On 11/05/2016 14:07, Kinn Julião wrote:
So following your example then.
You could place an HTML page on a completely different site... maybe
this page:
https://gist.github.com/kinncj/6ad5f5ef8d8c36eb5f844fb802a67b7a#file-attacker_example_net
:-)

Neither of the files in that gist is demonstrating CSRF as such.

attacker_example_net is bypassing the Same Origin Policy; it hand-wavingly pre-supposes a misconfiguration which allows this, including sending the user's cookies with the cross-domain request. Note that if the first XHR can successfully generate a CSRF token, then you don't need an <img> tag, since a second XHR to the rewritten URL will succeed. At this point, you have a far stronger attack footprint than normal CSRF anyway, because you can access privileged data and arbitrarily impersonate the user in a 2-way conversation with the server.

supersafe.com_img.jpg is simply a spam script. The request to http://example.com/contact.php is coming from the server hosting the site, and doesn't impersonate anybody. If the form requires the user to have previously authenticated, this will simply fail, because it never authenticates as anybody. If your implication is that you've tricked somebody else's *server* into executing this code, that's yet another type of attack, and there are much worse things you could do with the ability to run arbitrary code on their server.


As I mentioned in comments there:
/*
From this point, this attack will only work if:
1 - CORS is misconfigured
*/

Yes. As OWASP says, to protect against CSRF, one must first protect against XSS. However, protecting against XSS does not protect against CSRF, so token-checking or similar countermeasures are still necessary.


If the user must be responsible for securing it properly, why should this magic be added to the core?

I'm not convinced it should be in the core, but "some users will have XSS vulnerabilities" is not a good reason for it not to be.


Regards,
--
Rowan Collins
[IMSoP]
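As an added illustration of the "token-checking" countermeasure the reply refers to (example code written for this page, not from the thread, the gist, or PHP core; the function names are my own), a minimal session-bound CSRF token in userland PHP:

```php
<?php
// Added example: per-session CSRF token, verified in constant time.
// Assumes forms are submitted via POST and PHP's native sessions are in use.
declare(strict_types=1);

session_start();

function csrf_token(): string
{
    // One token per session; it is regenerated only when the session is new.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_field(): string
{
    // Emit this in every state-changing form; escape for HTML attribute context.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals() compares in constant time so the check does not leak token bytes.
    return hash_equals($expected, $given);
}

// Receiving endpoint (e.g. a contact form handler): reject POSTs without a valid token.
// Note the caveat from the thread: this only holds if the site is free of XSS,
// since injected script on the same origin can read the token from the DOM.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_verify($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```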

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
