Security Basics mailing list archives
Re: Cookie Security
From: Orlin Gueorguiev <orlin () baturov com>
Date: Wed, 30 Apr 2008 07:57:08 +0200
Hi Audrius,
Every response generates a new token, which must be returned to the server on the next request. Place this token into cookies, hidden fields, the URL, whatever, but the server must get it back on the next request. If the next request comes without the correct token, then the session is over. This method will also help you avoid CSRF vulnerabilities.
According to wiki:
======
CSRF merely transmits unauthorized commands from a user the website trusts. For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g., <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"> If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then Bob's browser's attempt to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
=====
So... what I am asking myself is how your concept can ensure that CSRF is not going to be exploited?
I know SSL is the "real" solution, but I wondered if anyone has attempted to secure this common system at an application level. Perhaps not. If so, that's fine.
Actually not... SSL is used to secure a virtual private connection between 2 instances. If I secure a connection to a site, I can still exploit it via XSS.
Orlin
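The per-response token scheme discussed in this exchange, worked through as an added example (not code from anyone in the thread): the server keeps a session store, issues a fresh token with every response, and ends the session when the next request arrives without that exact token. The session store, the `TokenRotatingServer` class and the sample users are assumptions made for the demo; the `demo()` function shows why a cross-site request that carries only the cookie (the img-src case quoted from Wikipedia) is rejected, and why a replayed token is too.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread. Models the scheme described above:
# every response issues a fresh one-time token that the next request must
# carry back; a request with a missing, stale or wrong token ends the session.


@dataclass
class Session:
    user: str
    token: Optional[str] = None   # token issued with the most recent response


class TokenRotatingServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}   # hypothetical server-side store
        self.audit: List[str] = []               # what a defender would log

    def login(self, user: str) -> Tuple[str, str]:
        """Create a session (the cookie value) and issue the first token."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=user)
        return sid, self._issue(sid)

    def _issue(self, sid: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[sid].token = token
        return token

    def handle(self, sid: Optional[str], token: Optional[str],
               action: str) -> Tuple[str, Optional[str]]:
        """Process one request. Returns (outcome, token for the next request)."""
        sess = self.sessions.get(sid) if sid else None
        if sess is None:
            return "rejected: no session", None
        expected = sess.token
        if token is None or expected is None or not hmac.compare_digest(token, expected):
            # Missing or wrong token: a cookie-only cross-site request (the
            # img-src case) or a replayed token lands here. End the session
            # and record it, since this is the signal a defender can alert on.
            del self.sessions[sid]
            self.audit.append(
                f"token mismatch for user={sess.user} action={action}; session ended")
            return "rejected: token mismatch, session ended", None
        next_token = self._issue(sid)             # rotate for the next request
        return f"ok: {sess.user} did {action}", next_token


def demo() -> Dict[str, str]:
    """Legitimate use, a replayed token, and a cookie-only cross-site request."""
    results: Dict[str, str] = {}
    srv = TokenRotatingServer()

    # Scenario A: normal use, then a replay of a token that was already consumed.
    sid, t1 = srv.login("bob")
    r1, t2 = srv.handle(sid, t1, "view balance")
    r2, _t3 = srv.handle(sid, t2, "view statement")
    r3, _ = srv.handle(sid, t1, "withdraw")       # t1 is stale: session ends
    results["legit_1"] = r1
    results["legit_2"] = r2
    results["replay"] = r3

    # Scenario B: the browser attaches the session cookie to a cross-site
    # <img src=...withdraw...> request, but the attacker's page never saw the token.
    sid, t1 = srv.login("alice")
    r4, _ = srv.handle(sid, None, "withdraw")
    r5, _ = srv.handle(sid, t1, "view balance")   # victim's next real request
    results["csrf"] = r4
    results["after_csrf"] = r5
    results["audit_entries"] = str(len(srv.audit))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth noting when applying this outside a demo: a strict one-token-per-response rule breaks legitimate use whenever a browser sends requests in parallel (multiple tabs, background XHR) or uses the back button, which is why production synchronizer-token designs usually bind one token per session or per form rather than per response; and the scheme only helps against CSRF if the token travels in the request body, a header or the URL rather than solely in a cookie, since anything the browser attaches automatically is exactly what the cross-site request gets for free.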
Current thread:
- Cookie Security ellukicq (Apr 28)
- Re: Cookie Security Audrius (Apr 29)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Red Davies (Apr 29)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Jørgen Hovelsen (Apr 30)
- <Possible follow-ups>
- Re: Cookie Security waat (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Audrius (Apr 29)