Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Kinn Julião <kinncj@gmail.com>
To: Yasuo Ohgaki
Cc: internals@lists.php.net, Stanislav Malyshev
Date: Tue, 10 May 2016 22:56:31 -0400

The point with your example is: the cross site can request the "get_csrf_token.php", store on its session (even curl can save the session id cookie or whatever), get the token and request the endpoint with the retrieved token and session id.

Got it?

On May 10, 2016 10:53 PM, "Kinn Julião" wrote:
> You seem to have misunderstood your own "get_csrf_token.php" and how
> attackers would benefit from that.
>
> Anyway, you're trying to transfer an application behaviour to the core...
> Stick to -1.
> On May 10, 2016 10:18 PM, "Yasuo Ohgaki" wrote:
>
>> Hi Kinn,
>>
>> On Wed, May 11, 2016 at 10:20 AM, Kinn Julião wrote:
>> >> JS code that does not have pages at all may obtain CSRF token manually.
>> >
>> > That's against CSRF protection... in fact, a remote app can obtain the
>> > token also and make the cross site request forgery...
>> >
>> > -1
>>
>> You seem to have __misunderstood__ the behavior.
>>
>> The random CSRF token generation key is stored in session data which is
>> private to users.
>> The CSRF token is generated by using the secret key.
>>
>> Therefore, an attacker cannot get the CSRF token unless they have already
>> stolen the session (which is not in the scope of this RFC).
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
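The session-keyed token scheme Yasuo describes in the quoted reply, as an added example that is not code from the RFC or from PHP itself: a per-session secret and an HMAC-derived token, with plain arrays standing in for `$_SESSION` so it runs from the CLI. The function names, the 32-byte key size and the context strings are assumptions.

```php
<?php
// Added example, not the RFC's or PHP core's code. A random secret lives
// only in the user's session; tokens are an HMAC over that secret, so a
// token handed out in one session does not validate in another.
// Sessions are modelled as plain arrays standing in for $_SESSION.

function csrf_secret(array &$session): string {
    // Create the per-session key on first use (32 random bytes; assumed size).
    if (!isset($session['csrf_key'])) {
        $session['csrf_key'] = random_bytes(32);
    }
    return $session['csrf_key'];
}

// Token for one endpoint; $context binds the token to that action only.
function csrf_token(array &$session, string $context): string {
    return hash_hmac('sha256', $context, csrf_secret($session));
}

// Constant-time comparison of a submitted token against the caller's session.
function csrf_verify(array &$session, string $context, string $token): bool {
    $expected = hash_hmac('sha256', $context, csrf_secret($session));
    return hash_equals($expected, $token);
}

// --- Constructed demo: a victim session and a separate third-party session ---
$victim = [];
$other  = [];

// A token endpoint in the style of get_csrf_token.php only ever returns a
// token derived from the caller's OWN session secret.
$token_from_other_session = csrf_token($other, '/transfer.php');

// A forged request would carry the victim's cookie, so the server checks the
// token against the victim's secret; a token from another session is rejected.
var_dump(csrf_verify($victim, '/transfer.php', $token_from_other_session));

// The legitimate form, rendered inside the victim's session, validates.
$legit = csrf_token($victim, '/transfer.php');
var_dump(csrf_verify($victim, '/transfer.php', $legit));

// Tokens are scoped per context, so one form's token is rejected elsewhere.
var_dump(csrf_verify($victim, '/delete.php', $legit));
```

Only a token derived from the victim's own session secret passes, which is the property the quoted reply relies on; obtaining the secret would require the victim's session itself.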