Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
anti-CSRF token implemented only in the cookie
Posted by: joel
Date: January 20, 2010 07:40AM

Hey, guys. I found that some web applications implement the anti-CSRF token only in the cookie, but not in the HTML form.

When they post data, they use JavaScript to get the anti-CSRF token from the cookie, and the backend application checks that the token in the POST data matches the token in the cookie.

What do you think about this implementation?

Re: anti-CSRF token implemented only in the cookie
Posted by: Gareth Heyes
Date: January 20, 2010 08:37AM

I did this a while ago:-
http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/

It works well most of the time. Obviously it's not a form of security as the keys are generated on the client but many spammers don't execute js in their tools. Some use browsers or have a parser but the majority don't.

I applied it to CSRF as well:-
http://www.thespanner.co.uk/2007/10/19/jsck/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
Edited 1 time(s). Last edit at 01/21/2010 02:30AM by Gareth Heyes.

Re: anti-CSRF token implemented only in the cookie
Posted by: joel
Date: January 20, 2010 08:06PM

@Gareth Heyes, great idea :p

In my case, there is only one token in the cookie, just like:

vtoken=8a995a95c13fda450b0776532156fe07

but this token does not appear in the HTML form; the form looks like:
...
<input type="hidden" name="vtoken" value=<script>document.write(document.cookie...)</script> >
...

Do you consider this implementation robust enough to defend against CSRF?

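The scheme joel describes in his two posts (the token lives only in the vtoken cookie, page JavaScript copies it into a hidden vtoken field, and the server accepts the POST only when both values match) is what is usually called a double-submit cookie. The following is an added example, not code from the thread or from any application discussed in it, showing the server-side check as a plain Python function run over constructed requests: a same-site POST, a cross-site POST whose form cannot know the cookie value, and a POST where both cookie and field were planted by something that can read or set the cookie (the XSS and broad-Domain caveats PaPPy and clayfox raise later). The signed variant at the end goes beyond the thread; SERVER_KEY, the session id and all request strings are constructed values, and the sample token is the one joel quoted.

```python
"""Double-submit cookie CSRF check, as an added illustration of the thread."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs

COOKIE_NAME = "vtoken"  # cookie and field names as shown in the thread
FIELD_NAME = "vtoken"

# Hypothetical server secret for the signed variant (constructed, demo only).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _cookie_token(cookie_header: str) -> Optional[str]:
    """Extract the vtoken value from a raw Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def _form_token(form_body: str) -> str:
    """Extract the vtoken field from a urlencoded POST body ("" if absent)."""
    return parse_qs(form_body).get(FIELD_NAME, [""])[0]


def naive_double_submit_ok(cookie_header: str, form_body: str) -> bool:
    """The check joel describes: accept iff cookie token == posted token.

    A plain cross-site POST fails because the attacker's page cannot read this
    site's cookie to fill in the field. But *any* matching pair is accepted, so
    whatever can set the cookie (XSS anywhere the cookie is readable, including
    a sibling subdomain when Domain= is set broadly) can also satisfy the check.
    """
    cookie_tok = _cookie_token(cookie_header)
    posted = _form_token(form_body)
    if not cookie_tok or not posted:
        return False
    # constant-time comparison on bytes
    return hmac.compare_digest(cookie_tok.encode(), posted.encode())


def issue_signed_token(session_id: str) -> str:
    """Signed variant (not from the thread): token = nonce.HMAC(key, session|nonce).

    The server can verify it minted the token for this session, so a
    cookie/field pair planted by something that cannot sign is rejected.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{session_id}|{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def signed_double_submit_ok(cookie_header: str, form_body: str,
                            session_id: str) -> bool:
    """Double-submit match plus a MAC check binding the token to the session."""
    if not naive_double_submit_ok(cookie_header, form_body):
        return False
    nonce, _, mac = _form_token(form_body).partition(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


# ---- constructed sample requests ------------------------------------------
SAMPLE_TOKEN = "8a995a95c13fda450b0776532156fe07"  # value joel quoted


def legit_post() -> bool:
    # page JS copied document.cookie's vtoken into the hidden field
    return naive_double_submit_ok(f"vtoken={SAMPLE_TOKEN}",
                                  f"vtoken={SAMPLE_TOKEN}&amount=10")


def cross_site_post() -> bool:
    # the browser still attaches the victim's cookie, but a form on another
    # origin could not read it, so the field value does not match
    return naive_double_submit_ok(f"vtoken={SAMPLE_TOKEN}",
                                  "vtoken=guess&amount=10")


def planted_pair_naive() -> bool:
    # both values set by something inside the cookie's scope: naive check passes
    return naive_double_submit_ok("vtoken=planted", "vtoken=planted&amount=10")


def planted_pair_signed() -> bool:
    # same planted pair against the signed variant: no valid MAC, rejected
    return signed_double_submit_ok("vtoken=planted",
                                   "vtoken=planted&amount=10", "sess-1")


def legit_signed_post() -> bool:
    tok = issue_signed_token("sess-1")
    return signed_double_submit_ok(f"vtoken={tok}",
                                   f"vtoken={tok}&amount=10", "sess-1")


if __name__ == "__main__":
    for fn in (legit_post, cross_site_post, planted_pair_naive,
               planted_pair_signed, legit_signed_post):
        print(f"{fn.__name__}: {fn()}")
```

The naive check is exactly as strong as the browser's cookie isolation: a cross-site form is rejected only because it cannot read the cookie, and any script or subdomain that can read or set the cookie produces a pair the server has no way to distinguish from a legitimate one. Signing the token with a server key and the session id closes that gap for planted pairs, but not for script that runs on the page itself and can simply read the genuine token, which is joel's own point in reply to PaPPy.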
Re: anti-CSRF token implemented only in the cookie
Posted by: PaPPy
Date: January 21, 2010 07:53AM

Just hope you don't have XSS on your site...

Not writing the string directly into the form (via JS) is the same as writing it in the script.

Especially because you can save the HTML and get the value, or use JavaScript to get the key.

http://www.xssed.com/archive/author=PaPPy/

Re: anti-CSRF token implemented only in the cookie
Posted by: joel
Date: January 21, 2010 07:58PM

@PaPPy
If there is an XSS, writing the token string directly into the form cannot defend against CSRF either.

http://blog.thinkphp.de/archives/150-Buy-one-XSS,-get-a-CSRF-for-free.html

Re: anti-CSRF token implemented only in the cookie
Posted by: clayfox
Date: January 29, 2010 08:16AM

If the domain and path of the cookie are set at a high level of generality and you have multiple subdomains, then you don't just have to worry about XSS in the domain in question, but rather all subdomains since they will all have access to the cookie.

-clayfox
