corvid wrote:
> Justus wrote:
>> Johannes Hofmann wrote:
>>> Perhaps we should be more careful about when to send out a cookie. What
>>> about not sending cookies with image requests if the host of the image
>>> URL is different from the one in the main page? What do other browsers
>>> do about this?
>>
>> Yes, I think this is the way to go. One needs to decide when to send out
>> authentication credentials (legitimate session) and when to strip them
>> (CSRF attempt). Martin Johns and I developed a Firefox extension [0] that
>> does exactly this. Please see [1], pages 29-37, or [2] for more
>> information. [1] is also a pretty good introduction to CSRF. Please note
>> that the browser-independent proxy solution is deprecated (but should
>> work unless the Twisted framework changed its API too much) and the
>> Firefox extension is somewhat unmaintained at the moment...
>
> Having done some reading now: so for an HTTP redirect or an image
> request, A->B, I gather up the cookies that I would send when asking for
> B and discard those that I would not send if I were asking for A?

I am not sure I understand your question.

The basic CSRF scenario is the following:

1. You log in to some web application hosted at good.org.
2. With the same browser instance, using another window or tab (or you just forget to log out and reuse the same window), you visit evil.org.
3. evil.org hosts an HTML page that triggers a request to good.org, either using an image/script/style/object/whatever tag in the case of a GET request, or using a form and JavaScript / CSS to submit the form.
4. Your browser sends any authentication credentials like cookies along with the request, since they are associated with the target host, thus allowing evil.org to change the state of your good.org account on your behalf.

The proper thing to do is to fix this on the server side, but since CSRF isn't as widely known as XSS, many web applications are vulnerable to this problem.

Justus
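The scenario in the mail above, as an added example that is not part of the thread and is not code from the Firefox extension or the paper it cites. It models a browser cookie jar and the client-side idea discussed earlier in the thread (strip cookies from requests whose initiating page is on a different site than the target), next to the server-side fix the mail calls the proper one (a per-session anti-CSRF token that only good.org's own pages know). All hosts, paths, cookie and token values are constructed for the demo, and the "site" helper is a deliberate simplification.

```javascript
// Added example (not code from the thread, the Firefox extension or the
// paper it cites). It models the CSRF scenario in the mail above and the two
// defences discussed: the client-side idea of stripping cookies from
// cross-site requests, and the server-side fix (a per-session anti-CSRF
// token). Hosts, paths, cookie and token values are constructed for the demo.

// ---- browser side: a cookie jar keyed by host ------------------------------
const jar = new Map(); // host -> Map(cookieName -> value)

function setCookie(host, name, value) {
  if (!jar.has(host)) jar.set(host, new Map());
  jar.get(host).set(name, value);
}

function cookieHeader(host) {
  const c = jar.get(host);
  return c ? [...c].map(([n, v]) => `${n}=${v}`).join('; ') : '';
}

// Simplified "site": the last two DNS labels. Real browsers consult the
// Public Suffix List; this shortcut is an assumption made for the example.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// A request initiated by a page on one site and aimed at another site is
// cross-site. A typed or bookmarked navigation has no initiator page.
function isCrossSite(initiatorUrl, targetUrl) {
  if (initiatorUrl === null) return false;
  return site(new URL(initiatorUrl).hostname) !== site(new URL(targetUrl).hostname);
}

// Build the request the browser would send. With stripOnCrossSite set, the
// Cookie header is dropped whenever the initiating page's site differs from
// the target's; this is the policy the thread proposes.
function buildRequest(initiatorUrl, method, targetUrl, body, stripOnCrossSite) {
  const url = new URL(targetUrl);
  const cookie = stripOnCrossSite && isCrossSite(initiatorUrl, targetUrl)
    ? ''
    : cookieHeader(url.hostname);
  return { method, url, body, headers: { Cookie: cookie } };
}

// ---- server side: good.org -------------------------------------------------
const sessions = new Map([['s3cr3t-session', 'alice']]);      // sid -> user
const csrfTokens = new Map([['s3cr3t-session', 'tok-9f1e']]); // sid -> token in good.org's own forms
const balances = new Map([['alice', 100]]);

function parseCookies(header) {
  return new Map(
    header.split(';').map(s => s.trim()).filter(Boolean).map(kv => {
      const i = kv.indexOf('=');
      return [kv.slice(0, i), kv.slice(i + 1)];
    })
  );
}

// POST /transfer: identifies the user from the session cookie and, when
// requireToken is set, also demands the token that only good.org's own
// pages (not evil.org) can know. The victim's balance is returned so the
// scenarios below can show whether the attack changed state.
function handleTransfer(req, requireToken) {
  const sid = parseCookies(req.headers.Cookie).get('sid');
  const user = sessions.get(sid);
  if (!user) return { status: 401, balance: balances.get('alice') };
  const form = new URLSearchParams(req.body);
  if (requireToken && form.get('csrf') !== csrfTokens.get(sid)) {
    return { status: 403, balance: balances.get(user) };
  }
  balances.set(user, balances.get(user) - Number(form.get('amount')));
  return { status: 200, balance: balances.get(user) };
}

// ---- scenarios -------------------------------------------------------------
function reset() {
  balances.set('alice', 100);
  jar.clear();
  setCookie('good.org', 'sid', 's3cr3t-session'); // step 1: alice is logged in
}

// Steps 2-4: a page on evil.org auto-submits a form to good.org. It cannot
// read alice's token, so it can only forge the cookie-bearing request.
function forgedTransfer({ stripOnCrossSite, requireToken }) {
  reset();
  const req = buildRequest('https://evil.org/index.html', 'POST',
    'https://good.org/transfer', 'amount=50&to=mallory', stripOnCrossSite);
  return handleTransfer(req, requireToken);
}

// The same transfer made from good.org's own form, which carries the token.
function legitimateTransfer({ stripOnCrossSite, requireToken }) {
  reset();
  const req = buildRequest('https://good.org/account', 'POST',
    'https://good.org/transfer', 'amount=50&to=bob&csrf=tok-9f1e', stripOnCrossSite);
  return handleTransfer(req, requireToken);
}

console.log('no defence      ', forgedTransfer({ stripOnCrossSite: false, requireToken: false }));
console.log('cookie stripping', forgedTransfer({ stripOnCrossSite: true, requireToken: false }));
console.log('server token    ', forgedTransfer({ stripOnCrossSite: false, requireToken: true }));
console.log('legitimate      ', legitimateTransfer({ stripOnCrossSite: true, requireToken: true }));
```

With neither defence the forged POST is accepted and the balance drops; with cookie stripping the request arrives without a session and gets 401; with the token check it arrives authenticated but is refused with 403; the legitimate same-site request passes both. For the redirect case asked about above, this model would use the page that started the chain as the initiator, so a redirect from A to B is treated as cross-site exactly when A's site differs from B's; that is this example's choice, not something the thread settles.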