[Catalyst] Re: CSRF

Ashley apv at sedition.com
Wed Oct 1 08:19:25 BST 2008


Nope.

On Sep 30, 2008, at 11:57 PM, Ashley wrote:
> Might be pretty simple in Cat stuff. The crux of the POST
> issue seems that the target site's cookies are still safe
> from the attacking site's POST.
> ...
>
> Form template:
> <form action="[% c.request.uri() %]" method="post">
> [% USE Digest.SHA1 -%]
>   <input type="hidden" name="csrf_check" value="[% c.sessionid | sha1_hex %]" />
> </form>

This won't work because the attacker can grab it by a GET and
while it doesn't expose the sessionid, it does remain constant
for the life of the session. As the white paper suggests, it
has to be pseudo-random and it looks like it has to be per
request. If no one else fields this in the next couple of days
I'll come back to it and post a real solution.

-Ashley