[pLog-svn] crsf preventer?

Matt Wood matt at woodzy.com
Mon Oct 6 10:50:38 EDT 2008


This "protection" is not sufficient. It only protects POST requests...

The library basically is an example of a method to protect forms against
csrf attacks with a nonce. It is more difficult to subvert because it
requires the attacker to request the page and get the nonce (which can be
done in some circumstances...).

There are a few problems:
- Cookies can be leaked; I'd much rather have seen a session variable doing this.
- This "library" uses PHP's provably non-random rand() to generate the
nonce. See Stefan Esser's work on that...
- This "library" basically is one function, and could be written better by
someone that knows the site they are trying to protect.
- There should be time limits on the nonce's life based on the time one
expects the page to exist.

-Matt

On Thu, Oct 2, 2008 at 1:05 AM, Jon Daley <plog at jon.limedaley.com> wrote:

> Anyone know about this code?
>
>
> http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Maybe we're too stupid. Maybe there's an algorithm out there and
> we're just not getting it. It's a possibility.
> -- Professor Tygar
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
>
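Added example, not code from the thread or from pLog/LifeType: a PHP token helper shaped by the points above, with the token kept in the session rather than a cookie, generated with random_bytes() instead of rand(), limited to one lifetime and one use, and checked by any state-changing handler whatever the request method. The lifetime value and the form name 'deletePost' are assumptions for the demo.

```php
<?php
// Added example (not LifeType/pLog code): session-backed CSRF token with a
// CSPRNG, a lifetime, single use and a constant-time compare. Handlers that
// change state call csrf_check() no matter whether the request was GET or POST.

const CSRF_LIFETIME = 900; // assumed lifetime in seconds; tune per page

// Create a token for one form and keep it in the session array
// ($_SESSION in a real request; passed in here so the demo runs on the CLI).
function csrf_issue(array &$session, string $form, ?int $now = null): string
{
    $now ??= time();
    $token = bin2hex(random_bytes(32));          // CSPRNG, 256 bits
    $session['csrf'][$form] = ['token' => $token, 'issued' => $now];
    return $token;                               // emit as a hidden field
}

// Validate a submitted token. The stored copy is removed on the first
// attempt whether it succeeds or not, so a replay of the same token fails.
function csrf_check(array &$session, string $form, ?string $submitted, ?int $now = null): bool
{
    $now ??= time();
    $entry = $session['csrf'][$form] ?? null;
    unset($session['csrf'][$form]);
    if ($entry === null || $submitted === null) {
        return false;                            // no token issued or none sent
    }
    if ($now - $entry['issued'] > CSRF_LIFETIME) {
        return false;                            // token outlived the page
    }
    return hash_equals($entry['token'], $submitted); // constant-time compare
}

// Walk through the cases a reviewer would want to see; timestamps are
// constructed so the expiry branch is exercised deterministically.
function csrf_demo(): array
{
    $session = [];                               // stand-in for $_SESSION
    $r = [];
    $t = csrf_issue($session, 'deletePost', 1000);
    $r['valid']   = csrf_check($session, 'deletePost', $t, 1010);   // true
    $r['replay']  = csrf_check($session, 'deletePost', $t, 1011);   // false
    $t = csrf_issue($session, 'deletePost', 2000);
    $r['expired'] = csrf_check($session, 'deletePost', $t, 2000 + CSRF_LIFETIME + 1); // false
    $t = csrf_issue($session, 'deletePost', 3000);
    $r['forged']  = csrf_check($session, 'deletePost', str_repeat('0', 64), 3001); // false
    $r['missing'] = csrf_check($session, 'deletePost', null, 3002); // false
    return $r;
}

var_dump(csrf_demo());
```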