Re: CSRF Tokens In Cookies.
Posted: Tue Feb 03, 2009 7:47 am
by Mordred
kaisellgren wrote: Instead of placing a CSRF token in GET/POST, I place it in the form field name.
Field names are transported in exactly the same manner as their values, so no cigar.
Re: CSRF Tokens In Cookies.
Posted: Tue Feb 03, 2009 11:19 am
by kaisellgren
Mordred wrote: kaisellgren wrote: Instead of placing a CSRF token in GET/POST, I place it in the form field name.
Field names are transported in exactly the same manner as their values, so no cigar.
Like I said, he's not paying me for this due to this reason. But if we are specific, I am not submitting the token in GET or POST, I'm submitting the token in a GET parameter which is submitted in GET.
Anyway. I guess I have to give up.

Re: CSRF Tokens In Cookies.
Posted: Sun Feb 08, 2009 8:27 am
by kaisellgren
Update:
OWASP and Wikipedia are suggesting a new approach of using cookies to protect from CSRF. They suggest that JS will read the cookie and put it into the form automatically. This of course does not work if HttpOnly is enabled.
Read more:
http://manicode.blogspot.com/2009/02/do ... e-and.html
Re: CSRF Tokens In Cookies.
Posted: Sun Feb 08, 2009 9:38 pm
by André D
kaisellgren wrote:They suggest that a JS will read the cookie and put it into the form automatically.
It's an interesting approach, but in my opinion it does not satisfy the conditions of your bet because ultimately the anti-CSRF token is still submitted via POST or GET.
Re: CSRF Tokens In Cookies.
Posted: Mon Feb 09, 2009 2:09 am
by exesteam
André D wrote: kaisellgren wrote: They suggest that a JS will read the cookie and put it into the form automatically.
It's an interesting approach, but in my opinion it does not satisfy the conditions of your bet because ultimately the anti-CSRF token is still submitted via POST or GET.
He already lost his bet...