Menu
I am reading the tutorial at
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
It states
Remember - you must never rely on the sessionID sent to your server in the cookie header ; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server.
Is it use to prevent http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics
With this mythology, is it sufficient enough to prevent to above attack?
703
Cross-site request forgery is an example of a confused deputy attack against a web browser because the web browser is tricked into submitting a forged request by a less privileged attacker. CSRF commonly has the following characteristics: It involves sites that rely on a user's identity.
Definition. Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.
It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies.
CSRF token is tied to a non-session cookie The attacker can log in to the application using their own account, obtain a valid token and associated cookie, leverage the cookie-setting behavior to place their cookie into the victim's browser, and feed their token to the victim in their CSRF attack.
Yes, it is sufficient to prevent Cross Site Request Forgery.
The sessionid in the cookie cannot be trusted. Say a user is logged on to mysite.com and session id is in the cookie. Now the user clicks on a link to evilsite.com. evilsite.com has code like this
<img src="http://mysite.com/transfermoney.jsp?amount=1000.." />
The browser will make a request to mysite.com, and it will also send along the cookie with the session id. The thing to understand here is that evilsite.com cannot read the cookie, but it can still get its job done.
Browser same-origin policy prevents evilsite.com from reading the session identifier whether its in the cookie or embedded in html page. But because browser automatically sends the cookie to your server even if the resource was requested from the html code in another domain, you have XSRF.
To prevent this, it is recommended to put the session identifier as a request parameter. If its added as a request parameter, evilsite.com cannot access the identifier, and hence cannot put it in the img src attribute.
However, do remember that if your site has XSS vulnerabilities, nothing can prevent you from XSRF. Put it another way, if you have XSS vulnerabilities, an attacker wouldn't even care about doing XSRF.
130
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
