kaisellgren wrote: Instead of placing a CSRF token in GET/POST, I place it in the form field name.
Field names are transported in exactly the same manner as their values, so no cigar.
CSRF Tokens In Cookies.
Re: CSRF Tokens In Cookies.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: CSRF Tokens In Cookies.
Mordred wrote:
kaisellgren wrote: Instead of placing a CSRF token in GET/POST, I place it in the form field name.
Field names are transported in exactly the same manner as their values, so no cigar.
Like I said, he's not paying me for this due to this reason. But if we are specific, I am not submitting the token in GET or POST, I'm submitting the token in a GET parameter which is submitted in GET.
Anyway. I guess I have to give up.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: CSRF Tokens In Cookies.
Update:
OWASP and Wikipedia are suggesting a new approach of using cookies to protect from CSRF. They suggest that a JS will read the cookie and put it into the form automatically. This of course does not work if HTTPOnly is enabled.
Read more: http://manicode.blogspot.com/2009/02/do ... e-and.html
Re: CSRF Tokens In Cookies.
kaisellgren wrote: They suggest that a JS will read the cookie and put it into the form automatically.
It's an interesting approach, but in my opinion it does not satisfy the conditions of your bet because ultimately the anti-CSRF token is still submitted via POST or GET.
Re: CSRF Tokens In Cookies.
André D wrote:
kaisellgren wrote: They suggest that a JS will read the cookie and put it into the form automatically.
It's an interesting approach, but in my opinion it does not satisfy the conditions of your bet because ultimately the anti-CSRF token is still submitted via POST or GET.
He already lost his bet...