<div dir="ltr">This "protection" is not sufficient. It only protects POST requests...<br><br>The library basically is an example of a method to protect forms against CSRF attacks with a nonce. It is more difficult to subvert because it requires the attacker to request the page and get the nonce (which can be done in some circumstances...).<br>
<br>There are a few problems:<br>- Cookies can be leaked; I'd much rather have seen a session variable doing this.<br>- This "library" uses PHP's provably non-random rand() to generate the nonce. See Stefan Esser's work on that...<br>
- This "library" is basically one function, and could be written better by someone who knows the site they are trying to protect.<br>- There should be time limits on the nonce's life based on the time one expects the page to exist.<br>
<br>-Matt<br><br><div class="gmail_quote">On Thu, Oct 2, 2008 at 1:05 AM, Jon Daley <span dir="ltr"><<a href="mailto:plog@jon.limedaley.com">plog@jon.limedaley.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Anyone know about this code?<br>
<br>
<a href="http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks" target="_blank">http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks</a><br>
<br>
-- <br>
Jon Daley<br>
<a href="http://jon.limedaley.com" target="_blank">http://jon.limedaley.com</a><br>
~~<br>
Maybe we're too stupid. Maybe there's an algorithm out there and<br>
we're just not getting it. It's a possibility.<br>
-- Professor Tygar<br>
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
</blockquote></div><br></div>
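A token scheme that addresses the four points raised in the reply above (session storage instead of a cookie, a CSPRNG instead of rand(), a bounded lifetime, and coverage of every state-changing method rather than POST alone), as an added example that is not the library under discussion and not the project's own code. The csrf_* function names, the CSRF_TOKEN_TTL constant and its 900-second value are assumptions for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not the library under discussion. The csrf_* names and the
// CSRF_TOKEN_TTL value are illustrative assumptions.

const CSRF_TOKEN_TTL = 900; // seconds a token stays valid (assumed lifetime)

// Issue (or reuse) a token kept server-side in the session, not in a cookie.
// The token comes from the OS CSPRNG via random_bytes(), never from rand().
function csrf_issue_token(array &$session, ?int $now = null): string
{
    $now ??= time();
    $current = $session['csrf'] ?? null;
    if ($current !== null && $now - $current['issued'] <= CSRF_TOKEN_TTL) {
        return $current['token']; // still valid: keep one token per session
    }
    $token = bin2hex(random_bytes(32)); // 256 bits of entropy, hex encoded
    $session['csrf'] = ['token' => $token, 'issued' => $now];
    return $token;
}

// Accept a submitted token only if the session holds one, it is within its
// lifetime, and it matches in constant time (hash_equals has no early exit).
function csrf_validate(array &$session, ?string $submitted, ?int $now = null): bool
{
    $now ??= time();
    if ($submitted === null || !isset($session['csrf'])) {
        return false;
    }
    $stored = $session['csrf'];
    if ($now - $stored['issued'] > CSRF_TOKEN_TTL) {
        unset($session['csrf']); // expired: the next render issues a fresh one
        return false;
    }
    return hash_equals($stored['token'], $submitted);
}

// Every method that may change state needs the token, not POST alone.
// GET/HEAD/OPTIONS handlers must stay side-effect free for this to hold.
function csrf_method_requires_token(string $method): bool
{
    return !in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true);
}

// Gatekeeper to call before any handler that modifies server-side state.
function csrf_guard(array &$session, string $method, ?string $submitted, ?int $now = null): bool
{
    if (!csrf_method_requires_token($method)) {
        return true;
    }
    return csrf_validate($session, $submitted, $now);
}

// Offline walk-through with a constructed session array in place of $_SESSION.
$session = [];
$t0 = 1000000;
$token = csrf_issue_token($session, $t0);

var_dump(csrf_guard($session, 'GET', null, $t0));                        // true: no state change
var_dump(csrf_guard($session, 'POST', $token, $t0 + 60));                // true: fresh and matching
var_dump(csrf_guard($session, 'DELETE', 'forged-value', $t0));           // false: wrong token
var_dump(csrf_guard($session, 'PUT', $token, $t0 + CSRF_TOKEN_TTL + 1)); // false: expired
```

In a real handler you would pass `$_SESSION` instead of the constructed array, render the token into a hidden form field (HTML-escaped) on GET, and read it back from the form field for POST or from a request header for PUT/DELETE, where there is no form body. The lifetime is deliberately a constant you tune per page: long enough for a user to fill in the form, short enough that a leaked token is not useful indefinitely.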