Re: Form Security



Pardon my intrusion, but I hope to clarify the topic being disputed.

Jerry Stuckle wrote:
I know *exactly* how auto-form-submission works. In fact, from your
posts here I expect I know a lot more about it than you do. I've been
in this field too many years. What you describe is only *one way* it can
happen. And it's not even the most common.

I'm always disappointed to see ego impact professional discourse. More
importantly, the "one way" Chung Leong describes is a type of attack
called cross-site request forgeries (CSRF), and the safeguard he
recommends is better than you seem to think.

Code can offer clarity, so consider a simple HTML form:

<form action="http://example.org/fire.php" method="POST">
<input type="text" name="employee" />
<input type="submit" value="FIRE" />
</form>

If I am authorized to fire employees, then a request sent by me to fire
a particular employee is successful. A CSRF attack would cause me to
send such a request without my knowledge.

Now, imagine that either of the following safeguards is implemented:

1. A unique, one-time token is included in the form as a hidden form
field as well as stored in my session. A request to fire an employee is
only considered valid if the token in the request matches the one in
the session.

2. Referer is checked. An optimal implementation would take into
account whether my browser typically includes Referer, but let's assume
it does.

Now, if you really think Chung Leong is wrong, you should be able to
demonstrate a CSRF attack that is successful despite such safeguards.
You might be right, but only proof will convince me.

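The two safeguards described in the post, worked through in Python as an added example (it is not code from the post or from its author). The session, form and header dictionaries, the site host example.org and the hypothetical handler names stand in for a real framework's request objects:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed for this example: the host the form legitimately lives on.
SITE_HOST = "example.org"

def issue_token(session):
    """Safeguard 1: mint a unique one-time token and store it in the
    session so the form handler can later compare against it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def render_form(session):
    """Emit the fire form from the post, with the token as a hidden field."""
    token = issue_token(session)
    return (
        '<form action="http://example.org/fire.php" method="POST">\n'
        f'<input type="hidden" name="token" value="{token}" />\n'
        '<input type="text" name="employee" />\n'
        '<input type="submit" value="FIRE" />\n'
        '</form>'
    )

def referer_ok(headers):
    """Safeguard 2: accept only a Referer whose host is this site.
    A missing Referer is rejected here, matching the post's simplifying
    assumption that the browser does send one."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == SITE_HOST

def handle_fire(session, form, headers):
    """Handler for fire.php. The post offers the safeguards as alternatives;
    this handler applies both. The token is consumed on first use, so a
    replayed or forged request cannot reuse it."""
    expected = session.pop("csrf_token", None)
    submitted = str(form.get("token", ""))
    if expected is None or not hmac.compare_digest(
            expected.encode(), submitted.encode()):
        return (403, "rejected: bad or missing token")
    if not referer_ok(headers):
        return (403, "rejected: bad referer")
    return (200, f"fired {form['employee']}")
```

A forged cross-site POST carries the victim's cookies but not the hidden token, and its Referer (if present) names the attacker's origin, so it fails both checks.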


