Comments on: Protection against CSRF http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/ A tool for designers dealing with programmers dealing with designers... Tue, 30 Sep 2008 23:34:02 +0000 http://wordpress.org/?v=2.6.2 By: dblackshell http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-1243 dblackshell Mon, 02 Jun 2008 15:50:20 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-1243 @Shahar Evron the token could be retrieved via dynamic script tags... a way to prevent that is by requesting a new token via AJAX when the page is loaded... on a normal form retrieval the hidden field should be blank. @Shahar Evron

the token could be retrieved via dynamic script tags… a way to prevent that is by requesting a new token via AJAX when the page is loaded… on a normal form retrieval the hidden field should be blank.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-547 Gareth Heyes Fri, 07 Sep 2007 10:05:04 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-547 It's hard for me to provide you advice without knowing the details of your system but I'll have a go... I would say enforce a password which would solve any CSRF problem. So for example if you are accept a site request on your OpenID provider site do not allow a user to save the password. Make them enter the password on each request. The only way an attacker could exploit this is to either send the valid password or ride the user's session. Let me know if that helps or please provide me with a brief description on how your site works and I'll let you know the possible attack vectors and prevention. It’s hard for me to provide you advice without knowing the details of your system but I’ll have a go…

I would say enforce a password which would solve any CSRF problem. So for example if you are accept a site request on your OpenID provider site do not allow a user to save the password. Make them enter the password on each request. The only way an attacker could exploit this is to either send the valid password or ride the user’s session.

Let me know if that helps or please provide me with a brief description on how your site works and I’ll let you know the possible attack vectors and prevention.

]]> By: Joseph Wilk http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-546 Joseph Wilk Fri, 07 Sep 2007 09:51:36 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-546 Is it possible to protect against CSRF without relying on server state? Generally I have to try and avoid using state as much as possible to try and maintain a strict REST model. Is it possible to protect against CSRF without relying on server state?

Generally I have to try and avoid using state as much as possible to try and maintain a strict REST model.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-428 Gareth Heyes Tue, 21 Aug 2007 20:26:06 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-428 Here's a POC I did for MyOpenID which they've now fixed. They used a form token but I got round it :) http://www.thespanner.co.uk/wp-content/uploads/2007/06/openid.zip Description about it here:- http://www.thespanner.co.uk/2007/06/29/openid-security-issues/ This attack is quite difficult to protect against as it uses a new window to perform the attack. If you follow the advice in the post, you will be a much more difficult target. Here’s a POC I did for MyOpenID which they’ve now fixed. They used a form token but I got round it :)

http://www.thespanner.co.uk/wp-content/uploads/2007/06/openid.zip

Description about it here:-
http://www.thespanner.co.uk/2007/06/29/openid-security-issues/

This attack is quite difficult to protect against as it uses a new window to perform the attack. If you follow the advice in the post, you will be a much more difficult target.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-427 Gareth Heyes Tue, 21 Aug 2007 20:21:03 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-427 Yeah session fixation. You assign the user a session which you already know the answer to. That's why I've included expiry dates on the tokens. Yeah session fixation.

You assign the user a session which you already know the answer to. That’s why I’ve included expiry dates on the tokens.

]]> By: Bipin 3~ Upadhyay http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-426 Bipin 3~ Upadhyay Tue, 21 Aug 2007 20:17:07 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-426 <i>I find the whole security=restricted thing very interesting...</i> Same here. There's one more thing that I'd like to ask. Considering that the src inside the restricted frame is executed as "a site in IE's 'restriced zone'", which means that javascript is disabled (unless it breaks out of the window, of course), can you think some attack other than Phishing the end user. I hope I was clear enough. We might continue the discussion here: http://sla.ckers.org/forum/read.php?2,13324 I find the whole security=restricted thing very interesting…
Same here.
There’s one more thing that I’d like to ask. Considering that the src inside the restricted frame is executed as “a site in IE’s ‘restriced zone’”, which means that javascript is disabled (unless it breaks out of the window, of course), can you think some attack other than Phishing the end user.

I hope I was clear enough. We might continue the discussion here: http://sla.ckers.org/forum/read.php?2,13324

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-425 Gareth Heyes Tue, 21 Aug 2007 15:49:26 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-425 In fact if anyone wishes to expand my javascript/php generation class let me know and I'll include the update on my blog with credits. I find the whole security=restricted thing very interesting because the feature is also a security hole and to protect it you create a catch 22 situation :) e.g. You need javascript to execute the token, you need to stop javascript to prevent the frame breaker :D In fact if anyone wishes to expand my javascript/php generation class let me know and I’ll include the update on my blog with credits.

I find the whole security=restricted thing very interesting because the feature is also a security hole and to protect it you create a catch 22 situation :) e.g. You need javascript to execute the token, you need to stop javascript to prevent the frame breaker :D

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-424 Gareth Heyes Tue, 21 Aug 2007 15:45:35 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-424 Cookies could be used here. You could execute javascript and then assign the cookie that would work and that's how my comment spam plugin works. But I wanted a method without cookies, I like a challenge ;) My other post deals with the javascript/php creation and includes source code if you want to take a look:- http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/ obfuscating js :) The code could be easily be expanded upon to include other generation methods if needed. Cookies could be used here. You could execute javascript and then assign the cookie that would work and that’s how my comment spam plugin works. But I wanted a method without cookies, I like a challenge ;)

My other post deals with the javascript/php creation and includes source code if you want to take a look:-
http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/

obfuscating js :)

The code could be easily be expanded upon to include other generation methods if needed.

]]> By: Bipin 3~ Upadhyay http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-423 Bipin 3~ Upadhyay Tue, 21 Aug 2007 15:35:27 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-423 <i>Let me know if you can break it :)</i> hehe... Just curious, how are you generating the javascript code to create nonce? One more thing. Pdp had suggested using cookie value as the nonce in his essay. Even if we are paranoid about not allowing cookie value to be cached in the browser (and other similar issues), wouldn't a simple mutated form of cookie value be an equally good nonce? p.s.:At first look, I thought you are obfuscating some JS code :P Let me know if you can break it :)
hehe…

Just curious, how are you generating the javascript code to create nonce?

One more thing. Pdp had suggested using cookie value as the nonce in his essay. Even if we are paranoid about not allowing cookie value to be cached in the browser (and other similar issues), wouldn’t a simple mutated form of cookie value be an equally good nonce?

p.s.:At first look, I thought you are obfuscating some JS code :P

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-422 Gareth Heyes Tue, 21 Aug 2007 13:28:56 +0000 http://www.thespanner.co.uk/2007/08/20/protection-against-csrf/#comment-422 Here's the iframe one:- http://www.businessinfo.co.uk/labs/csrf_defend/iframe_protection.php Let me know if you can break it :) Here’s the iframe one:-
http://www.businessinfo.co.uk/labs/csrf_defend/iframe_protection.php

Let me know if you can break it :)

]]>