Geek Answers Handbook

Difficult question for a good understanding of CSRF

My friend and I have a bet on beer.

From Wikipedia:

Requires a secret, user-specific token in all forms and side URLs prevent CSRF; attacker site cannot token in its messages

An attacker can use browser cookies indirectly, but he cannot use them directly! Therefore, it cannot put cookies in a link using document.write()

Let's see how the link to exit the system is created. Is this a safe way? Can this GET request be tampered with?

 function logout(){ echo '<a href="?action=logout&sid='.htmlspecialchars($_COOKIE['sid']).'>Logout</a>'; }

sid is the session identifier generated for each session

on the server side the following check is performed:

 $_GET['sid']==$_COOKIE['sid']
+8
security xss
source share
4 answers

Absolutely not ! Never use session identifiers to protect CSRF.

How much why? Well, the answer is simple. This opens the door to capture the session . Imagine that someone is copying and pasting a link for some reason into email or the Internet. Now the person at the other end of the letter has a session identifier for that session. Of course, if they click on the link, it will not activate the session, but someone who knows what they are doing will still be able to use it.

And do not use a secret cookie. Cookies are transferred for each request. Thus, the mere existence of a cookie does not verify that the user intended to make a request.

How to do it? Follow the recommendations of OWASP . Use a unique random token that is issued for each request and associated with the session. Then check that the token is valid when sent, and then invalidates the token ! It must be a one-time token. Submit it in a form and are not attached directly to the link ...

+4
source share

This intrinsically safe security system is immune to CSRF . The reason for this is that in the event of a CSRF attack, the browser monitors the cookie, so the attacker does not need to know the cookie value when creating it. If this proposed security system is vulnerable to CSRF, an exploit such as the following proof of concept will exit the browser:

<img src=http://victim_site/index.php?action=logout&sid= />

Obviously, in this case, the SID requires a value, and the attacker cannot get this value without using XSS, which makes this point controversial. Using xss, an attacker can read the CSRF token to request requests. This was used in the MySpace worm Sammy .

Use of a cookie is a valid but weaker form of CSRF protection. One of the problems is that it completely undermines the http_only cookie . Ideally, the CSRF token and session ID should be Cryptographic nonce . However, it is safer to have their individual meanings.

+3
source share

Change This answer is at least partially erroneous. Using a session identifier as a CSRF token can lead to session hijacking if, for example, links are copied + pasted. See Reply and comments by ircmaxell.

Yes, since the session identifier is random and associated with the user, it will be an acceptable form of CSRF protection.

However, it would be even safer to use a different random number, in order to prevent malicious JavaScript from stealing the session cookie (and session ID) ... But if I had to choose between โ€œno CSRF tokenโ€ and โ€œsession ID as CSRF token, I always select a session as a CSRF token.

The only potential problem with using session identifiers as CSRF tokens: if someone could steal a CSRF token, they could also capture a connected session ... But I can't think of a reasonable scenario where this could be a problem.

Now, from a discussion of Marc Bโ€™s answer below: using nonce , other benefits will be provided (e.g. preventing form re-submission) ... But this is no more secure for CSRF attacks than the session identifier (with one caveat, which I mention in first paragraph of the second).

See also: CSRF Verifier: Is Session ID Safe?

+2
source share

But what about stopping someone from editing the HTML code that you submit, as well as the cookie that you also sent? Both are under user control.

With firebug, I can trivially change the contents of any page, as well as any cookie.

Now, if you changed the version so that SERVER stores this identifier, then it would be harder to hack ...

 $_SESSION['form_token'] = 's33krit valu3'; if ($_POST['form_token'] == $_SESSION['form_token']) { ... everything ok ... }

Since the session data is stored on the server, it is much safer from the hands of an attacker than trusting an attacker who does not want to modify the cookie.

You owe your friend a beer.

-4
source share

More articles:


All Articles