[WEB SECURITY] CSRF and Header Forging - your thoughts needed

Ryan Barnett rcbarnett at gmail.com
Fri May 28 18:14:04 EDT 2010


If the app has an XSS flaw then adding in CSRF tokens doesn't help
since, as you said, the attack payload could scrape the token and
submit it in the CSRF forced request.

Where these anti-csrf tokens help is if the csrf payload is off domain
as it wouldn't have access to the token and it isn't automatically
sent by the browser like a SessionID cookie is.


On 5/28/10, Steve Kerns <Steve.Kerns at netspi.com> wrote:
> How is this any different than a session token? If I was to perform a CSRF
> attack, I would just have to collect 2 data points instead of one. The CSRF
> attack would still succeed, would it not?
>
>
>
> Steve Kerns
>
> Security Team Lead
>
> NetSPI
>
> www.netspi.com
>
> 800 Washington Ave N
>
> Suite 670
>
> Minneapolis, MN 55401
>
> Cell: 952-250-2143
>
> Direct: 612-455-6981
>
> Office: 612-465-8880
>
> Fax: 612-677-3407
>
>
>
> From: nilesh kumar [mailto:nileshkumar83 at yahoo.co.in]
> Sent: Friday, May 28, 2010 6:22 AM
> To: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] CSRF and Header Forging - your thoughts needed
>
>
>
> Hi Paul,
>
> I agree with you. Adding random token with every page will add to server
> load also. We also recommend our developers to generate a random no. which
> is a valid for that particular session only. But it depends on criticality
> of application also.
>
>
> Thanks & Regards,
> Nilesh Kumar,
> Engineer-Security Management,
> Honeywell Technology Solutions,India
>
>
> --- On Mon, 17/5/10, Paul Johnston <paul.johnston at pentest.co.uk> wrote:
>
>
> From: Paul Johnston <paul.johnston at pentest.co.uk>
> Subject: Re: [WEB SECURITY] CSRF and Header Forging - your thoughts needed
> To: websecurity at webappsec.org
> Date: Monday, 17 May, 2010, 12:25 AM
>
> Hi,
>
> Is there any need to have a different token on each page? I don't think
> so. I've always recommended that the anti-CSRF token be generated at the
> same time as the session ID, and remain constant throughout the session.
> Sure, changing it may add a little security, but I don't think changing
> is necessary, not at all.
>
> Paul
>
> --
> Pentest - When a tick in the box is not enough
>
> Paul Johnston - IT Security Consultant / Tiger SST
> Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
>
> Office: +44 (0) 161 233 0100
> Mobile: +44 (0) 7817 219 072
>
> Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
> Registered Number: 4217114 England & Wales
> Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
>

-- 
Sent from my mobile device

Ryan C. Barnett
SANS Certified Instructor
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
http://tacticalwebappsec.blogspot.com/
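As an added illustration of the point made above (this is example code written for this archive page, not code from Ryan, Paul or any of the posters), here is a minimal server-side check in Python that follows Paul's recommendation: the anti-CSRF token is generated at the same time as the session ID and stays constant for the session. The in-memory session store, the cookie name `SESSIONID`, the form field `csrf_token` and the request helpers are all assumptions made for the example. It shows why a forged cross-site request fails (the browser attaches the session cookie automatically, but the off-domain page has no way to read the token) and why the same check cannot help once script is running on the origin, since such script submits exactly what a legitimate page submits.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    csrf_token: str  # generated together with the session, constant for its lifetime


# Constructed in-memory session store standing in for the application's real one.
SESSIONS: dict[str, Session] = {}


def create_session() -> Session:
    """Create a session and, at the same time, its anti-CSRF token."""
    sess = Session(
        session_id=secrets.token_urlsafe(32),
        csrf_token=secrets.token_urlsafe(32),
    )
    SESSIONS[sess.session_id] = sess
    return sess


def handle_state_change(cookies: dict, form: dict) -> tuple[int, str]:
    """Server-side check for a state-changing POST.

    `cookies` is what the browser attaches on its own (the session cookie);
    `form` is the body that the submitting page was actually able to build.
    """
    sess = SESSIONS.get(cookies.get("SESSIONID", ""))
    if sess is None:
        return 401, "no valid session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, sess.csrf_token):
        return 403, "missing or wrong anti-CSRF token"
    return 200, "state change accepted"


def same_origin_request(sess: Session) -> tuple[int, str]:
    """A page served by the application: it has both the cookie and the token."""
    return handle_state_change(
        {"SESSIONID": sess.session_id},
        {"amount": "100", "csrf_token": sess.csrf_token},
    )


def cross_site_request(sess: Session) -> tuple[int, str]:
    """An off-domain page: the browser still sends the cookie, but the page
    cannot read the token, so the form arrives without it."""
    return handle_state_change(
        {"SESSIONID": sess.session_id},
        {"amount": "100"},
    )


if __name__ == "__main__":
    s = create_session()
    print("same-origin:", same_origin_request(s))   # accepted
    print("cross-site: ", cross_site_request(s))    # rejected, 403
    # Script running on the origin sees the token, so its request is
    # indistinguishable from same_origin_request(): the token does not
    # address XSS, which is the limitation described in the thread.
```

The token is stored once per session rather than once per page, which is the low-overhead variant discussed in the thread; rotating it per request would only change how `csrf_token` is refreshed, not the comparison in `handle_state_change`.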

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
