Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93239 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 61635 invoked from network); 11 May 2016 13:43:00 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 13:43:00 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.54 mail-wm0-f54.google.com Received: from [74.125.82.54] ([74.125.82.54:37068] helo=mail-wm0-f54.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id FD/2D-28272-2E633375 for ; Wed, 11 May 2016 09:43:00 -0400 Received: by mail-wm0-f54.google.com with SMTP id a17so83638478wme.0 for ; Wed, 11 May 2016 06:42:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=uXLq8eD+1kH1ePk0VR1BWdLna6EoMY8faHZWID9rvHM=; b=fvkDkyEtHy7pSn/zjkszBAQcAdiihp+a5ZQK+kIeH7tWyGJCxxCx/w0s/gtnB3kvd7 qMuZRK9y3EbHOOaDf4llgGRhTG7yglm9SdWSDm1MTv6uKb/ewJm1FXcsInYDlKUWu+WF veB6udGwkp8g1p+4LCGud1jK6gJzymsG9QWgFC7AB8XnsYb+CcS4C16chL2wB1hugqRg tO1SW38ErNuVon1gAHiRPXx6OE2J9bKISKuCMWVZEZnRUdwkuOCznDfoSzIuu3zsoSE2 h9H6SZj77WUNKnhtGKR1Q2t/vmBOM49opHRwcV3LE8yRbQBpWf2hOJy/Lu/X/iQ49bwm DqcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=uXLq8eD+1kH1ePk0VR1BWdLna6EoMY8faHZWID9rvHM=; b=AymQFsuXdPlsz54SwZcJOdeAaFBb02c6YpQe4Nczk9s8Fu5ze8NmwgVuyw4ih5Q0eo 4MUBTGwh6i+ZmuSgxDcfPIAu8Gk/2BUvMMIRT2UUlX2xF4Y4UqtbBOyusdJ4Ytvykkyo pPhRl4UKn3TjObHcc++zBD5k/LY8ZWurdWZ6ny3cDiplmoDS1wvZuSulIHD7jr9uturd lkW5eqbF4mLkeZJ96BcM7sf/YxIcFXvYpJmLzevQgnPa10i6iKQGzdg1kCb5D6YobjAO OXeXa32/pYgVLnWkxsVAdGOHGGDdFIl11qEKIy24TdfIDCMorDqtZ2ajdmM0MvfhIl5Z +NAg== X-Gm-Message-State: AOPr4FWUxtNbSeo4R9Adp+XF+iyweckJ/Ktk4yZ32MEnSVpG+l6xhW6UwzobxpbIDcXulQ== X-Received: by 10.28.194.69 with SMTP id s66mr4654134wmf.88.1462974176081; Wed, 11 May 2016 06:42:56 -0700 (PDT) Received: from [192.168.0.98] ([93.188.182.58]) by smtp.gmail.com with ESMTPSA id gk4sm8173993wjd.7.2016.05.11.06.42.55 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 11 May 2016 06:42:55 -0700 (PDT) To: =?UTF-8?Q?Kinn_Juli=c3=a3o?= References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> <4667bb84-4401-4dd6-6193-fcf3aa6b3d48@gmail.com> <4d97846f-81d6-6cad-91ad-5e513a709e91@gmail.com> Cc: internals@lists.php.net Message-ID: <67a20f52-962a-acb5-6d71-4a5995928d87@gmail.com> Date: Wed, 11 May 2016 14:40:30 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: rowan.collins@gmail.com (Rowan Collins) On 11/05/2016 14:07, Kinn JuliĆ£o wrote: > So following your example then. > You could place an HTML page on a completelu different site... maybe > this page: > https://gist.github.com/kinncj/6ad5f5ef8d8c36eb5f844fb802a67b7a#file-attacker_example_net > :-) Neither of the files in that gist are demonstrating CSRF as such. attacker_example_net is bypassing the Same Origin Policy; it hand-wavingly pre-supposes a misconfiguration which allows this, including sending the user's cookies with the cross-domain request. Note that if the first XHR can successfully generate a CSRF token, then you don't need an tag, since a second XHR to the rewritten URL will succeed. At this point, you have a far stronger attack footprint than normal CSRF anyway, because you can access privileged data and arbitrarily impersonate the user in a 2-way conversation with the server. supersafe.com_img.jpg is simply a spam script. The request to http://example.com/contact.php is coming from the server hosting the site, and doesn't impersonate anybody. If the form requires the user to have previously authenticated, this will simply fail, because it never authenticates as anybody. If your implication is that you've tricked somebody else's *server* into executing this code, that's yet another type of attack, and there are much worse things you could do with the ability to run arbitrary code on their server. > As I mentioned in comments there: > /* > From this point, this attack will only work if: > 1 - CORS is missconfigured > */ Yes. As OWASP says, to protect against CSRF, one must first protect against XSS. However, protecting against XSS does not protect against CSRF, so token-checking or similar countermeasures are still necessary. > If the user must be responsible to secure it properly, why should be this magic added to the core? I'm not convinced it should be in the core, but "some users will have XSS vulnerabilities" is not a good reason for it not to be. Regards, -- Rowan Collins [IMSoP]