[WEB SECURITY] CSRF protection: What are the benefits of using the Synchronizer Token Pattern if your application is not vulnerable to XSS and using HTTPS only?
Arian J. Evans
arian.evans at anachronic.com
Sat Apr 23 20:46:35 EDT 2011
On Sat, Apr 23, 2011 at 4:07 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> It can also cause problems for domains that host multiple web
> applications compartmentalized on a host-level, because
> fuzzy-bunnies.example.com can then compromise the XSRF token of
> payments.example.com, even if payments.example.com uses a completely
> separate login cookie and such.
Great example Michal.
Across domain-name compartmentalized apps you have a conceptually similar
problem to the multi-server token collision example I just posted.
Not only could the token be legitimately compromised or re-used as you
noted, but they can blindly collide in the same scenarios if the generators
are not synchronized (which we have observed in multi-node environments).
Software Security Sophist
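The two failure modes raised in this thread, a token that one host on a shared parent domain can reuse against a sibling host, and tokens that collide because independent nodes draw them from unsynchronized generators, can both be made concrete in a few lines. The following is an added illustration written for this archive page, not code from either poster: it keeps the synchronizer token server-side, keyed by (host, session) so that a token issued for fuzzy-bunnies.example.com is never accepted by payments.example.com, and contrasts a seeded PRNG (standing in for nodes that derive their seed from a coarse clock) with the CSPRNG-backed `secrets` module. The hostnames come from the thread; the session ids and the seed value are constructed.

```python
import hmac
import random
import secrets

# In-memory stand-in for a server-side session store (constructed for this example).
# The key is (host, session_id): each application keeps its own token, so there is
# no parent-domain cookie that a sibling host could read or overwrite.
SessionStore = dict


def issue_token(sessions: SessionStore, host: str, session_id: str) -> str:
    """Create a synchronizer token for this host/session and store it server-side."""
    token = secrets.token_urlsafe(32)          # CSPRNG, 256 bits of entropy
    sessions.setdefault((host, session_id), {})["csrf"] = token
    return token


def verify_token(sessions: SessionStore, host: str, session_id: str, presented) -> bool:
    """Accept a request only if the presented token matches the one stored for
    exactly this host and session. A token minted for another host on the same
    parent domain is a plain mismatch here, regardless of cookie scoping."""
    stored = sessions.get((host, session_id), {}).get("csrf")
    if stored is None or not isinstance(presented, str):
        return False
    # Constant-time comparison so verification does not leak token bytes.
    return hmac.compare_digest(stored, presented)


def weak_node_tokens(seed: int, count: int) -> list:
    """Tokens from a node whose generator was seeded from a low-entropy value,
    e.g. a boot timestamp with one-second granularity. Two nodes booted in the
    same second get the same seed and therefore the same token stream."""
    rng = random.Random(seed)                  # NOT suitable for security tokens
    return [f"{rng.getrandbits(128):032x}" for _ in range(count)]


def strong_node_tokens(count: int) -> list:
    """Tokens from a node using the OS CSPRNG; no shared seed, no shared stream."""
    return [secrets.token_hex(16) for _ in range(count)]


def collision_count(tokens_a: list, tokens_b: list) -> int:
    """Number of tokens that appear in both nodes' output."""
    return len(set(tokens_a) & set(tokens_b))


if __name__ == "__main__":
    sessions: SessionStore = {}
    bunnies = "fuzzy-bunnies.example.com"
    payments = "payments.example.com"

    t = issue_token(sessions, bunnies, "session-A")          # constructed session id
    print("valid on issuing host:", verify_token(sessions, bunnies, "session-A", t))
    print("valid on sibling host:", verify_token(sessions, payments, "session-A", t))

    # Two "nodes" that happened to seed from the same coarse clock value (constructed seed).
    node1 = weak_node_tokens(1303588095, 5)
    node2 = weak_node_tokens(1303588095, 5)
    print("weak-generator collisions:", collision_count(node1, node2))
    print("CSPRNG collisions:", collision_count(strong_node_tokens(5), strong_node_tokens(5)))
```

The host-keyed store is the point of the first half: because the token never lives in a cookie scoped to example.com, compartmentalization holds even when the two applications share a parent domain. The second half shows why "synchronized generators" matters in a cluster: a token is only as unpredictable as the generator behind it, and a seeded PRNG shared across nodes produces identical, and therefore colliding and guessable, tokens.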