[pLog-svn] Anti CSRF solution

Mark Wu markplace at gmail.com
Sun Nov 25 23:36:09 EST 2007


Hi Matt:

It is okay. You don't need to apologize :P

I think it can be a good reference for us that a general solution for CSRF
is possible. 

But, is it okay for LT? I don't think so...

We maybe need rewrite some or all of them to adapt our session based admin
panel...

I think actions, forms, forms validator modifcations are needed.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
> Sent: Monday, November 26, 2007 6:22 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Anti CSRF solution
> 
> On Nov 25, 2007 4:26 PM, Ahmad Saleh <ahmadfds at gmail.com> wrote:
> > Hi Matt
> >
> > I just have some questions and some notes about what you say here.
> >
> > > 2. Does not protect against CSRF attacks from your site, 
> it infact 
> > > will release your "sensative" token to any actual CSRF attacks.
> >
> > What do you mean by "from your site"  ??
> >
> >
> > >
> > > 3. This will also likely confuse search engine crawlers.
> >
> > As Mark say, it just for admin pages, so there is no confusing for 
> > search engine.
> >
> 
> The aim of this script is to make certain pages (and their 
> metadata) inaccessible in subsequent requests, whether it be 
> from a link on your site or a link from any other site by 
> requiring a specific nonce to be present in the request to that page.
> 
> I didn't read the whole thread, so my apologies to Mark. If 
> this is just for the admin pages, then I also have to say 
> this would be an esoteric layer of security. However the 
> inclusion of a nonce into our admin actions might have a few 
> useful functional side effects.
> 
> Since LT has session based authentication, there are only two 
> real threats via CSRF to the admin section: one would be the 
> theft of the session id (via cookie or other means); the 
> other would be a user that is currently logged-into LT 
> clicking or visiting a page with a very targeted malicious 
> request (delete a post).
> 
> The first is infeasible without specific web application 
> vulnerabilities... since without malicious javascript 
> execution within the LT installations domain (or some browser 
> flaw), or in other words a full blown XSS vulnerability, the 
> theft of the session id (via
> cookie) is much harder.
> 
> The second highlights a security flaw that many web 
> applications currently have (trusting any HTTP requests "if" 
> a user is logged in).
> But it is also rather difficult to exploit unless the user is 
> foolish, or there are other vulnerabilities in the LT domain 
> and have a targeted attacker.
> 
> The second attack is what CSRFx attempts to solve. However, 
> since the nonces CSRFx uses are valid on any URL within 30 
> minutes the protection it provides is minimal. This type of 
> nonce protection should be tightly coupled with the action 
> with which it is associated (as per what Reto hinted at).
> 
> The functional benefits of an implementation like this would include:
> a way to limit actions to only being executed once (For 
> example, double posting or something similar), enforcing 
> request action execution order (think ajax), and probably more.
> 
> -Matt
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn



More information about the pLog-svn mailing list