[OWASP-GUIDE] White paper: Authentication and Session Management on the Web

Andrew van der Stock vanderaj at greebo.net
Thu Feb 10 03:31:10 EST 2005


Chris,

> One point that you make in your discussion on CSRF is the use of Referer
> to help protect against it. Although I've always advised against relying
> on Referer for anything, I am thinking that it might actually be a useful
> header in this case, because you can check for consistency. So, while
> Referer might be blank or something like "Blocked by RefBlock 2000," it's
> probably not going to change. If it does, you can treat the request with
> some suspicion, requiring an extra confirmation step than you typically
> do.

[Andrew van der Stock] 
To me, the referrer is a defense-in-depth control. The new version of the
Guide recommends against relying upon it, but it can be a useful control for
the 99+% of casual attackers who just try out your app using a browser
alone.

Granted it will never stop any of us (or any tooled-up or Perl capable
attacker), but for the low entry cost, referrer checks are worthwhile along
with other controls, if only for the delay factor.
 
> A safeguard that I didn't see you mention is the use of a unique token in
> each form, passed as a hidden form element. Because a CSRF attack attempts
> to forge a request from someone else (the victim), checking for this
> unique token forces an attacker to capture the one associated with the
> victim and the form being spoofed.

[Andrew van der Stock] 

For .NET applications, could a token hidden in the MAC obfuscated ViewState
be considered adequate? 

I'm not a huge fan of secondary tokens as they go against the simplicity
argument. In general my clients are rarely capable of writing
cryptographically robust session management schemes, for which secondary
tokens fall into. 

Also, Paul has gratefully allowed me to summarize his paper's techniques
into the Guide. Look for that this weekend when I release 2.0 a4. Also, I've
received Frank Lemmon's corrections, and I've added much more besides. It's
starting to look more like it's finished. :)

Thanks,
Andrew





More information about the Owasp-guide mailing list