Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93232 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 47901 invoked from network); 11 May 2016 12:16:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 12:16:03 -0000 Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.44 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.44 mail-wm0-f44.google.com Received: from [74.125.82.44] ([74.125.82.44:35543] helo=mail-wm0-f44.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 68/8A-28272-28223375 for ; Wed, 11 May 2016 08:16:03 -0400 Received: by mail-wm0-f44.google.com with SMTP id e201so216286416wme.0 for ; Wed, 11 May 2016 05:16:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=+olWzEj+KNEfrAcW52zFZErxb+YSR+tTZ0DkcAxyTV8=; b=PxLjbPsLWUJYiCYIMPrB0yCz8IiLwwXfj8plNU24+KjaOMrZclHJ0rjp40U5+nkn2R mf6TRbXlL3E0wt7ILsJ8V11eevGMXlWTbaYdV/gbyswzPdVqlOEnMoun99z/NVrHH1Mr sqYce/pbmsJqJ49EJGh8lK78ShC98Lev5SVLoGqEEm7uP8tN4Cb54RzvqHX76wWG1w5k 4oWkL/TmcWtM88/LSsrBEfEPP8Xp/wdJ9aYlJIibRPGqJqOGB6FULUbGEVuZ2wy9vFzO lLuzrdG1E+y4MUmqPyP9Z+j/uu974oHr12LiSgl1FsblxTlbQuXmbct9Bj3YxGlmXfqn pw2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=+olWzEj+KNEfrAcW52zFZErxb+YSR+tTZ0DkcAxyTV8=; b=Y8OYXx5JgNcJldxBhIhDmJkiSrjdOn/plOzN0kti61AJ1n6KLrKR3SSQekCXc2OZ6j vJH7zjDFyOIb5fNqgNgqPq7paKn+sBHgtIp/kGnCwg6SI57X2ItaGtdUKrmDwlMwLYeB ONFFmfNzpZP5BPxiqhAC4Eoc740MlQ7Pmk4GUlFDCMh8Dv5zJP0Cq5LG/6nS3YzhvsUI f5HFq/fgITCmp6jQwxGOb4oAIVXljd2RZVIB5LR+fvoN2AyQkRAi01o/xEqEFJcdmmtk x9hiVNaz5jCz2pS9dr/wuqX4Gd7Y9Bx8drfXcNI/M6FdccavfXiyuGa4HaycebY4mbwp QTHg== X-Gm-Message-State: AOPr4FUVP0lg5yp0+p4wNYloWxsO1R3iFrHZERiiyU5eBkFpYBnwjIyUOyy57OT2tE9GfA== X-Received: by 10.194.57.168 with SMTP id j8mr3418685wjq.43.1462968959974; Wed, 11 May 2016 05:15:59 -0700 (PDT) Received: from [192.168.0.98] ([93.188.182.58]) by smtp.gmail.com with ESMTPSA id iv1sm7806302wjb.34.2016.05.11.05.15.59 for (version=TLSv1/SSLv3 cipher=OTHER); Wed, 11 May 2016 05:15:59 -0700 (PDT) To: internals@lists.php.net References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Message-ID: <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com> Date: Wed, 11 May 2016 13:13:34 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: rowan.collins@gmail.com (Rowan Collins) On 11/05/2016 12:36, Kinn JuliĆ£o wrote: > You're making confusion between CSRF and Session Hijacking... In any moment > I mentioned about hijacking someone else's session, but to still being able > to CSRF (Cross Site Request Forgery). CSRF generally implies tricking an authenticated user into making a request using their own session. Without any form of token check, an identical request will be sent from any user, so you don't need to know anything about the user or their session to perform the attack - it can in fact be entirely passive, e.g. the src of an embedded in another page. With a CSRF token bound to each session, you can't perform a passive attack, because you need to first discover some information from their session, and target the attack. Without tricking the user into submitting the request with their own authentication, there is no forgery, and no attack. > Any other remote source would still be able to use your "example". A remote source would only be able to read their own CSRF token, not that of another user. If they are not authorised to submit the content, it is not the CSRF token's job to enforce that. > "A is using your own site's contact form, with a plotted csrf token as a > hidden field in the form, and the same stored in the session". > With your token solution for asynchronous requests: > "A is using your own site's contact form, with a csrf token remotely > requested, and the same stored in its session". All CSRF tokens are "remotely requested", in that they are sent from the server to the client's browser during a legitimate request. There is no difference in exposure between an HTML hidden input in the response to "GET /display_comment_form.php" and a JSON value in the response to "GET /generate_form_token.php". > "B is spamming your site's contact form, with a csrf token remotely > requested, and the same stored in its session". CSRF is not related to spam or rate limiting, it is related to impersonation. A spam bot can simply repeatedly request new HTML forms and scrape out the hidden input. Regards, -- Rowan Collins [IMSoP]