Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
CSRF tokens
Date: December 23, 2011 09:16AM

Hi,

I know to get rid of CSRF attack we have use the CSRF tokens, but not sure about the internal working of this. What I mean is where does these tokens get created and how the transfermatrion happens from client to server and when these are validated like that.

Can some one explain how the CSRF token implemenation works with pictorial represenation.


Thanks and Regards,
Srinivas

Options: ReplyQuote
Re: CSRF tokens
Posted by: Gareth Heyes
Date: January 03, 2012 03:27AM

I'm not going to draw you a picture but here's how it works in steps

1. Server generates one time random token (with an expiry time of around >= 20 mins)
2. Client serves token inside a hidden form input field.
3. When the submission is made the client token is checked against the server token and the expiry time.
4. The server then destroys the server side token if the request is valid or not and generates a new one.

There are a couple of pitfalls like a empty token request, the client serves a blank token and the server doesn't have a valid token generated if the attacker makes a request directly to the target operation without first making a request to generate a token. The expiry is required to stop token reuse by an attacker, also the token should be user specific to stop an attacker token being used by a user. You also have to make sure that the site cannot be framed since you can bypass any token see this attack [www.thespanner.co.uk]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote


Sorry, only registered users may post in this forum.