Re: [WEB SECURITY] Suggestions for the CSRF FAQ



On 1/28/07, Stefan Esser <sesser@xxxxxxxxxxxxxxxx> wrote:
> It is simply not true that XSS makes CSRF protection impossible.
> First of all there is always the good old e-mail verification that
> protects against unintended requests.

Great point, transactional authentication can fix the problem. You would have to be careful about allowing changes to the contact information for the out-of-band confirmation. For example, if the JS malware has the ability to change the e-mail address to which the confirmation is sent, that would break the scheme.

> Then it should be perfectly possible to create a 2 phase system that
> shows a CAPTCHA to the user that additionally to the 'passkey' contains
> information about the action (so that JS malware does not simply change
> the action on the fly)

What if the JS malware sends the captcha to the attacker instead of the intended recipient?

> And then there are different complicated but feasible techniques
> (ab)using the cross domain policy against XSS malware.

I don't see how this is possible, but that doesn't mean it's impossible. What's your proposal?

Regards,
Brian
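A sketch of the action-bound two-phase confirmation discussed above, added here as an example and not code from either poster: the server records the exact action, sends a code that is an HMAC over user, nonce and action, and in phase two accepts only that same action, once. The key, the in-memory store and the action shape are constructed for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption (constructed): a per-deployment secret; load it from configuration in a real service.
SERVER_KEY = secrets.token_bytes(32)

# Pending confirmations keyed by nonce -> (user_id, canonical action bytes).
# Constructed in-memory store standing in for a database table.
PENDING = {}


def canonical(action: dict) -> bytes:
    """Stable serialisation so the same action always yields the same bytes."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def _mac(user_id: str, nonce: str, action: dict) -> str:
    """Confirmation code committing to who is acting, which request, and exactly what."""
    msg = b"\0".join([user_id.encode(), nonce.encode(), canonical(action)])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_confirmation(user_id: str, action: dict) -> tuple:
    """Phase 1: record the exact action and return (nonce, code).

    The code is delivered out of band (e-mail, SMS) together with a readable
    description of the action, so the user sees what they are approving.
    """
    nonce = secrets.token_hex(16)
    PENDING[nonce] = (user_id, canonical(action))
    return nonce, _mac(user_id, nonce, action)


def confirm(user_id: str, nonce: str, code: str, action: dict) -> bool:
    """Phase 2: accept only if the action is byte-for-byte what was confirmed,
    the code matches it, and the nonce has not been used before."""
    entry = PENDING.get(nonce)
    if entry is None:
        return False                      # unknown or already-consumed nonce
    if entry[0] != user_id or entry[1] != canonical(action):
        return False                      # action (or user) changed after issuance
    if not hmac.compare_digest(_mac(user_id, nonce, action), code):
        return False                      # code does not belong to this action
    del PENDING[nonce]                    # single use: no replay
    return True
```

Changes to the address the code is sent to must themselves go through this flow, confirmed against the old address, or the caveat raised in the reply above applies.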

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]