[WEB SECURITY] Improved double submit csrf prevention

Richard Hauswald richard.hauswald at googlemail.com
Thu Apr 28 09:08:50 EDT 2011


Hello list,
Based on the input I got from many people, I created yet another way to
prevent CSRF. Here are my thoughts:
0. Create a session wide secret key and a session wide salt
1. Create a new secure random long enough to avoid conflicts. This
token will be called Double Submit Token
2. Set this token in a secure, http-only cookie
3. Build an HMAC like this: hmac(doubleSubmitToken + sessionWideSalt,
sessionWideSecretKey) and write this string in a hidden form field or
HTTP Response Header for ajax requests
4. When a POST arrives:
   a) fail if no cookie value is present
   b) fail if hmac(cookieValue + sessionWideSalt,
sessionWideSecretKey) NOT EQUALS (the posted hmac string of the hidden
form field or HTTP Response Header for ajax requests)
5. If a POST or a GET arrives:
   a) Create a new secure random long enough to avoid conflicts. This
token will be called Double Submit Token
   b) Set this token in a secure, http-only cookie
   c) Build an HMAC like this: hmac(doubleSubmitToken +
sessionWideSalt, sessionWideSecretKey) and write this string in a
hidden form field or HTTP Response Header for ajax requests

Based on https://www.owasp.org/index.php/HttpOnly I concluded that
setting the same token in a http only cookie and hidden field may not
protect you in case of XSS since not every Browser protects a HTTP
only cookie from being written.

I also noticed that there are many people out there not trusting
cookies. James Manico states that: "I think one token per session is a
reasonable tradeoff for a framework."
IMHO it might be a good idea to implement both algorithms so one can use
the combined csrf protection of both methods.

What do you think about this?
Regards,
Richard

-- 
Richard Hauswald
Blog: http://tnfstacc.blogspot.com/
LinkedIn: http://www.linkedin.com/in/richardhauswald
Xing: http://www.xing.com/profile/Richard_Hauswald
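The scheme described in the post, as an added worked example that is not the author's code; it assumes HMAC-SHA256 as the hmac function, a 256-bit session key, a 128-bit session salt, and a constructed cookie name DST:

```python
import hashlib
import hmac
import secrets


class CsrfSession:
    """Step 0: per-session secret key and salt (both assumed to be random bytes)."""

    def __init__(self):
        self.secret_key = secrets.token_bytes(32)   # sessionWideSecretKey
        self.salt = secrets.token_bytes(16)         # sessionWideSalt

    def _mac(self, token: str) -> str:
        # hmac(doubleSubmitToken + sessionWideSalt, sessionWideSecretKey); HMAC-SHA256 assumed
        return hmac.new(self.secret_key, token.encode() + self.salt, hashlib.sha256).hexdigest()

    def issue(self):
        """Steps 1-3 and 5: fresh Double Submit Token for the cookie, its HMAC for the form."""
        token = secrets.token_urlsafe(32)
        return token, self._mac(token)

    def verify(self, cookie_value, submitted_mac) -> bool:
        """Step 4: reject a missing cookie or an HMAC that does not match the cookie."""
        if not cookie_value or not submitted_mac:
            return False
        # constant-time compare so the check does not leak the expected MAC
        return hmac.compare_digest(self._mac(cookie_value), submitted_mac)


def set_cookie_header(token: str) -> str:
    """Cookie attributes from step 2 (cookie name DST is a constructed example)."""
    return f"Set-Cookie: DST={token}; Secure; HttpOnly; Path=/"


def simulate() -> dict:
    """Walk the scheme through a legitimate POST and several forged ones."""
    sess = CsrfSession()
    cookie, field = sess.issue()                        # GET: set cookie, render hidden field
    other_cookie, other_field = CsrfSession().issue()   # a pair issued by some other session
    new_cookie, new_field = sess.issue()                # step 5: rotate after the request
    return {
        "legit": sess.verify(cookie, field),
        "no_cookie": sess.verify(None, field),                    # cookie stripped
        "wrong_field": sess.verify(cookie, "0" * 64),             # attacker guesses the field
        "cross_session": sess.verify(other_cookie, other_field),  # key and salt differ
        "stale_field": sess.verify(new_cookie, field),            # old field, rotated cookie
        # step 4 keys on the HMAC alone, so an older (cookie, field) pair from the same
        # session still verifies after rotation; nothing in the check pins the latest token
        "old_pair_after_rotation": sess.verify(cookie, field),
    }
```

The last entry shows that rotation alone does not invalidate earlier pairs; only the per-session key and salt bind a pair to its session.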