Re: [WEB SECURITY] Suggestions for the CSRF FAQ
- From: "John Terrill" <jterrill@xxxxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Suggestions for the CSRF FAQ
- Date: Mon, 29 Jan 2007 15:11:34 -0500 (EST)
Stefan,

It's true that an email verification step would defeat CSRF in some cases,
but I don't see that being very practical. It also leaves the web app
arena and assumes that no one has access to your mail server, local box,
or the traffic on your local network. Not to mention that an email is
almost always going to be plain text.

In reference to most CAPTCHAs, if an XSS attack exists, then a CAPTCHA
can be defeated due to bi-directional channels where an attacker could
solve the CAPTCHA remotely.

What are you talking about when you mention the cross-domain policy? A
cross-domain policy is intended to expand the access of an application,
not to restrict it. The cross-domain restrictions in the browser already
do that.
--
John Terrill
CTO - EMT LLC
1 Penn Plaza, Suite 3600
New York, NY 10119
T) 1-212-835-1557
C) 1-404-797-3865
http://www.em-technology.net
>
>> *** Before you start adding CSRF protection ***
>>
>> The first step in protecting your application against CSRF is to fix
>> any cross-site scripting vulnerabilities. If your application is
>> vulnerable to XSS, CSRF protection is not possible. Javascript
>> malware will defeat whatever protection you put in place.
> It is simply not true that XSS makes CSRF protection impossible.
> First of all, there is always the good old e-mail verification that
> protects against unintended requests.
> Then it should be perfectly possible to create a 2-phase system that
> shows a CAPTCHA to the user which, in addition to the 'passkey', contains
> information about the action (so that JS malware does not simply change
> the action on the fly).
> And then there are different complicated but feasible techniques
> (ab)using the cross-domain policy against XSS malware.
>
> Stefan Esser
>
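As an added example, not code from either poster: a server-side CSRF token that binds a session to one concrete action and its parameters, in the spirit of the action-bound confirmation described in the quoted message; `handle_request`, the session id and the server key are hypothetical. It stops a token issued for one action from being re-pointed at another, but script running in the same origin can still read or request such a token, which is the disagreement in this thread.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode

# Server-side key, generated at startup for this example (hypothetical; a real
# deployment would load it from protected configuration).
SERVER_KEY = secrets.token_bytes(32)


def canonical_action(action: str, params: dict) -> bytes:
    """Serialise the action and its parameters so the token covers exactly what will be performed."""
    return (action + "?" + urlencode(sorted(params.items()))).encode()


def issue_token(session_id: str, action: str, params: dict, key: bytes = SERVER_KEY) -> str:
    """Token tied to one session AND one concrete action (HMAC-SHA256 over both)."""
    msg = session_id.encode() + b"\x00" + canonical_action(action, params)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_token(token: str, session_id: str, action: str, params: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the token for the request actually received and compare in constant time."""
    expected = issue_token(session_id, action, params, key)
    return hmac.compare_digest(token, expected)


def handle_request(session_id: str, action: str, params: dict, token: str):
    """Hypothetical handler: refuse a state-changing request whose token was not issued for it."""
    if not verify_token(token, session_id, action, params):
        return 403, "CSRF token invalid for this action"
    return 200, f"performed {action}"


if __name__ == "__main__":
    sid = "sess-1234"  # constructed session id
    t = issue_token(sid, "change_email", {"email": "alice@example.com"})
    print(handle_request(sid, "change_email", {"email": "alice@example.com"}, t))    # status 200
    print(handle_request(sid, "change_email", {"email": "mallory@example.com"}, t))  # status 403
    print(handle_request(sid, "delete_account", {}, t))                              # status 403
```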
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org