[OWASP-wiki-editors] Page correction requested but authors/primary editors are unreachable

Walter Dolce walterdolce at gmail.com
Sun Apr 24 11:37:36 UTC 2016


Thank you, Jim
I will continue on this thread unless you guys want me otherwise.

Pasting the original message below for brevity.

======= ORIGINAL MESSAGE =======
Hi all,

After trying to implement CSRF prevention components following the
encrypted token pattern and giving it some thought, I came to the
conclusion that this pattern does not protect you from replay attacks.

The page says
<https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Encrypted_Token_Pattern>
:
===
Validation

On successful Token-decryption, the server has access to parsed values,
ideally in the form of claims
<http://en.wikipedia.org/wiki/Claims-based_identity>. These claims are
processed by comparing the UserId claim to any potentially stored UserId
(in a Cookie or Session variable, if the site already contains a means of
authentication). The Timestamp is validated against the current time,
preventing replay attacks. Alternatively, in the case of a CSRF attack, the
server will be unable to decrypt the poisoned Token, and can block and log
the attack.
===

The focus here is on "the timestamp is validated at the current time".

Imagine a scenario where a token with some time-based value embedded is
generated and then it's output in a hidden input field. The moment the
token is generated, it is already expired. If you think about a user who's
filling up a form, that would take her a few seconds. Once the user would
submit the form, she would then be blocked because time passed (>1sec)
since the token was generated. This makes form submissions almost
impossible.

In a scenario where a "time threshold" is used instead (say 10 seconds max
until the token is considered as expired), the user experience would, *to
some extent*, benefit from the issue highlighted above. But here we open
ourselves to replay attacks, because every request sent within the time
threshold would be considered valid. If someone tricks you into navigating
to a fake page which under the hood sends, e.g., a payment POST request or
things like that, those requests would be considered valid and would pass...

Does this all make sense to you, or am I missing something?
What do you think?

If the answers are "yes, and no", then I think the page should be updated
accordingly as it creates false expectations.

======= END OF ORIGINAL MESSAGE =======


Please let me know what you all think.

Many thanks,
Walter

On 24 April 2016 at 09:03, Jim Manico <jim.manico at owasp.org> wrote:

> Walter,
>
> Yes! Let's talk about fixing this cheat-sheet!
>
> Can you either submit comments here or perhaps send them to the cheatsheet
> email list?
>
> https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets
>
> I look forward to reading your feedback!
>
> Aloha, Jim
>
>
>
> On 4/22/16 3:15 AM, Walter Dolce wrote:
>
> Hi all,
>
> I sent an email to the authors/primary editors a few days ago as I believe
> the Cross Site Request Forgery Prevention Cheat Sheet page
> <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet> needs
> correction but the email was sent back because of the subjects'
> unreachability.
>
> Is there anyone here I could discuss the changes with?
>
> Many thanks,
> Walter
>
> --
>
> walter dolce | senior full stack software engineer
> Zend Certified Engineer PHP5
> <http://www.zend.com/en/yellow-pages/ZEND026539> // Magento Certified
> Developer Plus
> <http://www.magentocommerce.com/certification/directory/dev/975608/>
>
> twitter @walterdolce <https://twitter.com/WalterDolce>
> skype walter.dolce
>
>
> _______________________________________________
> OWASP-wiki-editors mailing list
> OWASP-wiki-editors at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
>
>
>


-- 

walter dolce | senior full stack software engineer
Zend Certified Engineer PHP5
<http://www.zend.com/en/yellow-pages/ZEND026539> // Magento Certified
Developer Plus
<http://www.magentocommerce.com/certification/directory/dev/975608/>

twitter @walterdolce <https://twitter.com/WalterDolce>
skype walter.dolce
tel +44 (or 0) 7873 527127
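As an added illustration (not code from the cheat sheet or from anyone on this thread): the Validation step quoted above, with a timestamp acceptance window plus a per-token nonce that the server records once consumed. It assumes an HMAC-signed token standing in for the cheat sheet's encrypted one, so the UserId/Timestamp checks apply unchanged; with `single_use=False` it reproduces the threshold-only behaviour the message describes, where the same token is accepted again inside the window.

```python
import base64, hashlib, hmac, json, os, time

SECRET_KEY = os.urandom(32)  # constructed demo key; load from server config in practice
TOKEN_TTL_SECONDS = 600      # long enough to fill in a form, unlike a 1 second window

def issue_token(user_id, now=None):
    # Claims: UserId, Timestamp and a random Nonce that makes each token unique.
    claims = {"uid": user_id, "ts": int(time.time() if now is None else now),
              "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode()}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(tag)).decode()

def parse_token(token):
    # Returns the claims only if the tag verifies; a forged/poisoned token yields None.
    try:
        body, tag = token.encode().split(b".", 1)
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None

class CsrfValidator:
    # single_use=False is the "time threshold only" check from the message;
    # single_use=True additionally records consumed nonces so a token works once.
    def __init__(self, ttl=TOKEN_TTL_SECONDS, single_use=True):
        self.ttl, self.single_use, self.seen_nonces = ttl, single_use, set()

    def validate(self, token, session_user_id, now=None):
        now = time.time() if now is None else now
        claims = parse_token(token)
        if not isinstance(claims, dict):
            return "invalid"
        if claims.get("uid") != session_user_id:
            return "user-mismatch"           # token belongs to someone else
        if not 0 <= now - claims.get("ts", 0) <= self.ttl:
            return "expired"                 # outside the acceptance window
        if self.single_use:
            if claims.get("nonce") in self.seen_nonces:
                return "replayed"            # same token presented a second time
            self.seen_nonces.add(claims.get("nonce"))
        return "ok"
```

The nonce store must be shared by every server instance that validates tokens (and pruned after `ttl`), otherwise a second instance would still accept the replay.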