[WEB SECURITY] CSRF protection: What are the benefits of using the Synchronizer Token Pattern if your application is not vulnerable to XSS and using HTTPS only?

Arian J. Evans arian.evans at anachronic.com
Sat Apr 23 20:46:35 EDT 2011


On Sat, Apr 23, 2011 at 4:07 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> It can also cause problems for domains that host multiple web
> applications compartmentalized on a host-level, because
> fuzzy-bunnies.example.com can then compromise the XSRF token of
> payments.example.com, even if payments.example.com uses a completely
> separate login cookie and such.

Great example Michal.

Across domain-name compartmentalized apps you have a conceptually similar
problem to the multi-server token collision example I just posted.

Not only could the token be legitimately compromised or re-used, as you
noted, but tokens can also blindly collide in the same scenarios if the
generators are not synchronized (which we have observed in multi-node
environments).

---
Arian Evans
Software Security Sophist
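The cross-host scenario Michal describes, as an added example that is not part of the original thread or of any project it mentions. A toy cookie jar models the browser rule that a cookie set with Domain=example.com by fuzzy-bunnies.example.com is also sent to payments.example.com. Against that jar, an XSRF check that only compares a cookie with a form field (double-submit) accepts a request whose token the sibling host planted, while a synchronizer token kept server-side and bound to the session cookie does not. The hostnames come from the thread; the cookie names, the "server reads the first cookie of a given name" rule, the attacker planting the cookie before the victim logs in, and the two small app classes are assumptions made for illustration.

```python
# Added example (not from the original thread). Hypothetical hosts, cookie
# names and app logic; the point is cookie scoping versus a server-side token.
import hmac
import secrets

PAYMENTS = "payments.example.com"
PARENT = "example.com"          # fuzzy-bunnies.example.com can set cookies here


class CookieJar:
    """Toy browser cookie store. A cookie whose Domain attribute is a parent
    domain is attached to requests to every host under it."""

    def __init__(self):
        self._cookies = []  # (name, value, domain) in creation order

    def set_cookie(self, name, value, domain):
        self._cookies = [c for c in self._cookies if (c[0], c[2]) != (name, domain)]
        self._cookies.append((name, value, domain))

    def cookies_for(self, host):
        """Cookies the browser would send to `host`, in creation order
        (RFC 6265 section 5.4 orders equal-path cookies by creation time)."""
        return [(n, v) for n, v, d in self._cookies
                if host == d or host.endswith("." + d)]


def first_cookie(cookies, name):
    # Assumption: like many servers, take the first cookie carrying `name`.
    for n, v in cookies:
        if n == name:
            return v
    return None


class DoubleSubmitApp:
    """XSRF token lives only in a cookie; the form must echo the same value.
    Nothing ties the cookie to who set it."""
    COOKIE = "xsrf"

    def login(self, jar):
        jar.set_cookie("session", secrets.token_urlsafe(16), PAYMENTS)
        jar.set_cookie(self.COOKIE, secrets.token_urlsafe(16), PAYMENTS)

    def is_valid(self, cookies, form_token):
        cookie_token = first_cookie(cookies, self.COOKIE)
        return cookie_token is not None and hmac.compare_digest(cookie_token, form_token)


class SynchronizerApp:
    """Synchronizer Token Pattern: the token is stored server-side under the
    session id, so a cookie planted by a sibling host cannot supply it."""

    def __init__(self):
        self._tokens = {}  # session id -> token

    def login(self, jar):
        sid = secrets.token_urlsafe(16)
        jar.set_cookie("session", sid, PAYMENTS)
        self._tokens[sid] = secrets.token_urlsafe(16)

    def token_for(self, cookies):
        """Value the app embeds in its own forms for this session."""
        return self._tokens.get(first_cookie(cookies, "session"))

    def is_valid(self, cookies, form_token):
        expected = self.token_for(cookies)
        return expected is not None and hmac.compare_digest(expected, form_token)


def forged_request(app):
    """fuzzy-bunnies.example.com plants a parent-domain 'xsrf' cookie before
    the victim logs in to payments, then forges a POST echoing that value.
    Returns True if payments accepts the forged POST."""
    jar = CookieJar()
    planted = "attacker-chosen-token"
    jar.set_cookie("xsrf", planted, PARENT)
    app.login(jar)
    return app.is_valid(jar.cookies_for(PAYMENTS), planted)


def legitimate_request(app):
    """The victim's own form submission, which must still be accepted."""
    jar = CookieJar()
    app.login(jar)
    cookies = jar.cookies_for(PAYMENTS)
    if isinstance(app, SynchronizerApp):
        token = app.token_for(cookies)
    else:
        token = first_cookie(cookies, DoubleSubmitApp.COOKIE)
    return app.is_valid(cookies, token)


if __name__ == "__main__":
    print("double-submit accepts forged POST:", forged_request(DoubleSubmitApp()))
    print("synchronizer accepts forged POST: ", forged_request(SynchronizerApp()))
```

Run it to see the double-submit check accept the forged request and the synchronizer check reject it. The synchronizer variant is only as strong as the session cookie it is keyed on, which is why Michal's scenario assumes the sibling host cannot also forge or fix that session; the per-node collision Arian mentions is a separate concern about how the server-side tokens are generated, which this example sidesteps by drawing them from the OS CSPRNG via `secrets`.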