This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Testing for CSRF (OTG-SESS-005)"

From OWASP
m (Andrew Muller moved page Talk:Testing for CSRF (OWASP-SM-005) to Talk:Testing for CSRF (OTG-SESS-005): Align with Common Numbering)
 
(3 intermediate revisions by 3 users not shown)
Line 2: Line 2:
 
<br>
 
<br>
 
Good Call. Jeff has made the changes. [[User:Mmeucci|Matteo Meucci]] 20.00, 18 Janaury 2007
 
Good Call. Jeff has made the changes. [[User:Mmeucci|Matteo Meucci]] 20.00, 18 Janaury 2007
 +
 +
== Point 3 needs to be clarified ==
 +
 +
Point 3 states "Point 3) By “known by the browser” we mean information such as cookies or http-based authentication information (such as Basic Authentication; NOT form-based authentication)..."
 +
 +
Form-based authentication in its generic sense, means that we initially perform authentication via a form. If we do this, our session ID can be stored in a non-persistent cookie (e.g., session cookie), which is still vulnerable to CSRF attacks since they are automatically sent along with every request. I think implying that form-based authentication is secure is inaccurate. The only time form-based authN is safe from CSRF is if session cookies are not used and the session ID is rewritten in the URL (though this is another vulnerability in itself).
 +
 +
== Rererrer ==
 +
 +
I removed referrer usage recommendation because we should not recommend referrer checking by any means.
 +
 +
First reason it's known to be suspected to spoof attacks (already mentioned), Secondly rejecting empty referrers will cause to block legitimate users by mistake therefore developers will accept empty referrers as well which is even easier bypass as an attacker. Therefore as OWASP we should not recommend a bad practice to developers.
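Review bot: the new section heading "== Rererrer ==" is misspelled and should read "== Referrer ==" so the section is findable in the table of contents; in the paragraph under it, "known to be suspected to spoof attacks" should read "known to be susceptible to spoofing attacks", and "cause to block legitimate users" should read "block legitimate users".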

Latest revision as of 14:19, 31 July 2014

This chapter really should be called Cross site request forgeries. Session riding is becoming old skool. Vanderaj 20:25, 15 January 2007 (EST)

Good Call. Jeff has made the changes. Matteo Meucci 20.00, 18 January 2007

Point 3 needs to be clarified

Point 3 states "Point 3) By “known by the browser” we mean information such as cookies or http-based authentication information (such as Basic Authentication; NOT form-based authentication)..."

Form-based authentication, in its generic sense, means that we initially perform authentication via a form. If we do this, our session ID can be stored in a non-persistent cookie (e.g., a session cookie), which is still vulnerable to CSRF attacks since such cookies are automatically sent along with every request. I think implying that form-based authentication is secure is inaccurate. The only time form-based authN is safe from CSRF is if session cookies are not used and the session ID is rewritten in the URL (though this is another vulnerability in itself).

Referrer

I removed referrer usage recommendation because we should not recommend referrer checking by any means.

First, it is known to be susceptible to spoofing attacks (already mentioned). Secondly, rejecting empty referrers will block legitimate users by mistake, so developers will accept empty referrers as well, which is an even easier bypass for an attacker. Therefore, as OWASP, we should not recommend a bad practice to developers.
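The trade-off described in the two posts above (a Referer check either blocks legitimate users or, once empty referrers are accepted, passes cross-site requests, while a session-bound token does neither), as an added example that is not part of the original discussion or of the OWASP testing guide; the origin, request samples and function names are constructed for illustration:

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # hypothetical application origin


def referer_check(headers, allow_empty):
    """Request-origin check based only on the Referer header.

    allow_empty=False is the strict variant that blocks legitimate users whose
    browser or proxy strips Referer; allow_empty=True is the lenient variant
    developers fall back to, which passes any request that simply omits it.
    """
    referer = headers.get("Referer")
    if not referer:
        return allow_empty
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_check(session_token, form_token):
    """Synchronizer-token check: the value submitted with the form must match
    the secret stored in the server-side session. A cross-site page cannot
    read that value, so it cannot produce a passing request."""
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)


# Constructed sample requests: (description, request headers, submitted token).
SESSION_TOKEN = secrets.token_hex(16)  # value the server stored for this session
REQUESTS = [
    ("legit, normal browser", {"Referer": SITE_ORIGIN + "/account"}, SESSION_TOKEN),
    ("legit, Referer stripped by privacy proxy", {}, SESSION_TOKEN),
    ("cross-site, Referer present", {"Referer": "https://other.example/page"}, None),
    ("cross-site, Referer suppressed", {}, None),
]


def evaluate(policy):
    """Return {description: accepted} for every sample request under a policy."""
    results = {}
    for desc, headers, form_token in REQUESTS:
        if policy == "referer_strict":
            results[desc] = referer_check(headers, allow_empty=False)
        elif policy == "referer_lenient":
            results[desc] = referer_check(headers, allow_empty=True)
        else:  # "token"
            results[desc] = token_check(SESSION_TOKEN, form_token)
    return results
```

Running `evaluate` under the three policies shows the strict Referer check rejecting the proxied legitimate user, the lenient one accepting the suppressed-Referer cross-site request, and the token check accepting exactly the two legitimate requests.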