Hi Arian -
On 5/9/06, Evans, Arian <Arian.Evans@fishnetsecurity.com> wrote:
What are we, close to a decade now on this thread?
At least. =)
Per your examples below, there are a lot of different ways
to use tokens (contextual) and different ways to implement
tokens and /one possible way/ is a cookie, which has pros and
cons, just like all the other options, but has the HUGE con
of being automagically supplied by the browser...*not* even
upon demand, not requiring some challenge-response scenario,
but will be supplied by the browser with even the simplest
tickle to make a request. This is called CSRF, or the catchier
but possibly misleading "securenet session riding"! ;)
Good point. If you use hidden form fields or random elements in the
URL for sessions, you get CSRF protection for free. If you are using
cookies, you need to take extra steps to block CSRF attacks.
My mates and I released a proxy at BH Amsterdam that did
all this for you automatically. 256 bit AES, stored flags for
various bits in the HTTP resp, removed and stored things like
cookies for you (which is how it worked transparently), and
could be 1) URL param, 2) URI resource, 3) replace URI (most
secure...and fun, 4) legacy URL/param support.
Would you be willing to summarize what kind of attacks your proxy can
prevent, and what kind it cannot? Or perhaps point us to a more
detailed description of what it does?
Regards,
Brian
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------
