Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
JSCK - Javascript CSRF Protection Kit
Posted by: Gareth Heyes
Date: October 18, 2007 09:38PM

I've just finished a prototype of my new project JSCK
http://www.thespanner.co.uk/2007/10/19/jsck/

Can anyone pass the test and perform CSRF on the demo?

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: JSCK - Javascript CSRF Protection Kit
Posted by: Gareth Heyes
Date: October 22, 2007 05:54AM

New update available now:-
http://www.thespanner.co.uk/2007/10/22/jsck-demo-update/

Re: JSCK - Javascript CSRF Protection Kit
Posted by: digi7al64
Date: October 23, 2007 11:06PM

hmmmmm. ok couple of points (I use something similar/not so similar on my own sites)

caveat (requiring javascript & POST's)

1. If you are using javascript then why even bother placing the form into the page? It only provides the bot with a form to post. Instead use the document.write or create function to output your form onto the page (this way it requires the bot to retrieve the js file - you can then add some better logic into the generation script so you can mask the form data so the bot can't recognise it from the source anyway)

2. If you are using javascript then why not remove the action element and instead only place it into the form using javascript when the onsubmit event is fired. This way the bot doesn't know where to post to.

Finally, of course there are much tougher ways to even implement more security into the design but for now I leave it at that.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: JSCK - Javascript CSRF Protection Kit
Posted by: Gareth Heyes
Date: October 24, 2007 03:15AM

@digi7al64

This isn't a single protection on one site; it is intended to be used by simply including Javascript on any page and it will protect all links and forms on that page. I want to accommodate users with no javascript by displaying a confirmation form. Of course a PHP based system with more security would be more secure; however, this kit was intended to be pluggable easily into any PHP site even by a novice programmer.

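The pattern described in the post above (one included script that protects every link and form on a page, with a confirmation form for users without JavaScript) can be sketched as follows. This is an added example, not JSCK's code and not written by anyone in the thread; the HMAC token scheme, the `csrf` parameter and the names `issueToken`, `decide` and `protectPage` are assumptions.

```javascript
// Added illustration, not JSCK's code. SECRET, issueToken, decide and
// protectPage are hypothetical names; the HMAC token scheme is an assumption.
const nodeCrypto = require('crypto');

const SECRET = nodeCrypto.randomBytes(32); // per-deployment server key

// Server: derive the token from the session id so it need not be stored.
function issueToken(sessionId) {
  return nodeCrypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

// Server: decide what to do with a state-changing request.
//   'allow'   - token matches the session
//   'confirm' - no token at all (script did not run): show a confirmation form
//   'reject'  - a token was sent but it is wrong
function decide(sessionId, token) {
  if (token === undefined || token === '') return 'confirm';
  const expected = Buffer.from(issueToken(sessionId));
  const got = Buffer.from(String(token));
  if (got.length !== expected.length) return 'reject';
  return nodeCrypto.timingSafeEqual(got, expected) ? 'allow' : 'reject';
}

// Browser: add the token to every same-origin link and form on the page.
// `doc` is `document` in a browser; a small stand-in object works for tests.
function protectPage(doc, origin, token) {
  for (const a of doc.links) {
    const url = new URL(a.href, origin);
    if (url.origin !== origin) continue; // never send the token off-site
    url.searchParams.set('csrf', token);
    a.href = url.toString();
  }
  for (const form of doc.forms) {
    if (new URL(form.action, origin).origin !== origin) continue;
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = 'csrf';
    input.value = token;
    form.appendChild(input);
  }
}
```

The confirmation form served for `'confirm'` has to embed the token itself, so that submitting it takes the `'allow'` path. Tokens placed in link URLs end up in browser history and server logs, so protecting links this way is weaker than protecting POST forms.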

