Newsgroups: php.internals
Xref: news.php.net php.internals:93233
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Kinn Julião <kinncj@gmail.com>
To: Rowan Collins
Cc: internals@lists.php.net
Date: Wed, 11 May 2016 08:22:57 -0400
In-Reply-To: <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com>
References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com>

> CSRF is not related to spam or rate limiting, it is related to
> impersonation. A spam bot can simply repeatedly request new HTML forms
> and scrape out the hidden input.

The spam bot was just an example, countering his own example. And it's
still a cross-site request, whether it comes from a bot or not.

About the pixel, what can prevent a mail pixel from pointing to
"attacker.com/img.jpg", which fetches
"whatever_his_endpoint_to_return_the_token.php", grabs the token and
forwards it to the form? The same as what prevents it from scraping the
HTML? Nothing...

So in the end, this RFC improves nothing, as mentioned above.
On May 11, 2016 8:16 AM, "Rowan Collins" wrote:

> On 11/05/2016 12:36, Kinn Julião wrote:
>
>> You're confusing CSRF and Session Hijacking... At no moment did I
>> mention hijacking someone else's session, but still being able to CSRF
>> (Cross Site Request Forgery).
>
> CSRF generally implies tricking an authenticated user into making a
> request using their own session. Without any form of token check, an
> identical request will be sent from any user, so you don't need to know
> anything about the user or their session to perform the attack - it can
> in fact be entirely passive, e.g. the src of an <img> embedded in
> another page.
>
> With a CSRF token bound to each session, you can't perform a passive
> attack, because you need to first discover some information from their
> session, and target the attack.
>
> Without tricking the user into submitting the request with their own
> authentication, there is no forgery, and no attack.
>
>> Any other remote source would still be able to use your "example".
>
> A remote source would only be able to read their own CSRF token, not
> that of another user. If they are not authorised to submit the content,
> it is not the CSRF token's job to enforce that.
>
>> "A is using your own site's contact form, with a plotted csrf token as
>> a hidden field in the form, and the same stored in the session".
>> With your token solution for asynchronous requests:
>> "A is using your own site's contact form, with a csrf token remotely
>> requested, and the same stored in its session".
>
> All CSRF tokens are "remotely requested", in that they are sent from the
> server to the client's browser during a legitimate request. There is no
> difference in exposure between an HTML hidden input in the response to
> "GET /display_comment_form.php" and a JSON value in the response to
> "GET /generate_form_token.php".
>
>> "B is spamming your site's contact form, with a csrf token remotely
>> requested, and the same stored in its session".
>
> CSRF is not related to spam or rate limiting, it is related to
> impersonation. A spam bot can simply repeatedly request new HTML forms
> and scrape out the hidden input.
>
> Regards,
> --
> Rowan Collins
> [IMSoP]
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
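As an added example, not code from this thread or from the RFC draft: a CLI-runnable PHP sketch of the session-bound token model Rowan describes, run against two simulated sessions so the two cases in the exchange can be compared side by side. The endpoint names display_comment_form.php and generate_form_token.php come from his message; submit_comment.php, the array-backed session store, the user name "alice" and the comment text are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Server-side session store, keyed by session id. A real PHP app would use
// $_SESSION behind a cookie; a plain array keeps this runnable from the CLI.
// (Assumed structure for the demo, not how any real framework stores it.)

function start_session(array &$sessions, ?string $user): string
{
    $sid = bin2hex(random_bytes(16));
    $sessions[$sid] = ['user' => $user, 'csrf' => null];
    return $sid;
}

// Token issuance. Whether the token is rendered as a hidden input by
// display_comment_form.php or returned as JSON by generate_form_token.php,
// the value is minted once per session and stored server-side, so it only
// ever proves "this request came from a page served to *this* session".
function issue_token(array &$sessions, string $sid): string
{
    if ($sessions[$sid]['csrf'] === null) {
        $sessions[$sid]['csrf'] = bin2hex(random_bytes(32));
    }
    return $sessions[$sid]['csrf'];
}

// submit_comment.php (assumed name) without any token check:
// whoever the session cookie says, we act on their behalf.
function submit_comment_unprotected(array $sessions, string $sid, array $post): string
{
    return '200 comment posted as ' . ($sessions[$sid]['user'] ?? 'anonymous');
}

// The same handler with a session-bound token check. hash_equals() avoids a
// timing side channel on the comparison.
function submit_comment_protected(array $sessions, string $sid, array $post): string
{
    $expected = $sessions[$sid]['csrf'] ?? null;
    $given = (string) ($post['csrf'] ?? '');
    if ($expected === null || !hash_equals($expected, $given)) {
        return '403 missing or wrong CSRF token for this session';
    }
    return '200 comment posted as ' . ($sessions[$sid]['user'] ?? 'anonymous');
}

$sessions = [];
$victim   = start_session($sessions, 'alice'); // logged-in user being targeted
$attacker = start_session($sessions, null);    // attacker's own browser or bot

// 1. Passive forgery, no token check. The attacker's page or mail contains
//    <img src="https://victim.example/submit_comment.php?comment=spam">, so the
//    victim's browser sends the request with the victim's cookie attached.
//    The attacker never sees the victim's session; the request is identical
//    for every user, which is exactly why it works.
echo "1. passive <img> forgery, no token check: ",
    submit_comment_unprotected($sessions, $victim, ['comment' => 'spam']), "\n";

// 2. Same forgery against the protected handler. The attacker can fetch a
//    token in their own session (scraping the HTML form or calling the JSON
//    endpoint makes no difference) and embed it in the forged request, but it
//    was minted for the attacker's session, not the victim's.
$scraped = issue_token($sessions, $attacker);
echo "2. forgery carrying the attacker's own token: ",
    submit_comment_protected($sessions, $victim, ['comment' => 'spam', 'csrf' => $scraped]), "\n";

// 3. No token at all (the plain <img> case against the protected handler).
echo "3. forgery with no token: ",
    submit_comment_protected($sessions, $victim, ['comment' => 'spam']), "\n";

// 4. Legitimate submission: the victim's own browser loads the form (or the
//    JSON endpoint) in its own session and posts that token back.
$own = issue_token($sessions, $victim);
echo "4. legitimate submit with own token: ",
    submit_comment_protected($sessions, $victim, ['comment' => 'hi', 'csrf' => $own]), "\n";

// 5. The attacker using their own token in their own session is not CSRF:
//    it is an ordinary request by an unauthenticated client. Refusing spam
//    here is an authorisation or rate-limiting decision, not the token's job.
echo "5. attacker posting in their own session: ",
    submit_comment_protected($sessions, $attacker, ['comment' => 'spam', 'csrf' => $scraped]), "\n";
```

Run it with `php csrf_demo.php`. Cases 2 and 3 are the heart of the disagreement: the forged request the victim's browser sends is the same no matter how the attacker obtained a token, and it is rejected because the check compares against the victim's session, which the attacker never saw. Case 5 shows what the token does not do. The demo also leaves untouched the question of why a state change is reachable through a GET at all; in real code the comment endpoint should accept only POST, which removes the passive `<img>` vector on its own but, without the token, still leaves an auto-submitted cross-site form.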