[pLog-svn] Anti CSRF solution

[Reto Hugi]

Hi Matt

Thank you for your - once again - very helpful support on this list
regarding security.

On 11/25/2007 11:21 PM, Matt Wood wrote:
> The second highlights a security flaw that many web applications
> currently have (trusting any HTTP requests "if" a user is logged in).
> But it is also rather difficult to exploit unless the user is foolish,
> or there are other vulnerabilities in the LT domain and have a
> targeted attacker.

In case of LT-based communities with features like "authenticated"
comments on other blogs within the same site, it's "easier" than on
stand alone blogs, to modify or delete an other users post with CRSF. In
fact we had a report on bugs.lifetype.net
(http://bugs.lifetype.net/view.php?id=1410). That's why the discussion
started.

> The second attack is what CSRFx attempts to solve. However, since the
> nonces CSRFx uses are valid on any URL within 30 minutes the
> protection it provides is minimal.

Thanks for pointing this out. I haven't even realized that one.

> This type of nonce protection
> should be tightly coupled with the action with which it is associated
> (as per what Reto hinted at).

Yes, Mark and I agreed, that I'll implement a PoC on the current trunk
to test what we could do.

> The functional benefits of an implementation like this would include:
> a way to limit actions to only being executed once (For example,
> double posting or something similar), enforcing request action
> execution order (think ajax), and probably more.

I'd like to use nonces tightly bound to an action within the context of
the users last presented view. I know about the ajax double-post
validation, but I'm not very happy with that idea from a technical
design view and I haven't seen it implemented in a real world app so
far. (If you know one, let me know)

I'd be glad if you could review our PoC, once we're ready.

cheers, reto