[nycphp-talk] prevention of csrf attack
Chris Shiflett
shiflett at php.net
Mon Dec 22 01:01:42 EST 2003
--- felix zaslavskiy <felix at students.poly.edu> wrote:
> I recently read Chris Shiflett's article on CSRF attacks in php|architect
> and it got me thinking about prevention techniques.
Great. :-)
> Chris referred to a shared secret with a token that is stored in a
> hidden field. I don't quite consider it to be a shared secret, but in any
> case there is an easy way to get around it.
>
> -Attacker would first request a form on his own and receive a token.
> -Then the attacker will trick a user into using his form with the token that
> he retrieved himself earlier.
> -Attacker can retrieve a valid token right before presenting the fake form
> to the user, so a timeout on the token won't prevent much.
This is a weakness that I purposely include in my talks, but I don't think
the article had such a weakness. I only include it in the talk to help
drive home the fact that every implementation can be strengthened, and it
gives me a question to ask to see whether anyone is paying attention. :-)
At any rate, this particular weakness is easily resolved by making the
token only shared between the server and the legitimate user (rather than
just keeping a pool of valid tokens). By storing this value in the user's
session, it requires that the attacker guess that user's specific token.
Hope that helps.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
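The two schemes discussed in this thread side by side, as an added example that is not part of the original post: a shared pool of valid tokens (which any token-holder, including someone who fetched a token for himself, can satisfy) versus a token stored in the requesting user's own session. The example assumes a plain PHP session and uses random_bytes() and hash_equals(), which postdate the 2003 post.

```php
<?php
// Added example, not from the original post. The token pool is an array
// standing in for a database table of issued tokens.

// WEAK: tokens live in a pool shared by all users. Any unexpired token
// validates any request, so a token fetched by one party passes when it
// is submitted from another party's browser.
function weak_issue_token(array &$pool): string {
    $token = bin2hex(random_bytes(16));
    $pool[$token] = time() + 300;           // 5-minute expiry
    return $token;
}

function weak_check_token(array &$pool, string $token): bool {
    return isset($pool[$token]) && $pool[$token] > time();
}

// STRONGER: the token is kept in the requesting user's own session, so it
// is shared only between the server and that user. A token issued in one
// session never matches the token stored in another.
function session_issue_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf_token'];
}

function session_check_token(string $submitted): bool {
    // hash_equals() avoids leaking the token through timing differences
    return isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Demonstration of the bypass Felix describes against the pool scheme.
session_start();
$pool = [];
$fetchedToken = weak_issue_token($pool);              // fetched by one party
var_dump(weak_check_token($pool, $fetchedToken));     // bool(true): accepted from anyone

// Same scenario against the session-bound scheme: two separate sessions
// are simulated by resetting $_SESSION between them.
$_SESSION = [];
$otherSessionToken = session_issue_token();           // issued in session A
$_SESSION = [];
$ownToken = session_issue_token();                    // session B gets its own token
var_dump(session_check_token($otherSessionToken));    // bool(false): rejected
var_dump(session_check_token($ownToken));             // bool(true)
```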