[nycphp-talk] prevention of csrf attack
Chris Shiflett
shiflett at php.net
Tue Dec 23 14:16:54 EST 2003
--- felix zaslavskiy <felix at students.poly.edu> wrote:
>
> > At any rate, this particular weakness is easily resolved by making
> > the token only shared between the server and the legitimate user
> > (rather than just keeping a pool of valid tokens). By storing this
> > value in the user's session, it requires that the attacker guess
> > that user's specific token.
>
> That only complicates things a little because now the attacker has to
> retrieve the secret token using the session id of the user. So the
> first fake request has to be to request the form page, grab the token,
> and then resubmit a second fake request with the token.
Well, now you're combining attacks and making a very big assumption: that
the session management mechanism is weak. If someone can impersonate the
legitimate user, a CSRF attack is not even necessary, so no intelligent
attacker is going to bother trying after that point. CSRF attacks are
generally only useful when impersonation is more difficult.
To clarify this, recall that CSRF attacks are basically a way to trick the
legitimate user into sending a request of your choosing. If you can make
the application believe that you are the legitimate user, there is no
longer any need for CSRF, because you can now do whatever you want, and
the application will mistake your identity.
I recently wrote an article about session security in PHP Magazine that
you can download for free from http://www.phpmag.net/ssl/phppdf/.
Hope that helps.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
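The design Chris describes above, a token stored in the user's own session rather than in a shared pool of valid tokens, as an added example that is not part of the original thread. It is written in Python with an in-memory dictionary standing in for PHP's `$_SESSION`; the session store, handler and status codes are constructed for the example. The weaker pool-based check is included beside it so the difference is visible: under the pool design a token obtained from the attacker's own session is accepted in a forged request carrying the victim's cookie, while under the per-session design the same request is refused.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-user data.
# In PHP this role is played by $_SESSION after session_start().
SESSIONS = {}


def new_session():
    """Create a session and return its id (the value a cookie would carry)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(sid):
    """Generate a token and store it only in this user's session.

    The token is shared between the server and the legitimate user alone,
    so a forged request must carry that user's specific value.
    """
    token = secrets.token_hex(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def validate_csrf_token(sid, submitted):
    """Accept a token only if it matches the one bound to this session.

    A successful check consumes the token so it cannot be replayed.
    """
    session = SESSIONS.get(sid)
    if session is None or submitted is None:
        return False
    expected = session.get("csrf_token")
    if expected is None:
        return False
    # Constant-time comparison (hash_equals() in PHP).
    if hmac.compare_digest(expected, submitted):
        del session["csrf_token"]
        return True
    return False


def handle_post(sid, form):
    """Constructed state-changing handler: 403 if the token check fails, else 200."""
    if not validate_csrf_token(sid, form.get("csrf_token")):
        return 403
    return 200


# The weaker design discussed in the thread: one pool of tokens valid for anyone.
VALID_TOKEN_POOL = set()


def issue_pool_token():
    token = secrets.token_hex(32)
    VALID_TOKEN_POOL.add(token)
    return token


def validate_pool_token(submitted):
    return submitted is not None and submitted in VALID_TOKEN_POOL


def forged_request_outcomes():
    """Compare both designs against a request that carries the victim's session
    but a token the attacker obtained from the attacker's own session.

    Returns (per_session_status, pool_accepted).
    """
    victim = new_session()
    attacker = new_session()
    issue_csrf_token(victim)
    attacker_token = issue_csrf_token(attacker)
    per_session_status = handle_post(victim, {"csrf_token": attacker_token})

    pool_token = issue_pool_token()  # obtained from any page the attacker can load
    pool_accepted = validate_pool_token(pool_token)
    return per_session_status, pool_accepted


def legitimate_request_outcomes():
    """The real user's own token is accepted once, then refused on replay.

    Returns (first_status, replay_status).
    """
    sid = new_session()
    token = issue_csrf_token(sid)
    first = handle_post(sid, {"csrf_token": token})
    replay = handle_post(sid, {"csrf_token": token})
    return first, replay


if __name__ == "__main__":
    print("forged request (per-session, pool):", forged_request_outcomes())
    print("legitimate request (first, replay):", legitimate_request_outcomes())
```

The per-session check only holds up if the session id itself is not guessable or stealable, which is exactly the point made above: once the attacker can act as the user, the token is no longer the weakest link.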