Re: Form Security



Chris Shiflett wrote:
Pardon my intrusion, but I hope to clarify the topic being disputed.

Jerry Stuckle wrote:

I know *exactly* how auto-form-submission works. In fact, from your
posts here I expect I know a lot more about it than you do. I've been
in this field too many years. What you describe is only *one way* it can
happen. And it's not even the most common.


I'm always disappointed to see ego impact professional discourse. More
importantly, the "one way" Chung Leong describes is a type of attack
called cross-site request forgeries (CSRF), and the safeguard he
recommends is better than you seem to think.

Code can offer clarity, so consider a simple HTML form:

<form action="http://example.org/fire.php" method="POST">
<input type="text" name="employee" />
<input type="submit" value="FIRE" />
</form>

If I am authorized to fire employees, then a request sent by me to fire
a particular employee is successful. A CSRF attack would cause me to
send such a request without my knowledge.

Now, imagine that either of the following safeguards are implemented:

1. A unique, one-time token is included in the form as a hidden form
field as well as stored in my session. A request to fire an employee is
only considered valid if the token in the request matches the one in
the session.

2. Referer is checked. An optimal implementation would take into
account whether my browser typically includes Referer, but let's assume
it does.

Now, if you really think Chung Leong is wrong, you should be able to
demonstrate a CSRF attack that is successful despite such safeguards.
You might be right, but only proof will convince me.


That's fine if you use data kept in a session. But just using HTTP_REFERER is not a good way to do it. Whether it's set or not is immaterial - it may be missing, or it can be forged quite easily.

I can easily write some PHP code (or Java, C/C++ or whatever) which will simulate submission from your page. Not hard to do at all.

And BTW - I'm disappointed in the tone used by Chung Leong. I suspect I've been doing this a hell of a lot longer than he has - and been programming longer than he's been alive. I don't like people who talk down to me. But it's also not the first time I've seen him do this to people who disagree with him.

As for actually writing the program to do it - it's not worth my time or bother. But I've written similar programs to run performance tests on web servers. It's not hard to do at all if you understand the protocol. You don't even need to use Curl.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
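The following is an added example, not code from either poster: a Python model of the two safeguards in the quoted message, applied to requests shaped like the ones fire.php would receive. The names handle_fire, the session id "abc", the origin http://example.org (from the quoted form) and the attacker site http://evil.example are assumptions, as is the scripted client holding the victim's session cookie in scenario 4. It runs five constructed requests against each safeguard: a legitimate submission, a replay of it, a browser-driven CSRF submission, a scripted submission that forges Referer (the case Jerry describes), and a legitimate submission from a browser that sends no Referer at all.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of fire.php, taken from the form in the quoted message.
SITE_ORIGIN = "http://example.org"


def issue_token(session):
    """Safeguard 1: mint a one-time token, store it in the session and return
    it so the page can place it in a hidden form field."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def token_ok(form, session):
    """Compare the submitted token with the stored one in constant time.
    The stored token is consumed on every attempt, so a replay fails."""
    expected = session.pop("csrf_token", None)
    supplied = form.get("csrf_token")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)


def referer_ok(headers):
    """Safeguard 2: strict Referer check. A missing header is rejected, which
    is the trade-off Chris mentions for browsers that do not send it."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlparse(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_fire(request, sessions, safeguard):
    """Model of fire.php. `request` holds the cookies, headers and form fields
    the server sees; `safeguard` is "token" or "referer". Returns (status, text)."""
    session = sessions.get(request["cookies"].get("PHPSESSID"))
    if session is None or not session.get("can_fire"):
        return 403, "not authorized"
    if safeguard == "token" and not token_ok(request["form"], session):
        return 403, "bad or missing token"
    if safeguard == "referer" and not referer_ok(request["headers"]):
        return 403, "bad or missing Referer"
    return 200, "fired " + request["form"]["employee"]


def run_scenarios():
    """Run five constructed requests against each safeguard; returns the HTTP
    status for each (safeguard, scenario) pair."""
    results = {}
    for safeguard in ("token", "referer"):
        sessions = {"abc": {"can_fire": True}}  # constructed: one logged-in manager
        victim = sessions["abc"]
        cookie = {"PHPSESSID": "abc"}

        # 1. Legitimate: victim loads the form (token issued) and submits it.
        tok = issue_token(victim)
        legit = {"cookies": cookie,
                 "headers": {"Referer": "http://example.org/fire_form.php"},
                 "form": {"employee": "alice", "csrf_token": tok}}
        results[(safeguard, "legit")] = handle_fire(legit, sessions, safeguard)[0]

        # 2. Replay: the identical request body sent a second time.
        results[(safeguard, "replay")] = handle_fire(legit, sessions, safeguard)[0]

        # 3. CSRF: an attacker page auto-submits the form from the victim's
        #    browser. The browser attaches the cookie and a Referer naming the
        #    attacker's page; the attacker cannot read the token in the session.
        issue_token(victim)
        csrf = {"cookies": cookie,
                "headers": {"Referer": "http://evil.example/"},
                "form": {"employee": "alice"}}
        results[(safeguard, "csrf")] = handle_fire(csrf, sessions, safeguard)[0]

        # 4. Scripted client (the case Jerry describes): assumed to hold the
        #    session cookie; it sets Referer freely but must guess the token.
        issue_token(victim)
        scripted = {"cookies": cookie,
                    "headers": {"Referer": "http://example.org/fire_form.php"},
                    "form": {"employee": "alice", "csrf_token": "0" * 32}}
        results[(safeguard, "forged_referer")] = handle_fire(scripted, sessions, safeguard)[0]

        # 5. Legitimate submission from a browser configured to send no Referer.
        tok = issue_token(victim)
        no_ref = {"cookies": cookie, "headers": {},
                  "form": {"employee": "alice", "csrf_token": tok}}
        results[(safeguard, "no_referer")] = handle_fire(no_ref, sessions, safeguard)[0]
    return results


if __name__ == "__main__":
    for key, status in sorted(run_scenarios().items()):
        print(f"{key[0]:8s} {key[1]:15s} -> {status}")
```

Two design points: the stored token is popped before comparison so a captured request cannot be replayed, and the comparison uses hmac.compare_digest rather than == to avoid a timing side channel. The results line up with both posters' claims: the Referer check fails open for a client that sets the header itself and fails closed for a browser that strips it, while the session token rejects both the browser-driven CSRF submission and the scripted one, since neither client can read the value stored in the victim's session.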