Security Basics mailing list archives

Re: Cookie Security


From: Orlin Gueorguiev <orlin () baturov com>
Date: Wed, 30 Apr 2008 07:57:08 +0200

Hi Audrius,
Every response generates a new token, which must be returned to the server on
the next request. Place this token into cookies, hidden fields, the URL,
whatever, but the server must get it back on the next request. If the next request
comes without the correct token, then the session is over. This method also
will help you avoid CSRF vulnerabilities.
According to wiki:
======
CSRF merely transmits unauthorized commands from a user the website trusts.
For example, one user, Bob, might be browsing a chat forum where another user, 
Mallory, has posted a message. Suppose that Mallory has crafted an HTML image 
element that references a script on Bob's bank's website (rather than an 
image file), e.g.,

<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

If Bob's bank keeps his authentication information in a cookie, and if the 
cookie hasn't expired, then Bob's browser's attempt to load the image will 
submit the withdrawal form with his cookie, thus authorizing a transaction 
without Bob's approval.
=====
So... what I am asking myself is how your concept can ensure that CSRF is not
going to be exploited?


> I know SSL is the "real" solution, but I wondered if anyone has attempted
> to secure this common system at an application level. Perhaps not. If so,
> that's fine.
Actually not... SSL is used to secure a virtual private connection between 2
instances. If I secure a connection to a site, I can still exploit it via XSS.

Orlin
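The per-response token scheme described in the message above, written out as an added example (this is not code from the message or from any project it mentions). It assumes an in-memory session table whose key plays the role of the session cookie, and the class and method names (SessionStore, login, issue_token, handle) are chosen here for illustration. The point it shows is the one the message makes: a cross-site request such as the forged <img> carries Bob's cookie automatically but cannot carry the token, so it is rejected and the session ended; the same check also makes a captured token single-use.

```python
"""Rotating per-response anti-CSRF token: every response mints a new token,
the next state-changing request must return it, and a mismatch ends the session."""
import hmac
import secrets


class SessionStore:
    """In-memory session table: session id (the cookie value) -> session state.
    Constructed for this example; a real deployment would back this with a store."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)           # value the browser stores in the cookie
        self.sessions[sid] = {"user": user, "token": None}
        return sid, self.issue_token(sid)         # first page render carries the first token

    def issue_token(self, sid):
        """Mint a fresh token on every response and remember it as the only acceptable one.
        The application embeds it in a hidden field or the URL, never only in a cookie."""
        token = secrets.token_urlsafe(32)
        self.sessions[sid]["token"] = token
        return token

    def handle(self, sid, submitted_token):
        """Validate a state-changing request. Returns (status, token_for_next_request)."""
        session = self.sessions.get(sid)
        if session is None:
            return "no-session", None
        expected = session["token"]
        # Constant-time comparison; a missing or stale token terminates the session.
        if (expected is None or submitted_token is None
                or not hmac.compare_digest(expected, submitted_token)):
            del self.sessions[sid]                # "the session is over"
            return "rejected-session-ended", None
        # Request accepted: perform the action, then rotate the token for the next one.
        return "ok", self.issue_token(sid)


def run_scenarios():
    """Constructed scenarios mirroring the forum/bank story; returns the status of each step."""
    results = {}
    store = SessionStore()

    # Scenario 1: a forged cross-site request (the <img> from the quote) sends Bob's
    # cookie, because the browser attaches it automatically, but no token.
    sid, token = store.login("bob")
    results["legit"] = store.handle(sid, token)[0]            # Bob's own form post
    results["forged"] = store.handle(sid, None)[0]            # forged request: cookie only
    results["after_forgery"] = store.handle(sid, token)[0]    # session already gone

    # Scenario 2: a token is single-use; replaying it after rotation is rejected.
    sid, t1 = store.login("alice")
    status, t2 = store.handle(sid, t1)
    results["first_use"] = status
    results["replay"] = store.handle(sid, t1)[0]              # old token reused
    results["fresh_token_after_replay"] = store.handle(sid, t2)[0]
    return results


if __name__ == "__main__":
    for step, status in run_scenarios().items():
        print(f"{step:26s} {status}")
```

One consequence of ending the session on any mismatch, visible in the "after_forgery" step: the legitimate user is logged out as well, so a page that merely embeds such a forged request can log victims out (a nuisance rather than a withdrawal). Strict one-token-per-response rotation also breaks when the user has several tabs open, which is why many frameworks keep one token per session and rotate it only on login.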

