security - Tricky question for good understanding of CSRF -


my friend , have pari beer.

from wikipedia:

requiring secret, user-specific token in form submissions , side-effect urls prevents csrf; attacker's site cannot put right token in submissions

the atacker can use browser cookies indirectly, can't use them directly! that's why can't put cookies link using document.write()

let how logout link generated. secure way? can request faked?

function logout(){      echo '<a href="?action=logout&sid='.htmlspecialchars($_cookie['sid']).'>logout</a>'; }

sid session id, generated every session

on server side, following checking performed:

$_get['sid']==$_cookie['sid']

absolutely not! never use session identifiers csrf protection.

as far why? well, answer simple. doing opens door session hijacking attacks. imagine copies , pastes link reason email or onto web. now, person on other end of email has session identifier of session. sure, if click link won't activate session, knows doing still able use it.

and don't use secret cookie either. cookies transmitted on every request. mere existence of cookie not verify user intended make request.

how instead? follow owasp recommendations. use unique, random token that's issued on each request , associated session. verify token valid on submission , invalidate token! should one-time-use token only. have submitted form, , not attached link directly...


Comments

Post a Comment

Popular posts from this blog

apache - Add omitted ? to URLs -

i working on website cms reads page name of query string, e.g. http://exmaple.com/?pagename . trying create rewrite rule rewrite ? . so, user types in /pagename , taken /?pagename try this: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^/?(.*) index.php?$1 [l]
Read more

redirect - bbPress Forum - rewrite to wwww.mysite prohibits login -

i using bbpress installation without wordpress integration. the redirect of rewriteengine @ forum site works: rewriteengine on rewritecond %{http_host} ^forum.mysite.com$ rewriterule (.*)$ http://www.forum.mysite.com/$1 [r=301,l] the problem login pppress. bbpress login not recognize: http://www.forum.mysite/bb-login.php . it redirects to: http://forum.mysite.com/bb-login.php . i tried permalink settings none , name based, same issue. does uses redirect in bbpress or how can eliminate "double" content , redirect permanently www.? i redirected www.forum.mysite.com forum.mysite.com , achieved eliminate "double" content.
Read more

php - How can I stop spam on my custom forum/blog? -

so have custom built forum & blog system of late has been dealing lot of spam. if wordpress use akismet, if different common platform i'm sure i'd find plugin. there kind of static class can download this? using php. i'd still go akismet, if it. uses outside of wordpress, may have pay fee it, depending on use -- check terms , conditions -- it's option , easy implement in php using api. use api key wordpress. com account access. basically, grab whichever php client library takes fancy -- use alex potsides' php5 library -- plug in key, , it's handful of lines of code. here's bare bones of validation straight 1 of live sites: ... if ($akismet) { $akismet->setcommentauthor($name); $akismet->setcommentauthoremail($session->userinfo["email"]); $akismet->setcommentauthorurl(""); $akismet->setcommentcontent($sentence);...
Read more