About tokens

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


cybz
Forum Newbie
Posts: 5
Joined: Fri Mar 06, 2009 4:05 pm

About tokens

Post by cybz »

I was thinking of a way to stop CSRF attacks, and the principle of tokens seems flawed in a way. The hacker could load up the page to generate the token and check the source code or cookies or wherever you put it, and then send it along with his spoofed data. Am I missing something? Is there a safe way to store the token so that it's not accessible to the user but still transferred through the form? What if you send the form with JavaScript and generate the token at that time, is that safe?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: About tokens

Post by kaisellgren »

cybz wrote: Am I missing something?
Yes. CSRF exploits the trust that the site has in the user. In your demonstration, you skipped it. When an attacker is doing a CSRF, the process goes through the victim, thus such source reading is not possible unless the attacker has also managed to put some kind of malicious software on the victim's computer, or the target website has other security holes such as XSS holes, in which case it does not matter whether the attacker succeeds in doing a CSRF.
cybz
Forum Newbie
Posts: 5
Joined: Fri Mar 06, 2009 4:05 pm

Re: About tokens

Post by cybz »

OK, perhaps I was not exact about the term CSRF. I was speaking more of forgeries in general, not necessarily passing through a victim.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: About tokens

Post by kaisellgren »

The fact is, you cannot force anyone to submit POST data through your "form". There is no such thing. Tokens will make sure that under normal situations (no cracking), the form is submitted through your form, which prevents CSRF.

I am not sure what you are looking for.
cybz
Forum Newbie
Posts: 5
Joined: Fri Mar 06, 2009 4:05 pm

Re: About tokens

Post by cybz »

Indeed, I was looking for a way to make sure that the data came from my form and nowhere else. I guess I was too ambitious.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: About tokens

Post by kaisellgren »

cybz wrote: Indeed, I was looking for a way to make sure that the data came from my form and nowhere else.
Of course the user can submit the data from anywhere. The point of tokens in forms is to make sure that no attacker can make the victim submit data.
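The per-session synchronizer token described in this thread, written out as an added example in PHP 7+ (not code posted by either participant; the function names are my own). The token lives only in the user's own session and is echoed only into pages that session renders, so a cross-site request forged by a third party has no way to read or supply it; it does not, and cannot, stop the legitimate user from submitting the form from elsewhere.

```php
<?php
// Added example: synchronizer-token CSRF defence. Assumes PHP 7+ (random_bytes,
// hash_equals) and that this script handles both rendering and submission.

function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    // Hidden field carrying the session's token; the browser sends it back with the form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // Constant-time comparison so a mismatch does not leak token bytes via timing.
    return hash_equals($expected, $given);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        // Missing or wrong token: reject before any state-changing work is done.
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Token matched this session: the request was built from a page we rendered to it.
    // ... perform the state-changing action here ...
    exit('OK');
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```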
cybz
Forum Newbie
Posts: 5
Joined: Fri Mar 06, 2009 4:05 pm

Re: About tokens

Post by cybz »

Here's an idea:

User fills out the form and clicks the send button (which triggers JavaScript rather than sending the form)
JavaScript opens an HTTP request to generate a token
If the operation was a success, send the form with the data and the token
The server-side file checks if the token is valid, and executes its operations
JavaScript opens another request to delete the token

That would be pretty hard to crack now, wouldn't it :)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: About tokens

Post by kaisellgren »

cybz wrote: Here's an idea:

User fills out the form and clicks the send button (which triggers JavaScript rather than sending the form)
JavaScript opens an HTTP request to generate a token
If the operation was a success, send the form with the data and the token
The server-side file checks if the token is valid, and executes its operations
JavaScript opens another request to delete the token

That would be pretty hard to crack now, wouldn't it :)
Sorry, it would not be.

I have no time to go deeper into that, but it is rather easy to connect to the site and perform the same operations as the JavaScript does.

Seriously. Think about Firefox. Why would any other software or crackers not be able to operate JavaScript or just execute the necessary procedures? I just grab Firefox source and customize it into my own cracking tool. Phew, it is far easier than that actually.

Moreover, having a protection yields nothing. You would need to use a defense, which does not exist for this.
cybz
Forum Newbie
Posts: 5
Joined: Fri Mar 06, 2009 4:05 pm

Re: About tokens

Post by cybz »

You are right, dang! I guess there's no way around it.