[pLog-svn] crsf preventer?

Reto Hugi plog at hugi.to
Mon Oct 6 17:00:59 EDT 2008


On 10/06/2008 04:50 PM, Matt Wood wrote:
> This "protection" is not sufficient. It only protects POST requests...
> The library basically is an example of a method to protect forms against
> csrf attacks with a nonce. It is more difficult to subvert because it
> requires the attacker to request the page and get the nonce (which can
> be done in some circumstances...).

Absolutely agree. I once started with a csrf-branch, and I didn't come
very far. But here is some feedback, just in case someone would be
interested in supporting me... :)

> There are a few problems:
> - Cookies can be leaked, I'd much rather seen a session variable doing this.

That's what I've done.

> - This "library" uses phps' provable non-random rand() to generate the
> nonce. See Stefan Esser's work on that...

Hmmm, forgot about that, but I remember hashing a string based on a
timestamp and a secret (configurable) - probably even worse, now that
I'm thinking of it...

> - This "library" basically is one function, and could be written better
> by someone that knows the site they are trying to protect.

The LT implementation needs to be added to the specific action classes
and thus protects exactly what needs to be protected.

> - There should be time limits of the nonce's life based on the time one
> expects the page to exist.

the nonce lives as long as the session lives.

cheers,
reto
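The points raised in the thread (a nonce kept in the session rather than a cookie, generated from something better than rand() or a hash of a timestamp and a secret, bound to the specific action, and given a lifetime) can be pulled together in a few functions. The following is an added example, not code from pLog/LifeType or from either poster; the `$session` array stands in for `$_SESSION` so it runs from the CLI, and the token size, the 30-minute lifetime and the action names are assumed values.

```php
<?php
// Added example (not pLog/LifeType code): session-stored, per-action CSRF
// tokens with a lifetime, generated from a CSPRNG instead of rand() or a
// timestamp hash. $session stands in for $_SESSION so this runs from the CLI.

declare(strict_types=1);

const CSRF_TOKEN_BYTES = 32;   // assumed size, 256 bits of entropy
const CSRF_TOKEN_TTL   = 1800; // assumed lifetime in seconds

// Generator of the kind the thread warns against, kept only for contrast:
// the value depends on a guessable timestamp plus one fixed secret, so an
// attacker who learns the secret (or brute-forces nearby timestamps against a
// leaked token) can reproduce it. Do not use.
function weakNonce(string $secret): string
{
    return md5((string) time() . $secret);
}

// Issue a fresh token for one action and store it server-side with its
// issue time. Nothing but the token itself is sent to the browser.
function csrfIssue(array &$session, string $action, ?int $now = null): string
{
    $now = $now ?? time();
    $token = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    $session['csrf'][$action] = ['token' => $token, 'issued' => $now];
    return $token;
}

// Validate a submitted token for one action. Call this for every
// state-changing action regardless of HTTP method (GET included), since a
// check that only covers POST leaves GET-driven actions unprotected.
function csrfCheck(array &$session, string $action, ?string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $entry = $session['csrf'][$action] ?? null;
    if ($entry === null || $submitted === null) {
        return false;
    }
    // Single use: the stored token is discarded whether or not the check
    // succeeds, so a captured token cannot be replayed.
    unset($session['csrf'][$action]);
    if ($now - $entry['issued'] > CSRF_TOKEN_TTL) {
        return false; // expired
    }
    // Constant-time comparison; a token for another action will not match.
    return hash_equals($entry['token'], $submitted);
}

// Render the token into a form; escaping keeps it a plain attribute value.
function hiddenField(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Walk through the cases the thread discusses.
$session = [];

$t = csrfIssue($session, 'deletePost');
echo hiddenField($t), "\n";
var_dump(csrfCheck($session, 'deletePost', $t)); // valid, first use
var_dump(csrfCheck($session, 'deletePost', $t)); // already consumed

$issued = 1000;
$t2 = csrfIssue($session, 'deletePost', $issued);
var_dump(csrfCheck($session, 'deletePost', $t2, $issued + CSRF_TOKEN_TTL + 1)); // past its lifetime

$t3 = csrfIssue($session, 'editPost');
var_dump(csrfCheck($session, 'deletePost', $t3)); // token issued for a different action
```

Because the token is never written to a cookie, a leaked cookie exposes only the session id, and the attacker still has to read the victim's page to obtain a usable token, which is exactly the step the nonce approach is meant to force.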

