Home page logo
/

basics logo Security Basics mailing list archives

Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:24:19 +0300

2008/4/30 Orlin Gueorguiev <orlin () baturov com>:

 <img
 src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory";>

 If Bob's bank keeps his authentication information in a cookie, and if the
 cookie hasn't expired, then Bob's browser's attempt to load the image will
 submit the withdrawal form with his cookie, thus authorizing a transaction
 without Bob's approval.
 =====
 So... what I am asking myself how your consept can secure, that CSRF is not
 going to be exploited?

You already have answered your question using your "if's". Token can't
be in the cookies, because they are returned back on every request.
But if token will be used for example in an URL, then your method will
not work. But again, this technique will not work, if site will be
vulnerable to XSS. Most of security methods against CSRF doesn't work,
if site has XSS vulnerability. Then much better way is to use
something like captcha. Just ask user to do something before doing
important actions. But again, captcha can't be to complicated, because
you will have another problem. Usability of the website. :) Better
security always means less usability and to find the middle is quite
hard.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault