[pLog-svn] crsf preventer?
Jon Daley
plogworld at jon.limedaley.com
Mon Oct 6 12:50:23 EDT 2008
Thanks. I didn't want to take the time to read about it.
On Mon, 6 Oct 2008, Matt Wood wrote:
> This "protection" is not sufficient. It only protects POST requests...
>
> The library basically is an example of a method to protect forms against csrf attacks with a nonce. It is more
> difficult to subvert because it requires the attacker to request the page and get the nonce (which can be done in
> some circumstances...).
>
> There are a few problems:
> - Cookies can be leaked, I'd much rather have seen a session variable doing this.
> - This "library" uses PHP's provably non-random rand() to generate the nonce. See Stefan Esser's work on that...
> - This "library" basically is one function, and could be written better by someone who knows the site they are
> trying to protect.
> - There should be time limits of the nonce's life based on the time one expects the page to exist.
>
> -Matt
>
> On Thu, Oct 2, 2008 at 1:05 AM, Jon Daley <plog at jon.limedaley.com> wrote:
> Anyone know about this code?
>
> http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
>
> --
> Jon Daley
> http://jon.limedaley.com
> ~~
> Maybe we're too stupid. Maybe there's an algorithm out there and
> we're just not getting it. It's a possibility.
> -- Professor Tygar
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
--
Jon Daley
http://jon.limedaley.com
~~
Life is too important to be taken seriously.
-- Oscar Wilde
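The three concrete points in Matt's reply (keep the nonce in the session rather than a cookie, do not generate it with rand(), and give it a lifetime) map onto a small amount of PHP. The following is an added illustration written for this archive page; it is not code from pLog/LifeType or from the library linked in the thread. It assumes PHP 7.1 or later (for random_bytes() and nullable type hints) with sessions enabled, and the function names, the CSRF_TTL_SECONDS value and the form field name are this example's own choices.

```php
<?php
// Added example, not pLog/LifeType code: a CSRF token that lives in the PHP
// session (not a cookie), is generated with a CSPRNG (not rand()), carries an
// expiry, and is required by every handler that changes state.
// Assumptions: PHP >= 7.1, sessions enabled; all names below are ours.

const CSRF_TTL_SECONDS = 900; // assumed lifetime: roughly how long a form may stay open

function csrf_start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Return the current token, minting a fresh one when none exists or it has expired.
// Reusing an unexpired token keeps several open forms valid at once.
function csrf_token(): string {
    csrf_start_session();
    $now = time();
    if (empty($_SESSION['csrf']) || $_SESSION['csrf']['expires'] < $now) {
        $_SESSION['csrf'] = [
            'value'   => bin2hex(random_bytes(32)), // CSPRNG, unlike rand()
            'expires' => $now + CSRF_TTL_SECONDS,
        ];
    }
    return $_SESSION['csrf']['value'];
}

// Hidden field to drop into each form that performs a state-changing action.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only if a token is stored in the session, has not expired, and matches
// the submitted value in constant time (hash_equals avoids timing leaks).
function csrf_check(?string $submitted): bool {
    csrf_start_session();
    if ($submitted === null || empty($_SESSION['csrf'])) {
        return false;
    }
    if ($_SESSION['csrf']['expires'] < time()) {
        unset($_SESSION['csrf']); // expired: force a new token on the next page render
        return false;
    }
    return hash_equals($_SESSION['csrf']['value'], $submitted);
}

// Guard for any handler that changes state. It refuses non-POST requests
// outright, so an action reachable through a plain GET link is not silently
// left unprotected, and then demands a valid, unexpired token.
function require_csrf_token(): void {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('State-changing actions must be submitted with POST.');
    }
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired request token.');
    }
}
```

Usage: echo csrf_field() inside each form whose submission changes state, and call require_csrf_token() as the first statement of the handler that receives it. Keeping the nonce in $_SESSION means it never crosses the wire except inside the form itself; binding it to an expiry limits how long a captured value stays useful, and refusing GET for state-changing handlers closes the gap Matt points out with protection that only covers POST.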