[pLog-svn] Anti CSRF solution

Matt Wood matt at woodzy.com
Tue Nov 27 10:24:00 EST 2007


Checking the Referer is never sufficient.
- In the case that someone can get you to execute javascript, the
referer is easily changed to whatever the attacker wants.

What specifically should I elaborate on, Mark?

The one-time token Reto has already implemented will enforce the
single execution of an action, assuming this token is invalidated
after the action is executed (probably the best way to do that is in
the session variables).

The forced order of execution follows from the single execution of an
action. You simply chain the logic here and force subsequent requests
to have the previous one-time tokens as well. This set of chained
single requests ensures that the order of the requests is preserved.
The problem this is trying to solve is as follows: If ajax requests
are done out of order by a user (or skipped), this could potentially
cause problems.

On Nov 27, 2007 5:54 AM, Mark Wu <markplace at gmail.com> wrote:
> Go! Go! Reto!
>
> > -----Original Message-----
> > From: plog-svn-bounces at devel.lifetype.net
> > [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> > Sent: Tuesday, November 27, 2007 6:51 PM
> > To: 'LifeType Developer List'
> > Subject: Re: [pLog-svn] Anti CSRF solution
> >
>
> > hi mark
> >
> > Mark Wu wrote:
> >
> > > I think modification adminaction is easy, but you have to
> > > add hidden input to all forms we want to protect, then that's not a
> > > fun job .. :P
> >
> > yes I know. We've got quite a lot of forms to work through...
> >
> >
> > > Take the deleteComment for example, in lifetype we use
> > > "deleteComments" to delete multiple comments at the same
> > > time, it is an http post request, and we also use "deleteComment" to delete one
> > > comment in each time, and it is an http "get" request.
> >
> > ah, good point. That is the case on many requests. Maybe we
> > should really think about what we can do in the requestgenerators...
> >
> > Oh well, I'll think about it and surely be glad for help and
> > feedback here and there. we'll see if I find an "easy" way to
> > implement all that.
> >
> > reto
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
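The session-stored one-time tokens and the chained ordering Matt describes above, as an added illustration in Python (this is not LifeType code; the SessionCsrfTokens class and the step names are constructed for the example):

```python
import secrets


class SessionCsrfTokens:
    """One-time anti-CSRF tokens kept in a per-user session (constructed example).

    Each token authorises exactly one action and is deleted from the session
    as soon as that action runs. A token may also be chained to the token of
    the preceding step, so a request is refused unless the earlier step was
    actually completed first.
    """

    def __init__(self):
        self._pending = {}      # token -> (action, token of the required previous step)
        self._consumed = set()  # tokens already spent; never valid again

    def issue(self, action, after=None):
        # 'after' is the previous step's token; None means no ordering constraint.
        token = secrets.token_hex(16)
        self._pending[token] = (action, after)
        return token

    def consume(self, action, token):
        """Validate and invalidate a token. True only for a fresh, in-order use."""
        entry = self._pending.get(token)
        if entry is None:
            return False                    # unknown, forged, or replayed token
        expected_action, previous = entry
        if expected_action != action:
            return False                    # token minted for a different form/action
        if previous is not None and previous not in self._consumed:
            return False                    # earlier step skipped or still pending
        del self._pending[token]            # single execution: token dies on first use
        self._consumed.add(token)
        return True


def run_chained_flow():
    """Three AJAX steps issued up front; returns which requests were accepted."""
    session = SessionCsrfTokens()
    t1 = session.issue("selectComments")
    t2 = session.issue("confirmDelete", after=t1)
    t3 = session.issue("deleteComments", after=t2)
    return {
        "step3_before_step1": session.consume("deleteComments", t3),  # out of order
        "step1": session.consume("selectComments", t1),
        "step1_replay": session.consume("selectComments", t1),        # replayed token
        "step2_wrong_action": session.consume("deleteComments", t2),  # token for another action
        "step2": session.consume("confirmDelete", t2),
        "step3": session.consume("deleteComments", t3),
    }
```

Only the three in-order, first-use requests are accepted; the replayed, skipped-ahead and cross-action requests are all rejected.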
