Posted by Jerry Stuckle on 03/22/06 04:48

Chris Shiflett wrote:
> Pardon my intrusion, but I hope to clarify the topic being disputed.
>
> Jerry Stuckle wrote:
>
>>I know *exactly* how auto-form-submission works. In fact, from your
>>posts here I expect I know a lot more about it than you do. I've been
>>in this field too many years. What you describe is only *one way* it can
>>happen. And it's not even the most common.
>
>
> I'm always disappointed to see ego impact professional discourse. More
> importantly, the "one way" Chung Leong describes is a type of attack
> called cross-site request forgeries (CSRF), and the safeguard he
> recommends is better than you seem to think.
>
> Code can offer clarity, so consider a simple HTML form:
>
> <form action="http://example.org/fire.php" method="POST">
> <input type="text" name="employee" />
> <input type="submit" value="FIRE" />
> </form>
>
> If I am authorized to fire employees, then a request sent by me to fire
> a particular employee is successful. A CSRF attack would cause me to
> send such a request without my knowledge.
>
> Now, imagine that either of the following safeguards are implemented:
>
> 1. A unique, one-time token is included in the form as a hidden form
> field as well as stored in my session. A request to fire an employee is
> only considered valid if the token in the request matches the one in
> the session.
>
> 2. Referer is checked. An optimal implementation would take into
> account whether my browser typically includes Referer, but let's assume
> it does.
>
> Now, if you really think Chung Leong is wrong, you should be able to
> demonstrate a CSRF attack that is successful despite such safeguards.
> You might be right, but only proof will convince me.
>

That's fine if you use data kept in a session. But just using
HTTP_REFER is not a good way to do it. Whether it's set or not is
immaterial - it may be missing, or it can be forged quite easily.

I can easily write some PHP code (or Java, C/C++ or whatever) which will
simulate submission from your page. Not hard to do at all.

And BTW - I'm disappointed in the tone used by Chung Leong. I suspect
I've been doing this a hell of a lot longer than he has - and been
programming longer than he's been alive. I don't like people who talk
down to me. But it's also not the first time I've seen him do this to
people who disagree with him.

As for actually writing the program to do it - it's not worth my time or
bother. But I've written similar programs to run performance tests on
web servers. It's not hard to do at all if you understand the protocol.
You don't even need to use Curl.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]