python - Tornado's XSRF protection


I am using Facebook's Tornado web engine for a Python project I'm doing, and I'm planning on implementing XSRF protection, which has left me a little confused.

On a typical request it sets an "_xsrf" cookie in the user's browser if it's not found, and matches the value embedded in the HTML form against the cookie value the browser has sent with the request.

Well, let's say an attacker did this:

<img src="blah.com/transfer_money?account=0098&destination=0099&_xsrf= (whatever client's cookie contains)" title="cool image" /> 

What's to prevent an attacker from using the cookie outright? As far as I can tell, the cookies used for XSRF are not "secure" in both the check_xsrf_cookie method and the xsrf_token method that generates the XSRF token. Am I missing something...?

If I understand correctly, you are asking what prevents an attacker from accessing a user's cookie in a given domain.

Well, the answer is: browser security policy. A script from one domain cannot access a cookie from another domain (most of the time). More details here: http://en.wikipedia.org/wiki/http_cookie#domain_and_path

This can be circumvented using an XSS (cross-site scripting) attack: injecting a script directly into the source of the attacked page. This approach breaks the client application (browser).

However, most of the time it is not possible for an attacker to retrieve a user's cookie from another domain. An additional level of security is to associate a specific CSRF (or "XSRF") token with a specific user (and check it during validation).
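To make the two levels in the answer concrete, here is an added example (not Tornado's own code, and not part of either post): a plain double-submit check as the question describes, beside a token that is additionally bound to the logged-in user with an HMAC, so a token that was never issued to that user fails validation even when cookie and form field agree. The server secret and user ids are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed secret for this example only; a real app loads it from configuration.
SERVER_SECRET = b"example-only-secret"


def check_double_submit(cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Level 1: the cookie value must equal the value submitted in the form.
    This relies on the browser's cookie policy: a page on another origin cannot
    read the cookie, so it cannot fill in the matching form field."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


def issue_bound_token(user_id: str) -> str:
    """Level 2: a token tied to one user: random nonce + HMAC(secret, user_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def check_bound_token(user_id: str, cookie_token: Optional[str], form_token: Optional[str]) -> bool:
    """Cookie and form must match AND the token must have been issued to this user."""
    if not check_double_submit(cookie_token, form_token):
        return False
    try:
        nonce, mac = form_token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def demo() -> Dict[str, bool]:
    """Validation outcomes for a legitimate request, a cross-site request that
    cannot supply the token, and a token that belongs to a different user."""
    alice_tok = issue_bound_token("alice")
    other_tok = issue_bound_token("someone_else")
    return {
        "legit": check_bound_token("alice", alice_tok, alice_tok),
        "cross_site_no_form_token": check_bound_token("alice", alice_tok, None),
        "cross_site_wrong_value": check_bound_token("alice", alice_tok, "deadbeef"),
        "foreign_token_bound_check": check_bound_token("alice", other_tok, other_tok),
        "foreign_token_plain_check": check_double_submit(other_tok, other_tok),
    }
```

The last two entries show what the second level adds: the plain double-submit check accepts any cookie/form pair that merely agrees, while the bound check also requires that the server issued that token to the current user.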
