[WEB SECURITY] CSRF protection: What are the benefits of using the Synchronizer Token Pattern if your application is not vulnerable to XSS and using HTTPS only?

Michal Zalewski lcamtuf at coredump.cx
Sat Apr 23 19:07:18 EDT 2011


> I think this (double-cookie submit) is a weak defensive choice since
> it requires a browser's single-origin policy to be perfect, and
> history says otherwise. I feel that a cryptographic nonce, either
> per-session or per-request, is a more robust defense.

If you mean something implemented as:

1) Put something random in a cookie named XSRF_CHECK_COOKIE,

2) Copy over that cookie to a form field named xsrf_check_field,

3) Upon receiving form, check that XSRF_CHECK_COOKIE == xsrf_check_field,

...is completely busted for any application that wants to use HTTPS
and withstand active attackers on public wifi or so. This should be
evident here:

http://lcamtuf.blogspot.com/2010/10/http-cookies-or-how-not-to-design.html

It can also cause problems for domains that host multiple web
applications compartmentalized on a host-level, because
fuzzy-bunnies.example.com can then compromise the XSRF token of
payments.example.com, even if payments.example.com uses a completely
separate login cookie and such.

So, there are some basic uses where this approach can be recommended,
but it's not a good habit in general.

/mz
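The following is an added illustration, not code from the post or the mailing list: it implements the three-step check described above beside a synchronizer-token check (the pattern named in the thread subject), and runs both over a submission whose CSRF cookie was not minted by the application, the situation the post describes. The in-memory session store, the SESSION cookie name and the demo values are constructed for this example; the cookie and field names XSRF_CHECK_COOKIE and xsrf_check_field are the ones from the post.

```python
import hmac
import secrets

# In-memory session store standing in for the real one (constructed for this example):
# session id -> per-session CSRF token known only to the server and the logged-in browser.
SESSION_STORE = {}


def naive_double_submit_ok(cookies, form):
    """Steps 1-3 from the post: accept whenever the CSRF cookie equals the form field.
    Nothing in this check proves the cookie was set by this application."""
    cookie = cookies.get("XSRF_CHECK_COOKIE")
    field = form.get("xsrf_check_field")
    return bool(cookie) and bool(field) and hmac.compare_digest(cookie, field)


def start_session():
    """Create a session and mint its synchronizer token server-side."""
    session_id = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = token
    return session_id, token


def synchronizer_token_ok(cookies, form):
    """Synchronizer token pattern: compare the submitted field with the token stored
    server-side for the session named by the session cookie. No CSRF cookie is consulted,
    so a cookie written by another host on the domain or over plain HTTP has nothing
    to match against."""
    session_id = cookies.get("SESSION")
    field = form.get("xsrf_check_field")
    expected = SESSION_STORE.get(session_id)
    if not expected or not field:
        return False
    return hmac.compare_digest(expected, field)


def demo():
    """Run both checks over a legitimate submission and one with a planted CSRF cookie."""
    session_id, real_token = start_session()

    # Legitimate submission from the logged-in browser.
    good_cookies = {"SESSION": session_id, "XSRF_CHECK_COOKIE": real_token}
    good_form = {"xsrf_check_field": real_token}

    # Submission where the CSRF cookie was set by someone other than the application
    # (the case the post describes). The session cookie is the victim's real one; the
    # CSRF cookie and the form field were chosen by the same outside party, so they match.
    planted = "not-minted-by-the-app"
    bad_cookies = {"SESSION": session_id, "XSRF_CHECK_COOKIE": planted}
    bad_form = {"xsrf_check_field": planted}

    return {
        "naive_accepts_legit": naive_double_submit_ok(good_cookies, good_form),
        "naive_accepts_planted": naive_double_submit_ok(bad_cookies, bad_form),
        "sync_accepts_legit": synchronizer_token_ok(good_cookies, good_form),
        "sync_accepts_planted": synchronizer_token_ok(bad_cookies, bad_form),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive check accepts the planted pair because it only tests that two attacker-controllable values agree with each other; the synchronizer check rejects it because the comparison is against state that only the server and the authenticated session share, which is the property the quoted reply asks for.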