[OWASP-wiki-editors] Page correction requested but authors/primary editors are unreachable

Jim Manico jim.manico at owasp.org
Sat Apr 30 04:08:02 UTC 2016


Walter,

This is on me, but I'm busy moving into a new home. Just give me a little
more time and I'll respond in detail.

Aloha, Jim

On 4/29/16 1:53 PM, Walter Dolce wrote:
>
> Hi all, does anyone have any update on this?
>
> Many thanks,
> Walter
>
> Thank you, Jim
> I will continue on this thread unless you guys want otherwise.
>
> Pasting the original message below for brevity.
>
> ======= ORIGINAL MESSAGE =======
> Hi all,
>
> After trying to implement CSRF prevention components following the
> encrypted token pattern and giving it some thought, I came to the
> conclusion that this pattern does not protect you from replay attacks.
>
> The page says
> <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Encrypted_Token_Pattern>:
> ===
>
> Validation
>
> On successful Token-decryption, the server has access to parsed
> values, ideally in the form of claims
> <http://en.wikipedia.org/wiki/Claims-based_identity>. These claims are
> processed by comparing the UserId claim to any potentially stored
> UserId (in a Cookie or Session variable, if the site already contains
> a means of authentication). The Timestamp is validated against the
> current time, preventing replay attacks. Alternatively, in the case of
> a CSRF attack, the server will be unable to decrypt the poisoned
> Token, and can block and log the attack.
>
> ===
>
> The focus here is on "the timestamp is validated at the current time".
>
> Imagine a scenario where a token with some time-based value embedded
> is generated and then output in a hidden input field. The moment
> the token is generated, it is already expired. If you think about a
> user who's filling in a form, that would take her a few seconds. Once
> the user submits the form, she would then be blocked because time has
> passed (>1 sec) since the token was generated. This makes form
> submissions almost impossible.
>
> In a scenario where a "time threshold" is used instead (say 10 seconds
> max until the token is considered expired), the user experience
> would, /to some extent/, benefit from the issue highlighted above. But
> here we open ourselves to replay attacks, because every request
> sent within the time threshold would be considered valid. If someone
> tricks you into navigating to a fake page which under the hood sends, e.g., a
> payment POST request or things like that, those requests would be
> considered valid and would pass...
>
> Does this all make sense to you, or am I missing something?
> What do you think?
>
> If the answers are "yes, and no", then I think the page should be
> updated accordingly as it creates false expectations.
>
> ======= END OF ORIGINAL MESSAGE =======
>
>
> Please let me know what you all think.
>
> Many thanks,
> Walter
>
> On 24 April 2016 at 09:03, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Walter,
>
>     Yes! Let's talk about fixing this cheat sheet!
>
>     Can you either submit comments here or perhaps send them to the
>     cheatsheet email list?
>
>     https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets
>
>     I look forward to reading your feedback!
>
>     Aloha, Jim
>
>
>
>     On 4/22/16 3:15 AM, Walter Dolce wrote:
>>     Hi all,
>>
>>     I sent an email to the authors/primary editors a few days ago as I
>>     believe the Cross Site Request Forgery Prevention Cheat Sheet
>>     page
>>     <https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet> needs
>>     correction, but the email was sent back because of the subjects'
>>     unreachability.
>>
>>     Is there anyone here I could discuss the changes with?
>>
>>     Many thanks,
>>     Walter
>>
>>     -- 
>>
>>     walter dolce | senior full stack software engineer 
>>     Zend Certified Engineer PHP5
>>     <http://www.zend.com/en/yellow-pages/ZEND026539> // Magento
>>     Certified Developer Plus
>>     <http://www.magentocommerce.com/certification/directory/dev/975608/>
>>
>>     twitter @walterdolce <https://twitter.com/WalterDolce>
>>     skype walter.dolce
>>
>>
>>
>>     _______________________________________________
>>     OWASP-wiki-editors mailing list
>>     OWASP-wiki-editors at lists.owasp.org
>>     <mailto:OWASP-wiki-editors at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
>
>
>
>
> -- 
>
> walter dolce | senior full stack software engineer 
> Zend Certified Engineer PHP5
> <http://www.zend.com/en/yellow-pages/ZEND026539> // Magento Certified
> Developer Plus
> <http://www.magentocommerce.com/certification/directory/dev/975608/>
>
> twitter @walterdolce <https://twitter.com/WalterDolce>
> skype walter.dolce
> tel +44 (or 0) 7873 527127
>

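The validation flow quoted from the cheat sheet above, together with the replay window Walter describes, as an added Go example (not code from the cheat sheet or from anyone on this thread): with timestamp-window checking alone, a token replayed inside the threshold is accepted; the `singleUse` path, which remembers each accepted token's nonce, is an assumed hardening that the cheat sheet text does not describe. The type names, JSON claim names and AES-GCM as the "Token-encryption" are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

type Claims struct { // claims carried inside the token (constructed field names)
	UserID string `json:"uid"`
	Issued int64  `json:"iat"` // Unix seconds at issue time
}

// TokenService: AES-GCM key, accepted token age (the thread's "time threshold") and
// the nonces already accepted (single-use store; an assumption, not on the cheat sheet).
type TokenService struct {
	aead   cipher.AEAD
	maxAge time.Duration
	seen   map[string]bool
}

func NewTokenService(key []byte, maxAge time.Duration) (*TokenService, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &TokenService{aead: aead, maxAge: maxAge, seen: map[string]bool{}}, nil
}

// Issue returns nonce || ciphertext || tag; the random nonce doubles as the token id.
func (s *TokenService) Issue(userID string, now time.Time) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	pt, _ := json.Marshal(Claims{UserID: userID, Issued: now.Unix()})
	return s.aead.Seal(nonce, nonce, pt, nil), nil
}

// Validate applies the cheat sheet's checks (decrypt, UserId claim, timestamp window);
// with singleUse set it additionally rejects a nonce that was already accepted.
func (s *TokenService) Validate(tok []byte, sessionUser string, now time.Time, singleUse bool) error {
	ns := s.aead.NonceSize()
	if len(tok) < ns { return errors.New("token too short") }
	pt, err := s.aead.Open(nil, tok[:ns], tok[ns:], nil)
	if err != nil { return errors.New("token does not decrypt: block and log as CSRF") }
	var c Claims
	if err := json.Unmarshal(pt, &c); err != nil { return err }
	if c.UserID != sessionUser { return errors.New("UserId claim does not match session") }
	if age := now.Sub(time.Unix(c.Issued, 0)); age < 0 || age > s.maxAge { return errors.New("timestamp outside accepted window") }
	if singleUse && s.seen[string(tok[:ns])] { return errors.New("token already used: replay") }
	s.seen[string(tok[:ns])] = true // remembered so a later single-use check can detect a replay
	return nil
}
```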
