[nycphp-talk] prevention of csrf attack

felix zaslavskiy felix at students.poly.edu
Mon Dec 22 01:57:02 EST 2003


> 
> At any rate, this particular weakness is easily resolved by making the
> token only shared between the server and the legitimate user (rather than
> just keeping a pool of valid tokens). By storing this value in the user's
> session, it requires that the attacker guess that user's specific token.

That only complicates things a little, because now the attacker has to retrieve the secret token using the session id of the user. So the first fake request has to be to request the form page and grab the token, and then submit a second fake request with the token.

So I come to the conclusion that my method can work if it's made generic and EVERY request in the session needs to have the second token with the session id. This way the attacker would not get a chance to perform the first fake request in order to grab a token at any time. I think I am going to write an implementation of this.
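
The scheme discussed in this thread (a token kept in the user's session and required on every request), as an added example that is not part of the original post or the author's implementation. The function names and the `csrf_token` field are hypothetical, and plain arrays stand in for `$_SESSION` and the request parameters.

```php
<?php
// Added example: per-session token checked on every request.
// csrf_token(), csrf_check() and the 'csrf_token' field name are hypothetical.

function csrf_token(array &$session): string
{
    // One random token per session, created on first use and then reused.
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_check(array $session, array $request): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $request['csrf_token'] ?? '';

    // Fail closed: no token issued yet, field missing, or field not a string
    // (for example csrf_token[]=x arrives as an array).
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($expected, $supplied);
}

// Constructed sample data: one session and four incoming requests.
$session = [];
$token   = csrf_token($session);

$requests = [
    'legitimate form post' => ['action' => 'delete', 'csrf_token' => $token],
    'no token'             => ['action' => 'delete'],
    'guessed token'        => ['action' => 'delete', 'csrf_token' => str_repeat('0', 64)],
    'array instead of str' => ['action' => 'delete', 'csrf_token' => ['x']],
];

foreach ($requests as $label => $request) {
    printf("%-22s %s\n", $label, csrf_check($session, $request) ? 'accepted' : 'rejected');
}

// A second session gets its own token, so a token from one user is useless for another.
$other = [];
csrf_token($other);
printf("%-22s %s\n", 'token from other user', csrf_check($other, $requests['legitimate form post']) ? 'accepted' : 'rejected');
```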


