Comments on: On CSRF http://www.greebo.net/2007/04/02/on-csrf/ mostly useless crap from me Sun, 21 Feb 2010 00:51:44 +0000 http://wordpress.org/?v=2.9 hourly 1 By: vanderaj http://www.greebo.net/2007/04/02/on-csrf/comment-page-1/#comment-7945 vanderaj Mon, 23 Apr 2007 00:42:33 +0000 http://www.greebo.net/?p=409#comment-7945 Louis, you're right. After talking this potential method over with some folks, it's not that much better than a random token; knowing a secret doesn't necessarily mean you can't force the Javascript to execute things via CSRF directed at the existing client-side JS. I still think a positional token would hamper all but the cleverest attacks, but this positional token doesn't require PKI, it just requires a random value. That would be of the same level of difficulty to attack as before. Andrew Louis,

you’re right. After talking this potential method over with some folks, it’s not that much better than a random token; knowing a secret doesn’t necessarily mean you can’t force the Javascript to execute things via CSRF directed at the existing client-side JS.

I still think a positional token would hamper all but the cleverest attacks, but this positional token doesn’t require PKI, it just requires a random value. That would be of the same level of difficulty to attack as before.

Andrew

]]> By: Louis van Ekert http://www.greebo.net/2007/04/02/on-csrf/comment-page-1/#comment-7827 Louis van Ekert Fri, 20 Apr 2007 00:34:32 +0000 http://www.greebo.net/?p=409#comment-7827 Hi Andrew, how are things? - I read your diary with interest and irregularly. Just a Q. re: rsToken = sign(serverPublicKey, destination Flow ID, Flow Step); are you implying that serverPublicKey is the signing key? If so, anyone (incl. attack zombies) could sign. Wouldn't you need some sort of shared secret to sign - like it is done in HMAC? All the best. Louis Hi Andrew, how are things? – I read your diary with interest and irregularly.
Just a Q. re: rsToken = sign(serverPublicKey, destination Flow ID, Flow Step);
are you implying that serverPublicKey is the signing key? If so, anyone (incl. attack zombies) could sign. Wouldn’t you need some sort of shared secret to sign – like it is done in HMAC?
All the best.
Louis

]]>