Re: CSRF Protection: double submitted cookie

2008-10-22 Thread Jörn Zaefferer
I've created a ticket and attached a reference implementation: https://issues.apache.org/jira/browse/WICKET-1885 Jörn On Mon, Oct 20, 2008 at 11:31 PM, Jörn Zaefferer [EMAIL PROTECTED] wrote: The double-submitted-cookie isn't related to double submit protection, no. Thats a completely

RE: CSRF Protection: double submitted cookie

2008-10-22 Thread Zappaterrini, Larry
-forgery-attacks If I am not mistaken. -Original Message- From: Jörn Zaefferer [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 22, 2008 8:05 AM To: users@wicket.apache.org Subject: Re: CSRF Protection: double submitted cookie I've created a ticket and attached a reference implementation

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Nino Saturnino Martinez Vazquez Wael
for me +1 if it does not interfere with other stuff. Jörn Zaefferer wrote: Hi, my application currently uses CryptedUrlWebRequestCodingStrategy to protect against CRSF attacks. Afaik 1.3.5 will include an update that generates the key based on user sessions:

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Johan Compagner
what i dont get if an attacker wants to submit the form. and it can get to the form it can do the post but you say it cant access the cookie. But if the cookie value is just compared to the form post value we have to make sure that the name of the cookie cant be guessed right? So what should the

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Jörn Zaefferer
No, the cookie is subject to the same-origin-policy, both in reading and writing. The request is authenticated because the session cookie is set, but its invalid when the form itself is missing the value. Combining the attack with XSS would give access to the cookie, but then he could just as well

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Jörn Zaefferer
I've looked at CSRFGuard, the approach has several of the drawbacks described in the paper. Its much less effective then the double-submitted-cookie, eg. it involves buffering and rewriting the response to modify forms. It generates values for each rendered form and stores it in the user session

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Johan Compagner
hmm i will read the paper then I stil dont get it how it is possible with 1 cookie, that then can never change when it is first generated and all the forms also just have that value right? But it is also for double submit protection right? So the cookie has to change right? But how can you then

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Nino Saturnino Martinez Vazquez Wael
Ahh, a no go for their filter then. The idea are very nice though. Jörn Zaefferer wrote: I've looked at CSRFGuard, the approach has several of the drawbacks described in the paper. Its much less effective then the double-submitted-cookie, eg. it involves buffering and rewriting the response to

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Nino Saturnino Martinez Vazquez Wael
I found this interesting: Don't forget OWASP CSRFTester and CSRFGuard http://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks#comment-100619 Comment by Jeff Williams http://www.owasp.org on September 29th, 2008 at 9:53 am. OWASP has made two

Re: CSRF Protection: double submitted cookie

2008-10-20 Thread Nino Saturnino Martinez Vazquez Wael
Hmm and what about nested forms? Johan Compagner wrote: hmm i will read the paper then I stil dont get it how it is possible with 1 cookie, that then can never change when it is first generated and all the forms also just have that value right? But it is also for double submit protection