDF hosted by the magazine publisher):

http://shiflett.org/articles/foiling-cross-site-attacks

Another small point is that your reference to the session handling
functions in the PHP manual can be rewritten as follows:

http://www.php.net/manual/ref.session.php

This will choose the best mirror (uk.php.net in your case) and language
(en) for the client, which is better for documentation.

One point that you make in your discussion on CSRF is the use of Referer
to help protect against it. Although I've always advised against relying
on Referer for anything, I am thinking that it might actually be a useful
header in this case, because you can check for consistency. So, while
Referer might be blank or something like "Blocked by RefBlock 2000," it's
probably not going to change. If it does, you can treat the request with
some suspicion, requiring an extra confirmation step beyond what you
typically do.

A safeguard that I didn't see you mention is the use of a unique token in
each form, passed as a hidden form element. Because a CSRF attack attempts
to forge a request from someone else (the victim), checking for this
unique token forces an attacker to capture the one associated with the
victim and the form being spoofed.

I hope you find this discussion helpful. Thanks for sharing your work.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming Soon                 http://httphandbook.org/
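The two safeguards discussed in the message above, a per-form hidden token and a Referer consistency check, as an added example that is not part of the original thread, of Paul Johnston's paper or of Chris Shiflett's article. It is written in Python and framework-agnostic: the session is a plain dict standing in for whatever server-side session store the application uses, and all function names, form ids and request values are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def referer_origin(referer):
    """Reduce a Referer header to its scheme://host[:port] origin.

    Blank values and non-URL placeholders (a privacy proxy's "Blocked by ..."
    text, for instance) are kept as-is: the consistency check below only cares
    whether the value changes within a session, not whether it is a real URL.
    """
    if not referer:
        return ""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return referer.strip()
    return f"{parts.scheme}://{parts.netloc}"


def check_referer_consistency(session, referer):
    """True if this session's Referer origin matches what it sent before.

    The first origin seen is recorded; a later change returns False so the
    caller can demand an extra confirmation step rather than fail outright.
    """
    origin = referer_origin(referer)
    seen = session.get("referer_origin")
    if seen is None:
        session["referer_origin"] = origin
        return True
    return seen == origin


def issue_form_token(session, form_id):
    """Mint an unpredictable token for one form and bind it to the session.

    The caller emits it as a hidden form field; an attacker forging a request
    on the victim's behalf has no way to read this value.
    """
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    session.setdefault("csrf_tokens", {})[form_id] = token
    return token


def validate_form_token(session, form_id, submitted):
    """Consume the session's token for this form and compare in constant time.

    Popping the token makes it single-use, so a captured value cannot be
    replayed against a second submission of the same form.
    """
    expected = session.get("csrf_tokens", {}).pop(form_id, None)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, form_id, fields, headers):
    """Decide what to do with a state-changing POST.

    Returns "reject" when the hidden token is missing or wrong, "confirm" when
    the token is fine but the Referer origin differs from what the session
    sent before, and "ok" otherwise.
    """
    if not validate_form_token(session, form_id, fields.get("csrf_token")):
        return "reject"
    if not check_referer_consistency(session, headers.get("Referer", "")):
        return "confirm"
    return "ok"


def demo():
    """Walk a constructed session through four requests (hypothetical data)."""
    session = {}
    app_referer = {"Referer": "https://bank.example/transfer"}

    # 1. Legitimate submission with the token the server issued.
    token = issue_form_token(session, "transfer")
    legit = handle_post(session, "transfer", {"csrf_token": token}, app_referer)

    # 2. Forged cross-site request: the attacker cannot supply the token.
    forged = handle_post(session, "transfer", {}, {"Referer": "https://attacker.example/"})

    # 3. Replay of the already-consumed token is refused.
    replay = handle_post(session, "transfer", {"csrf_token": token}, app_referer)

    # 4. Fresh token but the Referer that was consistently present is now blank:
    #    not rejected, but escalated to an extra confirmation step.
    token2 = issue_form_token(session, "transfer")
    changed = handle_post(session, "transfer", {"csrf_token": token2}, {"Referer": ""})

    return (legit, forged, replay, changed)


if __name__ == "__main__":
    print(demo())
```

Two design choices go beyond the message: the token is consumed on first use so a captured value is not replayable, and the Referer check is deliberately subordinate to the token check, escalating to confirmation rather than rejecting, because a blank or placeholder Referer is a normal condition for some clients and proxies.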




More information about the Owasp-guide mailing list