Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Kinn Julião <kinncj@gmail.com>
To: Rowan Collins
Cc: internals@lists.php.net
Date: Wed, 11 May 2016 08:28:10 -0400

And again, I'm bashing against/based on his poor example for asynchronous requests...

On May 11, 2016 8:22 AM, "Kinn Julião" wrote:
>
> CSRF is not related to spam or rate limiting, it is related to
> impersonation. A spam bot can simply repeatedly request new HTML forms and
> scrape out the hidden input.
>
> The Spam bot was just an example, countering his own example.
>
> And it's still a cross-site request... whether it comes from a bot or not.
>
> About the pixel, what can prevent a mail pixel from pointing to
> "attacker.com/img.jpg" which fetches the
> "whatever_his_enpoint_to_return_the_token.php", grabs the token and forwards
> it to the form? The same as what prevents it from scraping the html? Nothing...
> So in the end, this RFC improves nothing as mentioned above.
> On May 11, 2016 8:16 AM, "Rowan Collins" wrote:
>
>> On 11/05/2016 12:36, Kinn Julião wrote:
>>
>>> You're confusing CSRF and Session Hijacking... At no point did I
>>> mention hijacking someone else's session, but rather still being
>>> able to CSRF (Cross Site Request Forgery).
>>>
>>
>> CSRF generally implies tricking an authenticated user into making a
>> request using their own session. Without any form of token check, an
>> identical request will be sent from any user, so you don't need to know
>> anything about the user or their session to perform the attack - it can in
>> fact be entirely passive, e.g. the src of an embedded <img> in another page.
>>
>> With a CSRF token bound to each session, you can't perform a passive
>> attack, because you need to first discover some information from their
>> session, and target the attack.
>>
>> Without tricking the user into submitting the request with their own
>> authentication, there is no forgery, and no attack.
>>
>>
>>> Any other remote source would still be able to use your "example".
>>>
>>
>> A remote source would only be able to read their own CSRF token, not that
>> of another user. If they are not authorised to submit the content, it is
>> not the CSRF token's job to enforce that.
>>
>>
>>> "A is using your own site's contact form, with a plotted csrf token as a
>>> hidden field in the form, and the same stored in the session".
>>> With your token solution for asynchronous requests:
>>> "A is using your own site's contact form, with a csrf token remotely
>>> requested, and the same stored in its session".
>>>
>>
>> All CSRF tokens are "remotely requested", in that they are sent from the
>> server to the client's browser during a legitimate request. There is no
>> difference in exposure between an HTML hidden input in the response to "GET
>> /display_comment_form.php" and a JSON value in the response to "GET
>> /generate_form_token.php".
>>
>>
>>> "B is spamming your site's contact form, with a csrf token remotely
>>> requested, and the same stored in its session".
>>>
>>
>> CSRF is not related to spam or rate limiting, it is related to
>> impersonation. A spam bot can simply repeatedly request new HTML forms and
>> scrape out the hidden input.
>>
>> Regards,
>> --
>> Rowan Collins
>> [IMSoP]
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
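Added example, not part of this thread and not from the RFC draft under discussion: a small Python model of the session-bound token scheme Rowan describes above. A constructed in-memory dictionary stands in for PHP's $_SESSION keyed by the session cookie (an assumption for the model), and `issue_token` plays the role of both "GET /display_comment_form.php" and "GET /generate_form_token.php", since both hand the requesting session its own token. The scenarios show the points argued in the thread: a passive cross-site request that carries the victim's cookie but no token succeeds with no check and fails once the check is on; a token that a remote party obtained from its own session fails against the victim's session, because the token is bound to the session rather than to the endpoint that served it; and a bot posting with its own session and its own token passes the CSRF check, because the token addresses impersonation, not spam or rate limiting.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session cookie value -> session data.
# Stands in for PHP's $_SESSION keyed by the session cookie (assumption).
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Start a fresh session and return its cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def issue_token(sid: str) -> str:
    """Serve the CSRF token for the requesting session.

    Models both the hidden input in a rendered form and the JSON token
    endpoint: either way the token is minted once and bound to the session
    that asked for it, and a caller can only ever see its own token."""
    session = SESSIONS[sid]
    if "csrf" not in session:
        session["csrf"] = secrets.token_hex(32)
    return session["csrf"]


def handle_post(sid: str, submitted_token: Optional[str], *, token_check: bool = True) -> bool:
    """POST handler for the contact form. Returns True if the request is accepted.

    token_check=False models the baseline with no CSRF protection at all."""
    session = SESSIONS.get(sid)
    if session is None:
        return False  # no authenticated session behind the request
    if not token_check:
        return True   # no token check: any request carrying the cookie is accepted
    expected = session.get("csrf")
    if expected is None or submitted_token is None:
        return False  # session was never served a token, or none was submitted
    # Constant-time comparison of the submitted token against the session's own.
    return hmac.compare_digest(expected, submitted_token)


def run_scenarios() -> Dict[str, bool]:
    """Play out the cases from the thread and report accept/reject per case."""
    victim = new_session()
    remote = new_session()          # any other party with its own session
    victim_token = issue_token(victim)
    remote_token = issue_token(remote)
    return {
        # The victim's own browser submits the form it was served.
        "legit_submit": handle_post(victim, victim_token),
        # Passive cross-site request (e.g. an <img src>): the browser attaches the
        # victim's cookie, but the page that triggered it cannot read the token.
        "passive_no_check": handle_post(victim, None, token_check=False),
        "passive_with_check": handle_post(victim, None),
        # A remote party reads its *own* token from the token endpoint and has the
        # victim's browser send it: wrong session, so the bound token does not match.
        "foreign_token_with_victim_session": handle_post(victim, remote_token),
        # A bot posting with its own session and its own token passes the CSRF
        # check; stopping that is a rate-limiting or authorisation concern.
        "bot_own_session": handle_post(remote, remote_token),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The design choice worth noting is that the token lives in the server-side session and the check compares against that copy with `hmac.compare_digest`; where the token is served from makes no difference to the outcome, which is the thread's point about hidden inputs versus a JSON endpoint.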