-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Tue, Sep 30, 2008 at 12:56:05PM +0000, corvid wrote:
> > Cross site request forgery is the one where the bad person sticks an image tag or some javascript or whatever on a page, and your privileges are used to do something.
Johannes Hofmann wrote:
> To me the cross site request forgery issue looks more like an issue of the cookie system.

No. CSRF is caused by browsers sending authentication credentials implicitly with every request to a host. Those credentials might be cookies, HTTP auth headers, SSL client certificates or even your IP address in some (stupid) intranet solutions.

Joerg Sonnenberger wrote:
> There's nothing wrong with that. Such an image URL is a simple GET request. Any web application doing a modification is broken by design and there are good reasons for allowing such URLs. The problem is allowing POST actions to a different site than the one issuing it.

This is true; GET requests shouldn't be state-changing. But there are ways to create POST requests automatically (most "active content" can do this) or by tricking the user into clicking on the submit button by styling it via CSS (this is called "clickjacking" nowadays... yay for more buzzwords) and using some social engineering ("click the monkey to win big $$$"). Disallowing cross-domain POST requests seems very restrictive but would solve the problem.

Johannes Hofmann wrote:
> Perhaps we should be more careful when to send out a cookie. What about not sending cookies with image requests, if the host of the image url is different from the one in the main page? What do other browsers do about this?

Yes, I think this is the way to go. One needs to decide when to send out authentication credentials (legitimate session) and when to strip them (CSRF attempt). Martin Johns and I developed a Firefox extension [0] that does exactly this. Please see [1] pages 29 - 37 or [2] for more information. [1] is also a pretty good introduction to CSRF.

Please note that the browser-independent proxy solution is deprecated (but should work unless the twisted framework changed its API too much) and the Firefox extension is somewhat unmaintained at the moment...

Justus

0: http://www.nongnu.org/requestrodeo/
1: http://www.informatik.uni-hamburg.de/SVS/personnel/martin/psj06johns-e.pdf
2: http://www.informatik.uni-hamburg.de/SVS/papers/2006_owasp_RequestRodeo.pdf

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI41/IoPmwNWhsaZYRAhXNAJ0WbzFz51LEObLbF8/oEPkUuZtT4ACfbCNG
KDOXrmHCAOyhR15a+p5tgR0=
=Kokv
-----END PGP SIGNATURE-----
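The decision the message above argues for, keep implicit credentials on legitimate same-site traffic and strip them on cross-domain requests, as an added example in Python. This is not RequestRodeo's code nor any code from the thread; it assumes the browser or proxy already knows which document initiated each request (the `initiator` argument, `None` for a typed URL or bookmark), which is the hard part in practice and is simply taken as input here. It compares exact origins (scheme, host, port), and offers two policies: "strict" strips on every cross-origin request, "unsafe-only" strips only on cross-origin state-changing methods, which is Joerg's position that GET must never change state. The policy names, the bank.example/evil.example hosts and the sample requests are constructed for the demo.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers the browser attaches implicitly, i.e. the ambient authority CSRF abuses.
IMPLICIT_CREDENTIAL_HEADERS = {"cookie", "authorization"}
# Methods a correctly designed application reserves for state changes.
UNSAFE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_entitled(method, url, initiator, policy="strict"):
    """Return True if the request may carry implicit credentials.

    initiator: URL of the document that caused the request, or None when the
    user typed the URL or used a bookmark (assumed to be known to the filter).
    policy "strict" strips on every cross-origin request; "unsafe-only" strips
    only on cross-origin requests whose method is state-changing.
    """
    if initiator is None:
        return True          # user navigation, no attacker-controlled page involved
    if origin(url) == origin(initiator):
        return True          # same origin: a legitimate session request
    if policy == "unsafe-only":
        return method.upper() not in UNSAFE_METHODS
    if policy == "strict":
        return False
    raise ValueError("unknown policy: %r" % (policy,))


def filter_request(method, url, headers, initiator, policy="strict"):
    """Return (headers, stripped): a copy of the headers with implicit
    credentials removed when the request is not entitled to them."""
    if is_entitled(method, url, initiator, policy):
        return dict(headers), False
    kept = {k: v for k, v in headers.items()
            if k.lower() not in IMPLICIT_CREDENTIAL_HEADERS}
    return kept, True


# Constructed sample traffic: a victim logged in at bank.example visits a page on
# evil.example. The headers are what a browser would attach before filtering.
SESSION_HEADERS = {"Host": "bank.example", "Cookie": "sid=s3cr3t",
                   "Authorization": "Basic dXNlcjpwYXNz"}
TRANSFER = "https://bank.example/transfer?to=mallory&amount=1000"
SCENARIOS = [
    # (label, method, url, initiator)
    ("img-tag GET from attacker page", "GET", TRANSFER, "http://evil.example/win-big.html"),
    ("auto-submitted POST from attacker page", "POST", TRANSFER, "http://evil.example/win-big.html"),
    ("same-origin POST from the bank's own form", "POST", TRANSFER, "https://bank.example/transfer-form"),
    ("URL typed by the user", "GET", TRANSFER, None),
    ("same host, plain http initiator", "GET", TRANSFER, "http://bank.example/news"),
]


def run_scenarios():
    """Map each scenario label to (stripped under strict, stripped under unsafe-only)."""
    results = {}
    for label, method, url, initiator in SCENARIOS:
        _, strict = filter_request(method, url, SESSION_HEADERS, initiator, "strict")
        _, lax = filter_request(method, url, SESSION_HEADERS, initiator, "unsafe-only")
        results[label] = (strict, lax)
    return results


if __name__ == "__main__":
    for label, (strict, lax) in run_scenarios().items():
        print("%-45s strict=%-5s unsafe-only=%s" % (label, strict, lax))
```

Running it shows the trade-off discussed in the thread: under "unsafe-only" the image-tag GET keeps its cookies, so a site that changes state on GET stays exploitable, while "strict" also strips credentials from the auto-submitted cross-domain POST and from the http-to-https request on the same host, because exact origin comparison treats the two schemes as different sites. A real deployment would still have to decide how subdomains are treated and how the initiating document is tracked.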