[Owasp-leaders] CSRF Password Change Function

Martin Knobloch martin.knobloch at owasp.org
Fri Mar 17 09:46:03 UTC 2017


All,

I totally agree with Steven! Do not abuse the password for what it is not
meant for!
Why should you (ab-)use the password?

Your CSRF token should be user and session specific!
See the Cheat sheet information on CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Kind regards,
-martin
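
One way to build the user- and session-specific token Martin refers to, added here as an example that is not code from the cheat sheet or from any list member; the in-memory session and user stores, the function names and the sample password are constructed assumptions, and the password hash is a stand-in for the application's own.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for a framework's session and user
# database (assumption for this example; a real app would use its own).
SESSIONS = {}
USERS = {}


def hash_password(password, salt):
    """Slow, salted password hash (PBKDF2), returned as hex for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def create_session(username):
    """Start a session and mint a random anti-CSRF token bound to that session
    (synchronizer token pattern). Returns the session id the cookie would carry."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server renders into the change-password form for this session only."""
    return SESSIONS[sid]["csrf"]


def change_password(sid, submitted_token, current_password, new_password):
    """Handle the change-password POST. The session-bound token is checked first
    and independently of the password, so a cross-site form riding on the
    victim's cookie can neither change the password nor probe guesses at it."""
    session = SESSIONS.get(sid)
    if session is None:
        return "no session"
    # Constant-time comparison against the token minted for this session.
    if not hmac.compare_digest(session["csrf"], submitted_token or ""):
        return "csrf check failed"
    record = USERS[session["user"]]
    if not hmac.compare_digest(record["hash"], hash_password(current_password, record["salt"])):
        return "wrong current password"
    record["salt"] = secrets.token_bytes(16)   # re-salt on change
    record["hash"] = hash_password(new_password, record["salt"])
    return "password changed"
```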


On Fri, Mar 17, 2017 at 10:23 AM, Steven van der Baan <
steven.van.der.baan at owasp.org> wrote:

> Hi all,
>
> I disagree that you can use the current password as anti CSRF token.
> And here is why:
> I see the anti CSRF token as assurance that it's really the user
> interacting with the application and not some script. An attacker can
> easily go through the whole rockyou dictionary and use all entries as
> current password to reset it to a known value. There will always be
> users that fall victim to this as they use insecure passwords.
>
> Just my £0.02
>
> Steven.
>
> On 17/03/17 07:49, Minhaz A V wrote:
> > Yes, the current password can be used as an anti CSRF token. Actually, if the
> > old password is needed for changing the password there is no need for anti
> > CSRF logic there, as it's much like login and cookies don't play much of a
> > role except for the username. However, if you were to use an anti CSRF method
> > everywhere (let's say on POST requests) you'd go for a homogeneous method.
> >
> > ------------------------------------------------------------------------
> > Kind Regards,
> > Minhaz
> > minhazav.xyz <http://minhazav.xyz> | Blog <http://blog.minhazav.xyz>
> > |Projects <http://github.com/mebjas> | LinkedIn
> > <https://in.linkedin.com/in/minhazav>
> >
> > On Fri, Mar 17, 2017 at 7:15 AM, Ralph Durkee <rd at rd1.net
> > <mailto:rd at rd1.net>> wrote:
> >
> >     I agree that requiring the current password is sufficient for
> >     anti-CSRF. If the attacker could provide the current password, then
> >     there would be no need for the attack. Was there logic provided as
> >     to why the current password would not be sufficient?
> >
> >     -- Ralph Durkee, CISSP, GXPN, GPEN, GCIH, GSEC, GSNA, GCIA, C|EH
> >     Principal Security Consultant
> >
> >
> >     On 03/16/2017 09:24 PM, Carlos Sagrero wrote:
> >>     Hello, a few hours ago I had a discussion with several of my
> >>     co-workers (all of them Application Security consultants) about
> >>     whether, in a password change function, it is valid to consider the
> >>     current password an anti-CSRF control.
> >>
> >>     There is an interesting point that was the main discussion point:
> >>     in the end, the current password is not a control to avoid CSRF.
> >>
> >>     What do you think about it? Is it required to have a specific
> >>     control for CSRF?
> >>
> >>     Best regards.
> >>
> >>     --
> >>
> >>     *Carlos Isaac Sagrero Campos*
> >>
> >>     *OWASP Mexico City*
> >>
> >>     _______________________________________________
> >>     OWASP-Leaders mailing list
> >>     OWASP-Leaders at lists.owasp.org
> >>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
>