Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93236 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 55707 invoked from network); 11 May 2016 12:50:45 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 12:50:45 -0000 Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.51 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.51 mail-wm0-f51.google.com Received: from [74.125.82.51] ([74.125.82.51:37378] helo=mail-wm0-f51.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id E2/1C-28272-4AA23375 for ; Wed, 11 May 2016 08:50:44 -0400 Received: by mail-wm0-f51.google.com with SMTP id a17so80902669wme.0 for ; Wed, 11 May 2016 05:50:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=hLKLF7lA8If31LcT0hf/u5BQOzVVFkmU3zITRJ/r8N8=; b=k3VsHiqlxVgh5DbV7Sb2EPpRltiVRhjlBXtK+XghWUtBQBrVMI9TqvZv0C1pkfZGCM LODZEwkYqrrGUGzrk8jkekrHvpCwn0dZGwq2rGCHZ2DtKzkKsqS9cU7e42FVMWefNDg8 DhRZ54jLJSrD5WWOBei7K5ZnrF3JNZ9XcRLF370zSzi+n3rCW+aGhBJ9y6ALdSwolHCl jc3Exv2jR7gkGJJwKstYDroK8m4wZry2JQLSx1aMFqqMUGXt3N5vcD6TCeLsBLt1Au8I t2sdgR8cwNlNENKp3g0AWjFdiHMq+L2F2VeytT0ypbTdv3PztLEvNrYFuGIs4oUI4oJV W5Zg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=hLKLF7lA8If31LcT0hf/u5BQOzVVFkmU3zITRJ/r8N8=; b=bvGYvTnwr+UXm46dZWVtLyWrpT/7Y/8mkiqAMkDWn2Mk1jnOcUfQqXDaznQySH2Tdh 0W1U5TZzL2YoD/pt5bUumxhoWcCkb9ZsZIObRRFu2bLeIMkOBHHEZ2j3i/xJCl4nEeIS 3C5Owmb6DX/Ydnn6oyQxTWPmSpNuyq05NRKnyv0/ddfFd3lQJOTRohiAn9Hy3qRcuSim 1IBrg+N5a7FmWDr3qDyrNMrD22FlOVVfuLu1RxTgIrhDyas+/V8ao0BEi+a4AFxAjXYo YiWCs4LNhUtyCP+MpBSkdXiXxhFK0gsG7WjConDjKI9AUZec/a/G0CayRi38zJd9QsOl zZuw== X-Gm-Message-State: AOPr4FWIGpjpHCfW8Guaaa58Ga3h2aZYnIC/wsBkCzvAZdtZCXg3zWeotqpoySaQSNDKiw== X-Received: by 10.194.95.198 with SMTP id dm6mr3762789wjb.136.1462971040740; Wed, 11 May 2016 05:50:40 -0700 (PDT) Received: from [192.168.0.98] ([93.188.182.58]) by smtp.gmail.com with ESMTPSA id y3sm7945643wji.40.2016.05.11.05.50.39 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 11 May 2016 05:50:39 -0700 (PDT) To: =?UTF-8?Q?Kinn_Juli=c3=a3o?= References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com> Cc: internals@lists.php.net Message-ID: <4d97846f-81d6-6cad-91ad-5e513a709e91@gmail.com> Date: Wed, 11 May 2016 13:48:14 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: rowan.collins@gmail.com (Rowan Collins) On 11/05/2016 13:22, Kinn JuliĆ£o wrote: >> CSRF is not related to spam or rate limiting, it is related to > impersonation. A spam bot can simply repeatedly request new HTML forms > and scrape out the hidden input. > > The Spam bot was just an example, contering his own example. > > And it still a cross site request... Either if it comes from a bot or not. No, it's just "a request". I ask for a URL, I get some content. There is no "cross-site" involved, and no "forgery". > About the pixel, what can prevent a mail pixel to point to > "attacker.com/img.jpg " which fetches the > "whatever_his_enpoint_to_return_the_token.php", grab the token and > forward to the form? The same as what prevets it from scraping the html? > Nothing... So in the end, this RFC improves nothing as mentioned above. What you are saying there is "all CSRF tokens are pointless". The large number of articles recommending them and libraries implementing them should be a pretty big clue that they are not. I think you are misunderstanding how the attack works; here is a simple example. If you are logged into a site called victim.example.com, I can place an HTML page on a completely different site (say, attacker.example.net) with the following code: Your browser will then send a request to the specified URL, and execute the command. At no point does the server at attacker.example.net receive any data from victim.example.com, but it can trick you into sending commands to it, with your authenticated privileges. With a CSRF token in place, the passive attack above will be rejected - "missing or invalid CSRF token". In the response, a fresh CSRF token may well be forwarded to your browser, but it is never forwarded to the attacker. Let's say we have an endpoint that simply checks the request cookies and generates a new CSRF token, as in Yasuo's example, the attacker could of course write this: But this is no use - it tricks you into sending a command that generates a new token, but the attacker can't see what token was generated, so can't impersonate you. If you can read the value of that response, that is an XSS vulnerability. As the OWASP page linked to earlier says "any cross-site scripting vulnerability can be used to defeat token, Double-Submit cookie, referer and origin based CSRF defenses": https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#No_Cross-Site_Scripting_.28XSS.29_Vulnerabilities Regards, -- Rowan Collins [IMSoP]