[Owasp-leaders] CSRF Password Change Function
Steven van der Baan
steven.van.der.baan at owasp.org
Fri Mar 17 09:33:51 UTC 2017
True.
I still do not see that using the current password is a sufficient
mitigating factor against automation, which is exploited through CSRF.
And regarding throttling, personally prefer to have a logarithmic time
increase between attempts. This still allows a user to type a couple of
false password before the timeouts get too ridiculous.
On 17/03/17 09:26, Minhaz A V wrote:
> @Steven: that can be done to login page as well. We need other
> mitigation for that.
> We'd need to throttle attempts to reset password per unit time, making
> brute force not very feasible.
>
> ----------------------------------------------------------------------------
> Kind Regards,
> Minhaz
> minhazav.xyz <http://minhazav.xyz> | Blog <http://blog.minhazav.xyz>
> |Projects <http://github.com/mebjas> | LinkedIn
> <https://in.linkedin.com/in/minhazav>
>
> On Fri, Mar 17, 2017 at 2:53 PM, Steven van der Baan
> <steven.van.der.baan at owasp.org <mailto:steven.van.der.baan at owasp.org>>
> wrote:
>
> Hi all,
>
> I disagree that you can use the current password as anti CSRF token.
> And here is why
> I see the anti CSRF token as assurance that it's really the user
> interacting with the application and not some script. An attacker can
> easily go through the whole rockyou dictionary and uses all entries as
> current password to reset it to a known value. There will always be
> users that fall victim to this as they use insecure passwords.
>
> Just my £0.02
>
> Steven.
>
> On 17/03/17 07:49, Minhaz A V wrote:
> > Yes, current password can be used as anti CSRF Token, actually if there
> > old password is needed for changing password there is no need for anti
> > CSRF logic there, as it's much like login and cookies doesn't play much
> > role except for username. However if you were to use anti CSRF method
> > everywhere (let's say on POST request) you'd go for homogeneous method.
> >
> > ----------------------------------------------------------------------------
> > Kind Regards,
> > Minhaz
> > minhazav.xyz <http://minhazav.xyz> <http://minhazav.xyz> | Blog
> <http://blog.minhazav.xyz>
> > |Projects <http://github.com/mebjas> | LinkedIn
> > <https://in.linkedin.com/in/minhazav
> <https://in.linkedin.com/in/minhazav>>
> >
> > On Fri, Mar 17, 2017 at 7:15 AM, Ralph Durkee <rd at rd1.net <mailto:rd at rd1.net>
> > <mailto:rd at rd1.net <mailto:rd at rd1.net>>> wrote:
> >
> > I agree that requiring the current password is sufficient for
> > anti-CSRF. If the attacker could provide the current password, then
> > there would be no need for the attack. Was there logic provided as
> > to why the current password would not be sufficient?
> >
> > -- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH
> > Principal Security Consultant
> >
> >
> > On 03/16/2017 09:24 PM, Carlos Sagrero wrote:
> >> Hello, a few hours ago I had a discussion with several of my
> >> co-workers (all of them are Application Security consultant) about
> >> whether in a password change function is valid to consider the
> >> current password as a anti-CSRF control.
> >>
> >> There is an interesting point that was the main discussion point,
> >> at the end the current password is not a control to avoid CSRF.
> >>
> >> What do you think about it? It is required to have a specific
> >> control to CSRF?
> >>
> >> Best regards.
> >>
> >> --
> >>
> >> *Carlos Isaac Sagrero Campos*
> >>
> >> *OWASP Mexico City*
> >>
> >> Inline image 1
> >>
> >>
> >>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>>
> >> Libre de virus. www.avast.com <http://www.avast.com>
> >>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> <mailto:OWASP-Leaders at lists.owasp.org>
> <mailto:OWASP-Leaders at lists.owasp.org
> <mailto:OWASP-Leaders at lists.owasp.org>>
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
> >> <https://lists.owasp.org/mailman/listinfo/owasp-leaders
> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>>
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> <mailto:OWASP-Leaders at lists.owasp.org>
> <mailto:OWASP-Leaders at lists.owasp.org
> <mailto:OWASP-Leaders at lists.owasp.org>>
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
> > <https://lists.owasp.org/mailman/listinfo/owasp-leaders
> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>>
> >
> >
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
> >
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>
>
More information about the OWASP-Leaders
mailing list