About tokens
I was thinking of a way to stop CSRF attacks. And the principle of tokens seems flawed in a way. The hacker could load up the page to generate the token and check the source code or cookies or wherever you put it, and then send it along with his spoofed data. Am I missing something? Is there a safe way to store the token so that it's not accessible to the user but still transferred through the form? What if you send the form with JavaScript and generate the token at that time, is that safe?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: About tokens
cybz wrote: Am I missing something?
Yes. CSRF exploits the trust that the site has over the user. In your demonstration, you skipped it. When an attacker is doing a CSRF, the process goes through the victim; thus, such source reading is not possible unless the attacker has also managed to put some kind of malicious software on the victim's computer, or the target website has other security holes such as XSS holes, in which case it does not matter whether the attacker succeeds in doing a CSRF.
Re: About tokens
OK, perhaps I was not exact about the term CSRF. I was speaking more of forgeries in general, not necessarily passing through a victim.
- kaisellgren
Re: About tokens
The fact is, you cannot force anyone to submit POST data through your "form". There is no such thing. Tokens will make sure that under normal situations (no cracking), the form is submitted through your form, which prevents CSRF.
I am not sure what you are looking for.
Re: About tokens
Indeed I was looking for a way to make sure that the data came from my form and nowhere else. I guess I was too ambitious.
- kaisellgren
Re: About tokens
cybz wrote: Indeed I was looking for a way to make sure that the data came from my form and nowhere else.
Of course the user can submit the data from anywhere. The point of tokens in forms is to make sure that no attacker can make the victim submit data.
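The point made in the replies above, as an added example that is not part of the original thread: each session stores its own token, so a token the attacker reads from his own page load fails when a forged request arrives with the victim's session cookie, while anyone can still post directly as himself. The names `login`, `handle_post` and the in-memory `SESSIONS` store are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token.
SESSIONS = {}


def login():
    """Create a session and return (session_id, csrf_token), as a form page load would."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def handle_post(session_cookie, form_token):
    """Accept the POST only if the token matches the one stored for this session."""
    expected = SESSIONS.get(session_cookie)
    if expected is None or not form_token:
        return False
    # Constant-time comparison of the stored and submitted tokens.
    return hmac.compare_digest(expected, form_token)


def demo():
    victim_sid, victim_token = login()
    attacker_sid, attacker_token = login()  # the attacker loads the form himself
    return {
        # The victim uses the real form: own cookie, own token.
        "victim_own_form": handle_post(victim_sid, victim_token),
        # Forged request sent through the victim's browser: the browser attaches
        # the victim's cookie, but the only token the attacker knows is his own.
        "forged_with_attacker_token": handle_post(victim_sid, attacker_token),
        "forged_without_token": handle_post(victim_sid, ""),
        # The attacker posting as himself from a script is a valid request:
        # the token does not prove the data came from the HTML form.
        "attacker_as_himself": handle_post(attacker_sid, attacker_token),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```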
Re: About tokens
Here's an idea:
User fills out the form and clicks the send button (which triggers JavaScript rather than sending the form)
JavaScript opens an HTTP request to generate a token
If the operation was a success, send the form with the data and the token
The server-side file checks if the token is valid, and executes its operations
JavaScript opens another request to delete the token
That would be pretty hard to crack now, wouldn't it?
- kaisellgren
Re: About tokens
cybz wrote: Here's an idea:
User fills out the form and clicks the send button (which triggers JavaScript rather than sending the form)
JavaScript opens an HTTP request to generate a token
If the operation was a success, send the form with the data and the token
The server-side file checks if the token is valid, and executes its operations
JavaScript opens another request to delete the token
That would be pretty hard to crack now, wouldn't it?
Sorry, it would not be.
I have no time to go deeper into that, but it is rather easy to connect to the site and evaluate the same operations as what the JavaScript does.
Seriously. Think about Firefox. Why would any other software or crackers not be able to operate JavaScript or just execute the necessary procedures? I just grab Firefox source and customize it into my own cracking tool. Phew, it is far easier than that actually.
Moreover, having a protection yields nothing. You would need to use a defense, which does not exist for this.
Re: About tokens
You are right, dang! I guess there's no way around it.