[Owasp-leaders] CSRF Password Change Function

Minhaz A V minhazav at gmail.com
Fri Mar 17 09:26:21 UTC 2017


@Steven: that can be done to the login page as well. We need other mitigation
for that.
We'd need to throttle attempts to reset the password per unit time, making
brute force not very feasible.

----------------------------------------------------------------------------
Kind Regards,
Minhaz
minhazav.xyz | Blog <http://blog.minhazav.xyz> | Projects
<http://github.com/mebjas> | LinkedIn <https://in.linkedin.com/in/minhazav>

On Fri, Mar 17, 2017 at 2:53 PM, Steven van der Baan <steven.van.der.baan at owasp.org> wrote:

> Hi all,
>
> I disagree that you can use the current password as an anti-CSRF token.
> And here is why:
> I see the anti-CSRF token as assurance that it's really the user
> interacting with the application and not some script. An attacker can
> easily go through the whole rockyou dictionary and use all entries as
> the current password to reset it to a known value. There will always be
> users that fall victim to this as they use insecure passwords.
>
> Just my £0.02
>
> Steven.
>
> On 17/03/17 07:49, Minhaz A V wrote:
> > Yes, the current password can be used as an anti-CSRF token. Actually, if
> > the old password is needed for changing the password there is no need for
> > anti-CSRF logic there, as it's much like login and cookies don't play much
> > of a role except for the username. However, if you were to use an anti-CSRF
> > method everywhere (let's say on POST requests) you'd go for a homogeneous
> > method.
> >
> > ----------------------------------------------------------------------------
> > Kind Regards,
> > Minhaz
> > minhazav.xyz <http://minhazav.xyz> | Blog <http://blog.minhazav.xyz>
> > |Projects <http://github.com/mebjas> | LinkedIn
> > <https://in.linkedin.com/in/minhazav>
> >
> > On Fri, Mar 17, 2017 at 7:15 AM, Ralph Durkee <rd at rd1.net> wrote:
> >
> >     I agree that requiring the current password is sufficient for
> >     anti-CSRF. If the attacker could provide the current password, then
> >     there would be no need for the attack.  Was there logic provided as
> >     to why the current password would not be sufficient?
> >
> >     -- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH
> >     Principal Security Consultant
> >
> >
> >     On 03/16/2017 09:24 PM, Carlos Sagrero wrote:
> >>     Hello, a few hours ago I had a discussion with several of my
> >>     co-workers (all of them are Application Security consultants) about
> >>     whether, in a password change function, it is valid to consider the
> >>     current password as an anti-CSRF control.
> >>
> >>     There was an interesting point that became the main discussion point:
> >>     in the end, the current password is not a control to avoid CSRF.
> >>
> >>     What do you think about it? Is it required to have a specific
> >>     control for CSRF?
> >>
> >>     Best regards.
> >>
> >>     --
> >>
> >>     *Carlos Isaac Sagrero Campos*
> >>
> >>     *OWASP Mexico City*
> >>
> >>     _______________________________________________
> >>     OWASP-Leaders mailing list
> >>     OWASP-Leaders at lists.owasp.org
> >>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
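A password-change handler combining the three controls the thread argues over (a per-session anti-CSRF token checked before anything else, verification of the current password, and a per-account throttle on failed current-password checks), as an added Python example that is not code from any message in the thread. The in-memory account and session stores, the budget of 5 failed checks and the 300-second window are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5   # assumed per-account budget of failed current-password checks
WINDOW_SECONDS = 300      # assumed throttling window (seconds)

def _hash_password(password, salt):
    # Store a PBKDF2 verifier rather than the password; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordChangeService:
    def __init__(self):
        self.accounts = {}   # username -> (salt, verifier)
        self.sessions = {}   # session id -> (username, anti-CSRF token)
        self.failures = {}   # username -> timestamps of failed current-password checks

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = (salt, _hash_password(password, salt))

    def login(self, username):
        # Synchronizer token minted per session; a cross-site page never gets to read it.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, secrets.token_urlsafe(32))
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid][1]

    def change_password(self, sid, csrf_token, current, new, now):
        # `now` is the request time in seconds (time.time() in production; injected here for tests).
        username, expected_token = self.sessions[sid]
        # Layer 1: reject forged requests before any password guess is evaluated.
        if not hmac.compare_digest(csrf_token.encode(), expected_token.encode()):
            return "csrf_rejected"
        # Layer 3: once the budget of failed checks inside the window is spent, stop early.
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            return "throttled"
        # Layer 2: the supplied current password must verify against the stored hash.
        salt, verifier = self.accounts[username]
        if not hmac.compare_digest(_hash_password(current, salt), verifier):
            recent.append(now)
            return "wrong_password"
        new_salt = secrets.token_bytes(16)
        self.accounts[username] = (new_salt, _hash_password(new, new_salt))
        self.failures[username] = []
        return "changed"
```

Because the token check runs first, a cross-site page that does not hold the token never gets a current-password guess evaluated at all; the throttle is the backstop Minhaz describes for guesses that do carry a valid token.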