Security Basics mailing list archives
Re: Cookie Security
From: Audrius <organzarama () gmail com>
Date: Wed, 30 Apr 2008 18:24:19 +0300
2008/4/30 Orlin Gueorguiev <orlin () baturov com>:
> <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
> If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then Bob's browser's attempt to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
> =====
> So... what I am asking myself is how your concept can ensure that CSRF is not going to be exploited?
You already have answered your question using your "if's". A token can't be in the cookies, because they are sent back on every request. But if the token is used, for example, in a URL, then your method will not work. But again, this technique will not work if the site is vulnerable to XSS. Most security methods against CSRF don't work if the site has an XSS vulnerability. Then a much better way is to use something like a captcha. Just ask the user to do something before doing important actions. But again, the captcha can't be too complicated, because you will have another problem: usability of the website. :) Better security always means less usability, and finding the middle ground is quite hard.
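The point that the token must not travel in the cookie (the browser attaches cookies to the forged request anyway) is easiest to see by replaying the quoted <img> attack against two handlers. The following is an added example written for this archive page, not code from any poster or from a real bank: the in-memory session store, the `/withdraw` handler shapes and the names `login`, `withdraw_vulnerable`, `withdraw_protected` and `simulate` are all constructed here. The protected handler is the synchronizer-token pattern: a per-session secret kept server-side, embedded in the bank's own form, and required on every state-changing POST.

```python
"""Synchronizer-token CSRF defence, simulated without a web framework.

Added example for the thread above; the bank, the session store and the
request shapes are constructed here and are not from the original posts.
"""
import hmac
import secrets

# Constructed in-memory session store: session id -> session record.
SESSIONS = {}


def login(user):
    """Create a session and return the session id that goes into the cookie.

    A per-session CSRF token is generated alongside it. The token lives only
    server-side and in pages the server renders, never in a cookie, so the
    browser will not attach it to a request an attacker's page triggers.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_withdraw_form(sid):
    """What the bank's own page embeds: the token as a hidden form field."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/withdraw">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="for"><button>Withdraw</button></form>'
    )


def _session_for(cookies):
    return SESSIONS.get(cookies.get("session", ""))


def withdraw_vulnerable(method, cookies, params):
    """Authorises on the cookie alone; the request method is ignored.

    This is the behaviour the quoted <img> attack relies on: any request that
    carries Bob's cookie is treated as Bob's intent.
    """
    sess = _session_for(cookies)
    if sess is None:
        return 401, "not logged in"
    return 200, f"{sess['user']} sent {params['amount']} to {params['for']}"


def withdraw_protected(method, cookies, form):
    """Same action, but a state change needs POST plus the session's token.

    The browser still attaches the cookie to a cross-site request, but the
    attacker's page cannot read the token out of the bank's HTML (same-origin
    policy), so the forged request fails the comparison. compare_digest keeps
    the comparison constant-time so the token is not leaked byte by byte.
    """
    sess = _session_for(cookies)
    if sess is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change must be POST"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403, "missing or wrong CSRF token"
    return 200, f"{sess['user']} sent {form['amount']} to {form['for']}"


def simulate():
    """Replay the quoted attack against both handlers; return the statuses."""
    sid = login("bob")
    bob_cookies = {"session": sid}
    # The forged request: Bob's browser loads mallory's <img>. The cookie is
    # attached automatically, but no token is present (mallory cannot read it).
    forged = {"account": "bob", "amount": "1000000", "for": "mallory"}
    vuln_status, _ = withdraw_vulnerable("GET", bob_cookies, forged)
    prot_status, _ = withdraw_protected("GET", bob_cookies, forged)
    # Mallory forcing a POST with a guessed token value still fails.
    forged_post = dict(forged, csrf_token=secrets.token_urlsafe(32))
    guess_status, _ = withdraw_protected("POST", bob_cookies, forged_post)
    # The legitimate flow: Bob submits the form the bank rendered for him.
    legit = {"csrf_token": SESSIONS[sid]["csrf"], "amount": "50", "for": "alice"}
    legit_status, _ = withdraw_protected("POST", bob_cookies, legit)
    return {"vulnerable": vuln_status, "forged": prot_status,
            "guessed": guess_status, "legitimate": legit_status}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the cookie-only handler accepting the forged GET while the token-checking handler rejects both the forged GET and a guessed-token POST, yet accepts Bob's own form submission. The caveat raised in the reply above holds for this code too: a script injected through XSS runs in the bank's origin, can read the hidden `csrf_token` field and submit a valid POST, so the token only helps on a site that is otherwise free of script injection. On modern browsers a `SameSite` attribute on the session cookie (not available in 2008) is a complementary layer, not a replacement for the token.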
Current thread:
- Cookie Security ellukicq (Apr 28)
- Re: Cookie Security Audrius (Apr 29)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Orlin Gueorguiev (Apr 30)
- Re: Cookie Security Red Davies (Apr 29)
- Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Jørgen Hovelsen (Apr 30)
- <Possible follow-ups>
- Re: Cookie Security waat (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 29)
- Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Re: Re: Cookie Security ellukicq (Apr 30)
- Re: Re: Cookie Security Audrius (Apr 30)
- Re: Cookie Security Audrius (Apr 29)