Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Captcha as CSRF protection
Date: August 15, 2008 01:36PM

Thoughts?

I think a big part of this will have to do with the implementation of the captcha. If the captcha data is tied to the user session, it's effectively identical to cookie-based protections: vulnerable to iframe overlays but not to auto-submitting forms. However, if the captcha has an identifier that is passed back to identify which captcha should be used, a dedicated attacker could retrieve a captcha, solve it, and then use it for a CSRF attack. This is assuming, of course, that the captcha isn't tied to the user account.

HTML Purifier - Standards Compliant HTML filtering

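The two designs contrasted in the post above, worked through as an added example (this is not code from the forum, from HTML Purifier, or from the linked demo). It is a self-contained in-memory simulation of a bank-style "transfer" endpoint: in design (b) the captcha answer is stored under a public `captcha_id` that the form echoes back, so an attacker can fetch and solve their own challenge and ship the id/answer pair inside an auto-submitting form that the victim's browser sends with the victim's cookie; in design (a) the answer lives only in the victim's session, which the attacker never sees. It also shows the fix for (b): record which session requested the captcha and refuse it from any other. The store names, endpoint names, amounts and the `bind_to_owner` switch are all assumptions made for the example.

```python
import secrets

# Constructed in-memory state standing in for a web app's server-side stores.
SESSIONS = {}        # session cookie -> {"user": str, "captcha": str | None, "balance": int}
CAPTCHAS_BY_ID = {}  # public captcha_id -> (answer, session cookie that requested it)


def new_session(user, balance=100):
    """Log a user in: mint an unguessable session cookie (assumed cookie-based auth)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "captcha": None, "balance": balance}
    return sid


def make_challenge():
    """Stands in for rendering a distorted word into an image; returns the answer."""
    return secrets.token_hex(8)


def issue_captcha_by_id(requester_sid):
    """Design (b): the answer is stored under a public id that the form echoes back.
    The requesting session is recorded so the server *can* bind the captcha to it;
    whether it does is decided at verification time (see transfer_by_id)."""
    cid = secrets.token_urlsafe(8)
    CAPTCHAS_BY_ID[cid] = (make_challenge(), requester_sid)
    return cid


def issue_captcha_in_session(sid):
    """Design (a): the answer lives only in the requesting user's session."""
    SESSIONS[sid]["captcha"] = make_challenge()


def transfer_by_id(cookie_sid, form, bind_to_owner):
    """POST /transfer validated against CAPTCHAS_BY_ID[form['captcha_id']]."""
    session = SESSIONS[cookie_sid]
    entry = CAPTCHAS_BY_ID.pop(form.get("captcha_id"), None)  # single use
    if entry is None:
        return "rejected"
    answer, owner = entry
    if answer != form.get("captcha"):
        return "rejected"
    if bind_to_owner and owner != cookie_sid:
        return "rejected"  # the fix: a captcha only counts for the session it was issued to
    session["balance"] -= form["amount"]
    return "ok"


def transfer_by_session(cookie_sid, form):
    """POST /transfer validated against the answer stored in the cookie's own session."""
    session = SESSIONS[cookie_sid]
    expected, session["captcha"] = session["captcha"], None  # single use
    if expected is None or expected != form.get("captcha"):
        return "rejected"
    session["balance"] -= form["amount"]
    return "ok"


def forged_form(captcha_answer, captcha_id=None):
    """The fields of the attacker's auto-submitting HTML form. The victim's browser
    attaches the victim's cookie by itself; the attacker never needs to see it."""
    form = {"to": "mallory", "amount": 50, "captcha": captcha_answer}
    if captcha_id is not None:
        form["captcha_id"] = captcha_id
    return form


def attack_by_id(victim_sid, bind_to_owner):
    """Attacker loads the form in their own browser, solves their own challenge,
    then has the victim's browser submit that id/answer pair."""
    attacker_sid = new_session("mallory")
    cid = issue_captcha_by_id(attacker_sid)
    solved = CAPTCHAS_BY_ID[cid][0]  # stands in for the attacker reading the image
    return transfer_by_id(victim_sid, forged_form(solved, cid), bind_to_owner)


def attack_by_session(victim_sid):
    """Same attacker, but the answer they solved belongs to their own session and
    the victim's pending answer was never shown to them."""
    attacker_sid = new_session("mallory")
    issue_captcha_in_session(attacker_sid)
    solved = SESSIONS[attacker_sid]["captcha"]
    return transfer_by_session(victim_sid, forged_form(solved))


def legitimate_transfer(sid):
    """The real user: look at the image, type the answer, submit with their own cookie."""
    issue_captcha_in_session(sid)
    answer = SESSIONS[sid]["captcha"]
    return transfer_by_session(sid, {"to": "bob", "amount": 10, "captcha": answer})


if __name__ == "__main__":
    alice = new_session("alice")
    print("captcha by id, unbound:", attack_by_id(alice, bind_to_owner=False))  # ok (CSRF succeeds)
    print("captcha by id, bound:  ", attack_by_id(alice, bind_to_owner=True))   # rejected
    issue_captcha_in_session(alice)
    print("captcha in session:    ", attack_by_session(alice))                  # rejected
    print("legitimate user:       ", legitimate_transfer(alice))                # ok
```

Note what the simulation does not cover: binding the captcha to the session stops the auto-submitting form, but, exactly as the post says, it does nothing against an iframe overlay (clickjacking), because there the victim solves their own captcha and clicks the real button. A session-bound captcha is, for CSRF purposes, just a one-time token the user happens to have to type; the usual synchronizer token gives the same CSRF property without the usability cost.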
Re: Captcha as CSRF protection
Posted by: Gareth Heyes
Date: August 15, 2008 04:15PM

Yep if the CAPTCHA itself isn't vulnerable then it would prevent CSRF attacks.
However entering a CAPTCHA for every action isn't realistic.

Javascript based sessions and simple referrer checking are also effective against attacks.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

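Gareth mentions "simple referrer checking". The following is an added example, not code from his post or from the linked demo, of what "simple" has to mean for the check to hold up: compare the parsed host of the `Origin` header (sent by current browsers on cross-site POSTs) or, failing that, `Referer` against an exact allow list, rather than doing a string prefix match, and decide explicitly what to do when the header is absent. The allowed host `bank.example`, the header dictionary shape and the `reject_missing` policy switch are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed: the only hosts from which a state-changing POST may legitimately originate.
SITE_HOSTS = {"bank.example"}


def referer_allows(headers, reject_missing=True):
    """Return True if the request's Origin (preferred) or Referer header names one of
    SITE_HOSTS over https. `headers` is a plain dict of request headers (constructed).

    Missing/"null" headers are rejected by default: privacy tools and some redirects
    strip Referer, so this fails closed and costs those users the action, or fails
    open (reject_missing=False) and lets an attacker strip the header on purpose.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return not reject_missing
    parts = urlsplit(value)
    if parts.scheme != "https":
        return False  # a plain-http origin could be a MITM, not the site
    # .hostname is lower-cased and has userinfo and port stripped, so
    # "https://bank.example@evil.example/" resolves to evil.example.
    return parts.hostname in SITE_HOSTS


def naive_prefix_check(headers):
    """The string-prefix version this example exists to warn against."""
    value = headers.get("Referer", "")
    return value.startswith("https://bank.example")


if __name__ == "__main__":
    # Constructed sample headers, as an attacker's page or the real site would send them.
    samples = {
        "same site":        {"Origin": "https://bank.example", "Referer": "https://bank.example/transfer"},
        "lookalike domain": {"Referer": "https://bank.example.evil.example/"},
        "userinfo trick":   {"Referer": "https://bank.example@evil.example/"},
        "site in query":    {"Referer": "https://evil.example/?u=https://bank.example"},
        "downgraded":       {"Referer": "http://bank.example/"},
        "stripped":         {},
    }
    for name, hdrs in samples.items():
        print(f"{name:17} strict={referer_allows(hdrs)!s:5} naive={naive_prefix_check(hdrs)}")
```

Even the strict version is defence in depth only: it is bypassed by any XSS on an allowed host (the forum's own framing of CSRF as "one of the attacks that XSS enables"), and it says nothing about clickjacking, where the request really does come from the site.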
Re: Captcha as CSRF protection
Posted by: asilvermtzion
Date: August 15, 2008 04:34PM

Examples of using Javascript based sessions?

Re: Captcha as CSRF protection
Posted by: Gareth Heyes
Date: August 15, 2008 04:51PM

This uses random javascript to provide a unique session key along with other methods of CSRF protection.

http://www.businessinfo.co.uk/labs/csrf_defend/combined_demo.php

Re: Captcha as CSRF protection
Posted by: asilvermtzion
Date: August 16, 2008 04:35AM

Ah ok, so you are using a traditional token combined with a JS-generated token. The server side generates the strings, I presume, therefore you simply run the same algorithm when the form is submitted and check the values match. Noticed the frame breaker as well; seems like a pretty effective all-round routine.

A not strictly CSRF question, but in this example, if I were to use the browser's "remember password" feature, it would be possible to access that info in certain circumstances. On a high-security form, how do you protect against that, to mitigate the risk if a vulnerability does occur in another area of the site? Personally, the only idea I've had is including the form within an iframe on a sub-domain whose sole purpose is serving that particular form.
