[WEB SECURITY] RE: Defeating nonce/token based CSRF protection

Eric Rachner eric at rachner.us
Fri Apr 18 21:04:19 EDT 2008


I hate to keep the debate raging, but --

No, it is *not* possible to do what is described in your original message.
Secret tokens are sufficient to defeat CSRF attacks.

As I noted in my original reply, many other vulnerabilities can ultimately
result in similar consequences: XSS, hostile third-party content, and
browser bugs are all big problems.  So is phishing.  But they are also
separate problems with separate solutions.  I.e., for CSRF we have secret
tokens.  For XSS, we have input validation & output encoding.  For
third-party content, we have, um, prohibiting third-party content. :)

Hope that helps,

- Eric

-----Original Message-----
From: Jeroen van Dongen [mailto:jeroen at jkwadraat.net] 
Sent: Friday, April 18, 2008 11:29 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] RE: Defeating nonce/token based CSRF protection

Thanks all for the answers -

Mike Duncan summarised it nicely I guess:
"...and we are answering: Yes, this is possible but security in depth is
the best defense against this."

Thanks again,
Jeroen

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
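To make Eric's point concrete, here is an added example (not code from Eric, Jeroen, or the list) of a synchronizer-style CSRF check: the token is derived per session from a server-side secret, compared in constant time, and a cross-site form post that carries the victim's cookie but not the token is rejected. The server secret, the dict-shaped request and the session identifiers are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple, List

# Constructed server-side secret; a real deployment loads this from config or a KMS.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the anti-CSRF token as HMAC(secret, session id).
    Binding the token to the session means a token obtained from one session
    is worthless when replayed against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the token a form or header submitted."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_state_change(request: dict) -> Tuple[int, str]:
    """Gate a state-changing POST on the token. The session cookie alone is not
    enough: the browser attaches cookies to cross-site requests automatically."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "no session"
    token = request.get("form", {}).get("csrf_token")
    if not csrf_token_valid(session_id, token):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"


def demo() -> List[int]:
    """Constructed requests: a legitimate post, a cross-site post without the
    token, and a cross-site post carrying a token from a different session."""
    victim = "sess-victim-1234"
    good = {"cookies": {"session": victim},
            "form": {"csrf_token": issue_csrf_token(victim), "amount": "10"}}
    forged = {"cookies": {"session": victim}, "form": {"amount": "10"}}
    other = {"cookies": {"session": victim},
             "form": {"csrf_token": issue_csrf_token("sess-other-9999"), "amount": "10"}}
    return [handle_state_change(r)[0] for r in (good, forged, other)]


if __name__ == "__main__":
    print(demo())  # [200, 403, 403]
```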


