I recently read Chris Shiflett's article on CSRF attacks in php|architect and it got me thinking about prevention techniques.

Chris referred to it as a shared secret, with a token that is stored in a hidden field. I don't quite consider it to be a shared secret, but in any case there is an easy way to get around it.

-The attacker would first request a form on his own and receive a token.
-Then the attacker will trick a user into using his form with the token that he retrieved himself earlier.
-The attacker can retrieve a valid token right before presenting the fake form to the user, so a timeout on the token won't prevent much.

I have been thinking of a better solution. So far I have not come up with a perfect one, but here is the one I have come up with so far.

Every page will have a hidden token sent to it by the server, which can be put in a hidden field. It would be created something like this:
$token = md5(SID . $server_secret . $random_num);
echo "<input type=\"hidden\" ... $token >";
echo "<input type=\"hidden\" ... $random_num >";

The client browser can then use JavaScript to construct an authentication code for each URL.
location.href= url + '?rn='+random_num +'&auc=' + md5(token+url+cookie_sid());

The server can easily verify auc, but one cannot be calculated by anyone other than the server. The attacker can do a replay if he can get the user's URLs from HTTP logs. The attacker cannot, though, do a replay without knowing the SID of the user. So I think CSRF on its own is prevented. If it's combined with XSS or looking at logs then it can't prevent it, but it still makes it more difficult.
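
The server-side check for the rn/auc scheme described above, as an added example that is not part of the original post: the server rebuilds the token from the session ID in the request's own cookie and compares the result with the submitted auc. The secret, session IDs and URL are constructed sample values, and the function names are hypothetical.

```php
<?php
// Assumption: a secret that never leaves the server (constructed value).
const SERVER_SECRET = 'constructed-server-secret';

// Token as defined in the post: md5(SID . $server_secret . $random_num).
// md5 is kept to match the post; hash_hmac('sha256', ...) is the stronger choice.
function make_token(string $sid, string $randomNum): string
{
    return md5($sid . SERVER_SECRET . $randomNum);
}

// What the page's JavaScript computes: md5(token + url + cookie_sid()).
function client_auc(string $token, string $url, string $cookieSid): string
{
    return md5($token . $url . $cookieSid);
}

// Server side: derive everything from the session ID that arrived in the
// request's cookie, never from a token or SID supplied in the query string.
function verify_auc(string $sessionSid, string $url, string $rn, string $auc): bool
{
    $expected = client_auc(make_token($sessionSid, $rn), $url, $sessionSid);
    return hash_equals($expected, $auc); // constant-time comparison
}

// Constructed sample sessions and URL.
$userSid  = 'sid-user-1111';
$otherSid = 'sid-other-2222';
$url      = '/account/delete';

// Case 1: the page was served to the user's own session.
$rn  = (string) random_int(0, PHP_INT_MAX);
$auc = client_auc(make_token($userSid, $rn), $url, $userSid);
$ownSession = verify_auc($userSid, $url, $rn, $auc);

// Case 2: token and auc were produced under a different session, but the
// request arrives carrying the user's session cookie (the case in the list above).
$rn2  = (string) random_int(0, PHP_INT_MAX);
$auc2 = client_auc(make_token($otherSid, $rn2), $url, $otherSid);
$foreignToken = verify_auc($userSid, $url, $rn2, $auc2);

// Case 3: a valid rn/auc pair reused on a different URL.
$otherUrl = verify_auc($userSid, '/account/transfer', $rn, $auc);

foreach (compact('ownSession', 'foreignToken', 'otherUrl') as $case => $ok) {
    echo $case, ': ', var_export($ok, true), PHP_EOL;
}
```

Because the browser-side step calls cookie_sid(), the session cookie has to be readable by script, which means it cannot be flagged HttpOnly under this scheme.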

