Difference between revisions of "Talk:Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
(Is this statement really correct?)
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== Don't post theoretical attacks,  or "here say" on any OWASP page. ==
 
== Don't post theoretical attacks,  or "here say" on any OWASP page. ==
  
Look people. A referer check is a valid form of protection and is currently being used to stop the most dangerous CSRF vulnerability ever discovered (according to the DHS: http://www.kb.cert.org/vuls/id/643049).  If you think it be exploitedPROVE IT.  Stop spreading clearly false information on OWASP.  
+
If you edit this page, please provide a rational.  If you make a mindless edit without rationalizationit maybe reverted.
  
Write an exploit and show me that it worksThen you can change the owasp wiki.
+
A referer check is a valid form of protection and is currently being used to stop the most dangerous CSRF vulnerability ever discovered (according to the DHS: http://www.kb.cert.org/vuls/id/643049).  If you think it be exploited,  PROVE IT.  Stop spreading clearly false information on OWASP.
 +
 
 +
==Is this statement really correct?==
 +
''This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie.
 +
''
 +
 
 +
This seems incorrect.  An attacker can modify cookies from a sibling domain.  See https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf for examples.  Thus double-submit csrf cookie should also be checked for some tie to the logged in session so that it can't just be pushed in.
 +
 
 +
Jim July 27, 2014: What about "''This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker would be unable to modify or read the value stored in the cookie other than via cross site scripting. (And cross site scripting resistance is a requirement for good CSRF defense to begin with."
 +
 
 +
--[[User:David Ohsie|David Ohsie]] ([[User talk:David Ohsie|talk]]) 09:47, 30 July 2014 (CDT) I don't think that this is 100% accurate eitherCookies can be written via CSS in a sibling domain, so that even if the application in not vulnerable to CSS, if the sibling domain application is vulnerable to CSS, or is simply not trustworthy, cookies can be written.  Cookies can also be written via MITM attacks on http.  So the application in question can be completely "secure", but it's cookies can be tampered with anyhow.  That is why the paper referenced above suggests that the CSRF token must in some way be tied to the user's session or identity and the "naive" double submit method is vulnerable.  At the very least, with naive double submit, the application should check to make sure that there is only one CSRF token cookie value as this will mitigate some attempts to write the cookie from another domain.
 +
 
 +
Jim July 30, 2014: Ok I got it. Can you make your change live in the document itself to clarify this? Or hey, the entire CSRF Defense cheat sheet needs to be fully re-written and made more concise and more of a "cheat" for developers. Are you interested in taking this over? Aloha! Ps: I'm jim@owasp.org if you want to take this to email.
 +
 
 +
--[[User:David Ohsie|David Ohsie]] ([[User talk:David Ohsie|talk]]) 11:45, 31 July 2014 (CDT)I'll take a crack at editing, although I don't know if I am capable of doing a rewrite. I didn't want to make any changes without some prior discussion.
 +
 
 +
Jim July 31 2014, Thank you - any help is appreciated. I'm happy to discuss any changes you wish to make. I think this entire page needs a re-do, but happy to do that one change at a time. Aloha!

Latest revision as of 14:34, 31 July 2014

Don't post theoretical attacks, or "here say" on any OWASP page.

If you edit this page, please provide a rational. If you make a mindless edit without rationalization, it maybe reverted.

A referer check is a valid form of protection and is currently being used to stop the most dangerous CSRF vulnerability ever discovered (according to the DHS: http://www.kb.cert.org/vuls/id/643049). If you think it be exploited, PROVE IT. Stop spreading clearly false information on OWASP.

Is this statement really correct?

This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie.

This seems incorrect. An attacker can modify cookies from a sibling domain. See https://media.blackhat.com/eu-13/briefings/Lundeen/bh-eu-13-deputies-still-confused-lundeen-wp.pdf for examples. Thus double-submit csrf cookie should also be checked for some tie to the logged in session so that it can't just be pushed in.

Jim July 27, 2014: What about "This means that while an attacker can send any value he wants with a malicious CSRF request, the attacker would be unable to modify or read the value stored in the cookie other than via cross site scripting. (And cross site scripting resistance is a requirement for good CSRF defense to begin with."

--David Ohsie (talk) 09:47, 30 July 2014 (CDT) I don't think that this is 100% accurate either. Cookies can be written via CSS in a sibling domain, so that even if the application in not vulnerable to CSS, if the sibling domain application is vulnerable to CSS, or is simply not trustworthy, cookies can be written. Cookies can also be written via MITM attacks on http. So the application in question can be completely "secure", but it's cookies can be tampered with anyhow. That is why the paper referenced above suggests that the CSRF token must in some way be tied to the user's session or identity and the "naive" double submit method is vulnerable. At the very least, with naive double submit, the application should check to make sure that there is only one CSRF token cookie value as this will mitigate some attempts to write the cookie from another domain.

Jim July 30, 2014: Ok I got it. Can you make your change live in the document itself to clarify this? Or hey, the entire CSRF Defense cheat sheet needs to be fully re-written and made more concise and more of a "cheat" for developers. Are you interested in taking this over? Aloha! Ps: I'm jim@owasp.org if you want to take this to email.

--David Ohsie (talk) 11:45, 31 July 2014 (CDT)I'll take a crack at editing, although I don't know if I am capable of doing a rewrite. I didn't want to make any changes without some prior discussion.

Jim July 31 2014, Thank you - any help is appreciated. I'm happy to discuss any changes you wish to make. I think this entire page needs a re-do, but happy to do that one change at a time. Aloha!