
Re: [WEB SECURITY] Defeating nonce/token based CSRF protection



You're right Jeroen,
That's why I believe that strong CAPTCHAs are more robust than tokens (nonces).
The problem with CAPTCHAs is that they are not always practicable. I've worked to fix CSRF problems in Joomla, and such new CMSs are full of Ajax features and toggle buttons that are meant to increase usability and, at least in the case of CSRF, decrease security.
Another solution would be to ask for further user authentication (login again) before performing "sensitive" actions.
Anyway, in my opinion, there is so little attention to CSRF from web developers that every time I see the use of tokens in the web applications I pen test, it seems a miracle to me.


--
----
Zinho

Webmaster and Founder

Hackers Center Internet Security Portal
www.hackerscenter.com
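The re-authentication idea in the message above, as an added example that is not part of the original post or of Joomla: a sensitive action first checks the per-session CSRF token (constant-time compare), and then additionally requires that the user confirmed their password within a recent window. The window length, the `Session`/`USERS` structures and the `handle_sensitive_action`/`reauthenticate` names are assumptions for illustration; the user record is constructed inline. The point it demonstrates is that even an attacker who has obtained a valid token cannot get past the step-up, because a cross-site request cannot supply the victim's password.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy: a password confirmation is "fresh" for five minutes.
REAUTH_WINDOW_SECONDS = 300


@dataclass
class Session:
    user: str
    # Per-session synchronizer token, unpredictable to a cross-site attacker.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # Time of the last successful password confirmation (None = never).
    reauth_at: Optional[float] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: {user: (salt, pbkdf2 digest)}.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def verify_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash_password(password, salt), digest)


def reauthenticate(session: Session, password: str, now: float) -> bool:
    """Step-up authentication: confirm the password and record when it happened."""
    if not verify_password(session.user, password):
        return False
    session.reauth_at = now
    return True


def handle_sensitive_action(session: Session, form: dict, now: float) -> str:
    """Return 'csrf_rejected', 'reauth_required' or 'performed'.

    Both checks must pass: the token proves the request came from a page
    the application served, and the recent re-authentication proves the
    user is actually present for this particular action.
    """
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "csrf_rejected"
    if session.reauth_at is None or now - session.reauth_at > REAUTH_WINDOW_SECONDS:
        return "reauth_required"
    return "performed"


def demo() -> tuple:
    """Walk through the cases a reviewer cares about, using a fixed clock."""
    s = Session(user="alice")
    # 1. Forged cross-site request: the attacker has to guess the token.
    r1 = handle_sensitive_action(s, {"csrf_token": "guess"}, now=1000.0)
    # 2. Token leaked or predicted, but the user has not re-authenticated.
    r2 = handle_sensitive_action(s, {"csrf_token": s.csrf_token}, now=1000.0)
    # 3. Legitimate user confirms the password, then acts within the window.
    assert reauthenticate(s, "correct horse", now=1000.0)
    r3 = handle_sensitive_action(s, {"csrf_token": s.csrf_token}, now=1010.0)
    # 4. Same token, but the confirmation has expired: step-up is demanded again.
    r4 = handle_sensitive_action(
        s, {"csrf_token": s.csrf_token}, now=1000.0 + REAUTH_WINDOW_SECONDS + 1
    )
    return (r1, r2, r3, r4)


if __name__ == "__main__":
    print(demo())
```

The clock is passed in explicitly so the window logic can be exercised deterministically; in a real application `now` would come from `time.time()` and the session would live in server-side storage, never in a cookie the browser could be tricked into replaying.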



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org