Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Security Basics: Re: Cookie Security

Re: Cookie Security

From: Orlin Gueorguiev <orlin_at_baturov.com>
Date: Sat, 3 May 2008 02:24:38 +0200

Ðа Wednesday 30 April 2008 17:24:19 Audrius напиÑа:
> 2008/4/30 Orlin Gueorguiev <orlin_at_baturov.com>:
> > <img
> >
> > src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"
> >>
> >
> > If Bob's bank keeps his authentication information in a cookie, and if
> > the cookie hasn't expired, then Bob's browser's attempt to load the image
> > will submit the withdrawal form with his cookie, thus authorizing a
> > transaction without Bob's approval.
> > =====
> > So... what I am asking myself how your consept can secure, that CSRF is
> > not going to be exploited?
>
> You already have answered your question using your "if's". Token can't
> be in the cookies, because they are returned back on every request.
> But if token will be used for example in an URL, then your method will
> not work. But again, this technique will not work, if site will be
> vulnerable to XSS. Most of security methods against CSRF doesn't work,
> if site has XSS vulnerability. Then much better way is to use
> something like captcha. Just ask user to do something before doing
> important actions. But again, captcha can't be to complicated, because
> you will have another problem. Usability of the website. :) Better
> security always means less usability and to find the middle is quite
> hard.

Lets take the classical situation: We have 3 persons: Alice (the attacked
person), Bob (the bank) and Eve (the hacker).
So... Eve crafts a web page, that tries to exploit a CSRF vulnerability and
steal money from anybody, who opens the page and has a non-expired cookie to
Bob (the bank). So Alice opens the page and she logs with her own computer
and credentials to the bank and send the money. Now... because SHE logs
there, and not Eve, this means that anything saved on her computer can be
used to log in there, so exchanging tokens would not work.
Even if you use a token, that is beeing randomly generated, if the process of
generation is simulated using CSRF, it would not really matter if you use
such a token. So... this is why I was asking why you how/why does this token
help prevent CSRF?

Cheers,
Orlin
Received on May 05 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]