[WEB SECURITY] Improved double submit csrf prevention

Tim tim-security at sentinelchicken.org
Sun May 1 20:07:03 EDT 2011


Hi Richard,

I think you might be making it more complicated than it needs to be.
The algorithm I had proposed previously does not require any use of
cookies (HMAC values passed only in POST body, URL parameters, or
custom HTTP headers) and every single request would have a separate
HMAC value.  The HMAC values would all remain valid in multithreaded
scenarios (e.g. asynchronous AJAX) for a configurable period of time,
but are tied to the session so would expire with it.  It also happens
to be far simpler than what you propose.

What is it you are trying to accomplish beyond those
features/protections?

To be clear about XSS implications, these methods can help one prevent
exploitation of reflected XSS because injection attempts should be
outright rejected before injection can occur, but once client-side
script is successfully injected (perhaps via stored XSS or other
scenarios), these tokens of course provide no protection.

tim
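One way to realize the stateless, session-bound HMAC token scheme Tim describes above (a fresh per-request value, no cookie involved, expiring after a configurable window and invalid once the session changes), written as an added example rather than Tim's own code; the token layout, the server key handling and the 600-second lifetime are this example's assumptions:

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Server-side key. Constructed here for the example; a deployment would load
# it from protected configuration and never send it to the client.
SERVER_KEY = os.urandom(32)
TOKEN_LIFETIME = 600  # configurable validity window, in seconds (assumed value)


def _mac(session_id: str, issued: int, nonce: bytes) -> bytes:
    # The MAC input binds the token to the session and to this one request
    # (issue time plus a random nonce), so every request gets a distinct value.
    msg = session_id.encode() + b"|" + str(issued).encode() + b"|" + nonce
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    # Token = issue time (8 bytes) || nonce (16 bytes) || HMAC-SHA256 (32 bytes),
    # URL-safe base64 so it can travel in a POST body, URL parameter or header.
    issued = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    raw = issued.to_bytes(8, "big") + nonce + _mac(session_id, issued, nonce)
    return base64.urlsafe_b64encode(raw).decode()


def verify_token(session_id: str, token: str, now: Optional[int] = None,
                 lifetime: int = TOKEN_LIFETIME) -> bool:
    # Nothing is stored server side: the token is recomputed from the caller's
    # current session id, so a token from another session simply fails the MAC.
    current = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False
    if len(raw) != 8 + 16 + 32:
        return False
    issued = int.from_bytes(raw[:8], "big")
    nonce, mac = raw[8:24], raw[24:]
    # Reject tokens outside the validity window (or claiming a future issue time).
    if current < issued or current - issued > lifetime:
        return False
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(mac, _mac(session_id, issued, nonce))
```

On an XSS'd page none of this helps, as the post notes: injected script can request a token exactly as the legitimate page would.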



