About tokens
Posted: Fri Mar 06, 2009 4:16 pm
by cybz
I was thinking of a way to stop CSRF attacks, and the principle of tokens seems flawed in a way. The hacker could load up the page to generate the token and check the source code or cookies or wherever you put it, and then send it along with his spoofed data. Am I missing something? Is there a safe way to store the token so that it's not accessible to the user but still transferred through the form? What if you send the form with JavaScript and generate the token at that time, is that safe?
Re: About tokens
Posted: Fri Mar 06, 2009 4:31 pm
by kaisellgren
cybz wrote: Am I missing something?
Yes. CSRF exploits the trust that the site has in the user. In your demonstration, you skipped it. When an attacker is doing a CSRF, the process goes through the victim, thus such source reading is not possible unless the attacker has also managed to put some kind of malicious software on the victim's computer, or the target website has other security holes such as XSS holes, in which case it does not matter whether the attacker succeeds in doing a CSRF.
Re: About tokens
Posted: Fri Mar 06, 2009 4:54 pm
by cybz
OK, perhaps I was not exact about the term CSRF. I was speaking more of forgeries in general, not necessarily passing through a victim.
Re: About tokens
Posted: Fri Mar 06, 2009 5:00 pm
by kaisellgren
The fact is, you cannot force anyone to submit POST data through your "form". There is no such thing. Tokens will make sure that under normal situations (no cracking), the form is submitted through your form, which prevents CSRF.
I am not sure what you are looking for.
Re: About tokens
Posted: Fri Mar 06, 2009 5:05 pm
by cybz
Indeed I was looking for a way to make sure that the data came from my form and nowhere else. I guess I was too ambitious.
Re: About tokens
Posted: Fri Mar 06, 2009 5:08 pm
by kaisellgren
cybz wrote: Indeed I was looking for a way to make sure that the data came from my form and nowhere else.
Of course the user can submit the data from anywhere. The point of tokens in forms is to make sure that no attacker can make the victim submit data.
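The point kaisellgren makes above, shown as an added example that is not from any poster in this thread: a synchronizer token stored in the server-side session and echoed in the site's own form. The in-memory session store, the handler names and the constructed requests are assumptions for illustration; the legitimate user can read the token, and that is fine, because a page on another origin cannot.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session_id -> session data.
SESSIONS: dict[str, dict] = {}

def start_session() -> str:
    """Create a session and attach a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid: str) -> str:
    """The site's own form embeds the session's token as a hidden field.
    An attacker's page on another origin cannot read this HTML (same-origin
    policy), so knowing the token requires being the user, not just
    making the user's browser send a request."""
    token = SESSIONS[sid]["csrf"]
    return f'<form method="post"><input type="hidden" name="csrf" value="{token}"></form>'

def handle_post(cookies: dict, form: dict) -> tuple[int, str]:
    """Server-side check: the submitted token must match the one stored in the
    session named by the cookie. The browser attaches the cookie automatically
    on a cross-site POST, which is exactly why the cookie alone is not enough."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "bad csrf token"
    return 200, "accepted"

def demo() -> tuple[tuple[int, str], tuple[int, str], tuple[int, str]]:
    """Legitimate submission vs. two forged cross-site submissions (constructed)."""
    sid = start_session()
    # The real user's browser sees the token because it loaded the form page.
    token = render_form(sid).split('value="')[1].split('"')[0]
    legit = handle_post({"session": sid}, {"csrf": token, "amount": "10"})
    # Forged request: the victim's cookie rides along, but the attacker never
    # saw the form, so the token is absent or merely guessed.
    forged = handle_post({"session": sid}, {"amount": "10"})
    guessed = handle_post({"session": sid}, {"csrf": "x" * 43, "amount": "10"})
    return legit, forged, guessed

if __name__ == "__main__":
    print(demo())
```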
Re: About tokens
Posted: Fri Mar 06, 2009 5:23 pm
by cybz
Here's an idea:
User fills out the form and clicks the send button (which triggers JavaScript rather than sending the form)
JavaScript opens an HTTP request to generate a token
If the operation was a success, send the form with the data and the token
The server-side file checks if the token is valid, and executes its operations
JavaScript opens another request to delete the token
That would be pretty hard to crack now, wouldn't it?

Re: About tokens
Posted: Fri Mar 06, 2009 5:26 pm
by kaisellgren
cybz wrote: Here's an idea:
User fills out the form and clicks the send button (which triggers JavaScript rather than sending the form)
JavaScript opens an HTTP request to generate a token
If the operation was a success, send the form with the data and the token
The server-side file checks if the token is valid, and executes its operations
JavaScript opens another request to delete the token
That would be pretty hard to crack now, wouldn't it?

Sorry, it would not be.
I have no time to go deeper into that, but it is rather easy to connect to the site and evaluate the same operations as what the JavaScript does.
Seriously. Think about Firefox. Why would any other software or crackers not be able to operate JavaScript or just execute the necessary procedures? I just grab Firefox source and customize it into my own cracking tool. Phew, it is far easier than that actually.
Moreover, having a protection yields nothing. You would need to use a defense, which does not exist for this.
Re: About tokens
Posted: Fri Mar 06, 2009 5:30 pm
by cybz
You are right, dang! I guess there's no way around it.