[Owasp-leaders] CSRF Password Change Function

Steven van der Baan steven.van.der.baan at owasp.org
Fri Mar 17 09:33:51 UTC 2017


True.

I still do not see that using the current password is a sufficient
mitigating factor against automation, which is exploited through CSRF.

And regarding throttling, personally prefer to have a logarithmic time
increase between attempts. This still allows a user to type a couple of
false password before the timeouts get too ridiculous.

On 17/03/17 09:26, Minhaz A V wrote:
> @Steven: that can be done to login page as well. We need other
> mitigation for that.
> We'd need to throttle attempts to reset password per unit time, making
> brute force not very feasible.
> 
> ----------------------------------------------------------------------------
> Kind Regards,
> Minhaz 
> minhazav.xyz <http://minhazav.xyz> | Blog <http://blog.minhazav.xyz>
> |Projects <http://github.com/mebjas> | LinkedIn
> <https://in.linkedin.com/in/minhazav>
> 
> On Fri, Mar 17, 2017 at 2:53 PM, Steven van der Baan
> <steven.van.der.baan at owasp.org <mailto:steven.van.der.baan at owasp.org>>
> wrote:
> 
>     Hi all,
> 
>     I disagree that you can use the current password as anti CSRF token.
>     And here is why
>     I see the anti CSRF token as assurance that it's really the user
>     interacting with the application and not some script. An attacker can
>     easily  go through the whole rockyou dictionary and uses all entries as
>     current password to reset it to a known value. There will always be
>     users that fall victim to this as they use insecure passwords.
> 
>     Just my £0.02
> 
>     Steven.
> 
>     On 17/03/17 07:49, Minhaz A V wrote:
>     > Yes, current password can be used as anti CSRF Token, actually if there
>     > old password is needed for changing password there is no need for anti
>     > CSRF logic there, as it's much like login and cookies doesn't play much
>     > role except for username. However if you were to use anti CSRF method
>     > everywhere (let's say on POST request) you'd go for homogeneous method.
>     >
>     > ----------------------------------------------------------------------------
>     > Kind Regards,
>     > Minhaz
>     > minhazav.xyz <http://minhazav.xyz> <http://minhazav.xyz> | Blog
>     <http://blog.minhazav.xyz>
>     > |Projects <http://github.com/mebjas> | LinkedIn
>     > <https://in.linkedin.com/in/minhazav
>     <https://in.linkedin.com/in/minhazav>>
>     >
>     > On Fri, Mar 17, 2017 at 7:15 AM, Ralph Durkee <rd at rd1.net <mailto:rd at rd1.net>
>     > <mailto:rd at rd1.net <mailto:rd at rd1.net>>> wrote:
>     >
>     >     I agree that requiring the current password is sufficient for
>     >     anti-CSRF. If the attacker could provide the current password, then
>     >     there would be no need for the attack.  Was there logic provided as
>     >     to why the current password would not be sufficient?
>     >
>     >     -- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH
>     >     Principal Security Consultant
>     >
>     >
>     >     On 03/16/2017 09:24 PM, Carlos Sagrero wrote:
>     >>     Hello, a few hours ago I had a discussion with several of my
>     >>     co-workers (all of them are Application Security consultant) about
>     >>     whether in a password change function is valid to consider the
>     >>     current password as a anti-CSRF control.
>     >>
>     >>     There is an interesting point that was the main discussion point,
>     >>     at the end the current password is not a control to avoid CSRF.
>     >>
>     >>     What do you think about it? It is required to have a specific
>     >>     control to CSRF?
>     >>
>     >>     Best regards.
>     >>
>     >>     --
>     >>
>     >>     *Carlos Isaac Sagrero Campos*
>     >>
>     >>     *OWASP Mexico City*
>     >>
>     >>     Inline image 1
>     >>
>     >>
>     >>   
>      <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail
>     <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>>
>     >>      Libre de virus. www.avast.com <http://www.avast.com>
>     >>   
>      <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail
>     <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>>
>     >>
>     >>
>     >>
>     >>
>     >>     _______________________________________________
>     >>     OWASP-Leaders mailing list
>     >>     OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>
>     <mailto:OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>>
>     >>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>     >>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders>>
>     >
>     >
>     >     _______________________________________________
>     >     OWASP-Leaders mailing list
>     >     OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>
>     <mailto:OWASP-Leaders at lists.owasp.org
>     <mailto:OWASP-Leaders at lists.owasp.org>>
>     >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>     >     <https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders>>
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > OWASP-Leaders mailing list
>     > OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>     >
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>     <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
> 
> 


More information about the OWASP-Leaders mailing list