[Catalyst] Picking template type based on input

Bill Moseley moseley at hank.org
Mon Mar 29 00:06:16 GMT 2010


On Sun, Mar 28, 2010 at 3:13 PM, Tomas Doran <bobtfish at bobtfish.net> wrote:

Speaking of XSRF:


> It would be possible to parse the HTML your app output, add an extra hidden
> field to any forms you had generated in the page, and then look for a
> previously generated token and redirect / refuse the request if it wasn't
> present.
>

I do this -- every POST must include a token, and the token can only be used
once.  That means the form must be fetched before being posted (to
generate the token).

I'm not sure I understand XSRF enough to know if there's a way to get around
the token (or trick the browser into doing a POST for, say, an <img>).

And for a SSL only site that requires login, I'm also not so sure the token
requirement helps that much for security.  The original purpose was to slow
down form spamming and to prevent double-posting of forms.

The tokens don't work so well with an API, of course, but XSRF needs a
browser, AFAIK (hard to trick a user of an API into making a request..)



> However this would obviously not catch forms generated purely from
> Javascript (and a number of other cases), and so I'm somewhat doubtful of
> its value in more complex applications. I can certainly remember the stuff
> which tries to achieve this that is baked into Rails making me scream :)
>

I'm not clear how javascript is an issue here, unless the attacker has
injected javascript into my site.

The example on Wikipedia for XSRF is to add a link to your bank on the
attackers site, which you view:
<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

Which is a pretty bad bank that allows that.  A third-party (evil) page can
include the above and force a GET request that is not noticed, but to make a
POST it would have to have a form where the response is from the bank.  That
is, you would see the bank's response page.  Can't do it via an AJAX request
because of the same-origin policy.

Slippery stuff.



--

Bill Moseley
moseley at hank.org
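The scheme discussed above (every state-changing POST carries a server-issued token that is bound to the session and valid exactly once) is framework-agnostic, so the following added example, which is not code from the thread or from Catalyst, shows it in plain Python. The `CsrfTokenStore` class, the `handle_withdraw` handler and the `bank.example` parameter names are assumptions for illustration; the handler also refuses state changes over GET, since the `<img>`-triggered withdrawal quoted above only works because that bank accepts GET.

```python
import hmac
import secrets
import time


class CsrfTokenStore:
    """Server-side store of single-use, session-bound, expiring CSRF tokens.

    Hypothetical helper: tokens are issued when a form is rendered and
    consumed (deleted) on the first POST that presents them, so a token
    cannot be replayed and a form cannot be submitted without first
    fetching it.  The clock is injectable so expiry can be tested offline.
    """

    def __init__(self, ttl_seconds=3600, now=time.time):
        self._tokens = {}  # token -> (session_id, issued_at)
        self.ttl = ttl_seconds
        self._now = now

    def issue(self, session_id):
        """Mint a fresh random token and bind it to the caller's session."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self._now())
        return token

    def consume(self, session_id, token):
        """Return True exactly once for a live token issued to this session."""
        if not token:
            return False
        # Remove the token first: whatever happens next, it can never be reused.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False  # unknown, already used, or forged
        owner, issued_at = entry
        if self._now() - issued_at > self.ttl:
            return False  # stale token from a long-open form
        # Constant-time comparison so session binding cannot be probed by timing.
        return hmac.compare_digest(owner.encode(), session_id.encode())


def handle_withdraw(store, method, session_id, params):
    """Handler for a hypothetical /withdraw endpoint.

    Returns an (http_status, message) tuple.  State changes are POST-only,
    and every POST must present a valid single-use token.
    """
    if method != "POST":
        return 405, "state-changing request must be a POST"
    if not store.consume(session_id, params.get("csrf_token")):
        return 403, "missing, foreign, expired or reused CSRF token"
    return 200, "withdraw %s for %s" % (params.get("amount"), params.get("for"))


def demo():
    """Run the legitimate flow and the three cases the token check refuses."""
    clock = [1000.0]  # constructed, controllable clock
    store = CsrfTokenStore(ttl_seconds=60, now=lambda: clock[0])

    # 1. Legitimate flow: the browser fetched the form (token issued), then posts it.
    token = store.issue("sess-bob")
    ok = handle_withdraw(store, "POST", "sess-bob",
                         {"csrf_token": token, "amount": "10", "for": "alice"})

    # 2. Replay of the same token is refused: it was consumed above.
    replay = handle_withdraw(store, "POST", "sess-bob",
                             {"csrf_token": token, "amount": "10", "for": "alice"})

    # 3. A GET like the quoted <img src=...> withdrawal is refused outright.
    via_get = handle_withdraw(store, "GET", "sess-bob",
                              {"amount": "1000000", "for": "mallory"})

    # 4. A token issued to one session does not validate a POST from another.
    other = store.issue("sess-mallory")
    foreign = handle_withdraw(store, "POST", "sess-bob",
                              {"csrf_token": other, "amount": "1", "for": "x"})

    # 5. A token left in a form for longer than the TTL is refused.
    stale = store.issue("sess-bob")
    clock[0] += 61
    expired = handle_withdraw(store, "POST", "sess-bob",
                              {"csrf_token": stale, "amount": "1", "for": "x"})

    return [ok[0], replay[0], via_get[0], foreign[0], expired[0]]


if __name__ == "__main__":
    print(demo())  # [200, 403, 405, 403, 403]
```

The store is in-process memory here; in a multi-process deployment the same logic would sit on the session backend so that issue and consume see one shared record.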