Re: Cookie Security



On Wednesday 30 April 2008 17:24:19 Audrius wrote:
2008/4/30 Orlin Gueorguiev <orlin@xxxxxxxxxxx>:
<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

If Bob's bank keeps his authentication information in a cookie, and if
the cookie hasn't expired, then Bob's browser's attempt to load the image
will submit the withdrawal form with his cookie, thus authorizing a
transaction without Bob's approval.
=====
So... what I am asking myself is how your concept can secure that CSRF is
not going to be exploited?

You have already answered your question with your "if"s. A token can't
be in the cookies, because they are returned on every request.
But if the token is used, for example, in a URL, then your method will
not work. But again, this technique will not work if the site is
vulnerable to XSS. Most security methods against CSRF don't work
if the site has an XSS vulnerability. Then a much better way is to use
something like a captcha. Just ask the user to do something before
important actions. But again, the captcha can't be too complicated, because
you will have another problem: usability of the website. :) Better
security always means less usability, and finding the middle is quite
hard.

Let's take the classical situation: we have 3 persons: Alice (the attacked
person), Bob (the bank) and Eve (the hacker).
So... Eve crafts a web page that tries to exploit a CSRF vulnerability and
steal money from anybody who opens the page and has a non-expired cookie for
Bob (the bank). So Alice opens the page, and she logs in with her own computer
and credentials to the bank and sends the money. Now... because SHE logs in
there, and not Eve, this means that anything saved on her computer can be
used to log in there, so exchanging tokens would not work.
Even if you use a token that is being randomly generated, if the process of
generation is simulated using CSRF, it would not really matter if you use
such a token. So... this is why I was asking you how/why this token
helps prevent CSRF.

Cheers,
Orlin
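As an added example, not code from the thread (nobody in it posted any): a small Python model of the three-party situation Orlin describes, with the hostname, account names and balances made up. It shows why the browser's automatic cookie handling is exactly what CSRF rides on, why a token that travels in a cookie changes nothing (the point Audrius makes), and why a synchronizer token embedded in the bank's own form does stop Eve: her page can pick every field of the request, but the browser will not add the token for her, and the same-origin policy keeps her from reading the bank page that carries it, so she can only guess an unguessable value. Alice's own visit to the real form, which does include the token, still goes through. The caveat from the thread stands and is outside this model: an XSS bug on the bank's origin would let the attacker read the token.

```python
"""Model of the situation Orlin describes: Alice (victim), the bank (Bob) and
Eve's attacker page.  Constructed illustration, not code from the thread."""
import hashlib
import hmac
import secrets


class Browser:
    """Alice's browser as a cookie jar keyed by host.  Like a real browser it
    attaches the host's cookies to every request to that host, whatever page
    started it, and lets no other origin read those cookies or the host's HTML."""
    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def post(self, bank, form):
        cookies = dict(self.jar.get(bank.host, {}))  # attached automatically
        return bank.withdraw(cookies, form)


class CookieOnlyBank:
    """The bank as the quoted example describes it: the session cookie alone
    authorizes the withdrawal."""
    host = "bank.example"

    def __init__(self):
        self.sessions = {}  # session id -> account holder
        self.balances = {"alice": 1_000_000}

    def login(self, browser, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        browser.jar.setdefault(self.host, {})["session"] = sid
        return sid

    def withdraw(self, cookies, form):
        user = self.sessions.get(cookies.get("session"))
        if user is None:
            return "401 not logged in"
        amount = int(form["amount"])
        self.balances[user] -= amount
        self.balances[form["for"]] = self.balances.get(form["for"], 0) + amount
        return "200 ok"


class TokenInCookieBank(CookieOnlyBank):
    """The variant Audrius rules out: the token is a second cookie and the
    server only checks that it comes back.  It always comes back."""
    def login(self, browser, user):
        sid = super().login(browser, user)
        browser.jar[self.host]["csrf_token"] = secrets.token_urlsafe(32)
        return sid

    def withdraw(self, cookies, form):
        if "csrf_token" not in cookies:
            return "403 CSRF token missing"
        return super().withdraw(cookies, form)


class SynchronizerTokenBank(CookieOnlyBank):
    """Synchronizer token: an unguessable value tied to the session, embedded
    in the legitimate form and required in the POST body.  The browser never
    sends it by itself, and Eve cannot read the page that carries it."""
    def __init__(self):
        super().__init__()
        self.key = secrets.token_bytes(32)  # server-side key, never sent out

    def csrf_token(self, sid):
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def render_form(self, cookies):
        """What Alice's own page load returns: a form carrying her token."""
        return {"csrf_token": self.csrf_token(cookies.get("session", ""))}

    def withdraw(self, cookies, form):
        expected = self.csrf_token(cookies.get("session", ""))
        if not hmac.compare_digest(form.get("csrf_token", ""), expected):
            return "403 CSRF token missing or wrong"
        return super().withdraw(cookies, form)


# What Eve's page makes Alice's browser submit; no token, she has never seen one.
EVE_FORM = {"account": "alice", "amount": "1000000", "for": "eve"}


def eve_attack(bank_cls):
    """Alice logs in, then visits Eve's page.  Returns (status, Alice's balance)."""
    bank, alice = bank_cls(), Browser()
    bank.login(alice, "alice")
    return alice.post(bank, dict(EVE_FORM)), bank.balances["alice"]


def alice_legit_withdrawal(amount=100):
    """Alice loads the real form (token included) and submits it herself."""
    bank, alice = SynchronizerTokenBank(), Browser()
    bank.login(alice, "alice")
    form = bank.render_form(alice.jar[bank.host])
    form.update({"account": "alice", "amount": str(amount), "for": "carol"})
    return alice.post(bank, form), bank.balances["alice"]
```

Calling `eve_attack` with each bank class shows the first two emptying Alice's account and the third answering 403 with her balance untouched, while `alice_legit_withdrawal()` succeeds because her own page load supplied the token. The token here is an HMAC of the session id under a server-side key, so the server stores nothing extra; a random per-session value kept server-side works just as well, and the check must compare in constant time either way.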


