Comments on Yet Another Developer's Blog: "CSRF - How much is enough?" (Chris Schmidt; 12 comments, feed last updated 2024-03-29)

---

Vves.pl, 2020-11-29:

That's right in 100%!

---

olivia, 2018-09-30:

Super option, I think one of the best thing is

---

Aasapolska.pl, 2018-07-06:

You describe it perfectly.

---

Melbourne Mobile Developer, 2017-03-22:

Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!

---

Unknown, 2011-01-14 15:06:

I think you probably won't agree with this solution posted in the GWT discussion list (http://www.mail-archive.com/google-web-toolkit@googlegroups.com/msg55873.html) where Sripathi explains how to implement the "double-submit the session id" recommendation. I'm working on building a large-scale web site (sensitive transactional application) based on the GWT framework.

So I'm very interested in different problematics such as security and others (performance, history management, maintainability, ...). I've read a lot about CSRF and XSS attack prevention and I am searching for the best solution to integrate into my architecture, especially some code examples about it: server side, generation of a random CSRF token, add it to a cookie (after identification session OK), then, client side, get the token from the cookie and set it on the RPC service. If I use a cookie for the session id (encrypted cookie), do I have 2 cookies to create (one for identification, the other for CSRF prevention)?

---

Unknown, 2011-01-14 11:39:

Well, I think you probably will not agree with the following post (http://groups.google.com/group/google-web-toolkit/browse_thread/thread/6b1c412fd053a096/f315f85b4d25c78f?lnk=gst&q=csrf#f315f85b4d25c78f) where Sripathi explains how to implement the solution posted by Google.

I'm working on a project building a sensitive transactional Web application based on GWT: I'm studying the different problematics such as security and others (performance, history, good architecture for future industrial developments, ...). I use the RPC mechanism and I'm very interested in building a secure application (prevention against CSRF and XSS attacks). I've read different articles about it (random CSRF token generation) and I would like to be sure of what I'm doing: use a cookie to get the token from the client and resend it in the request?

...

---

Anonymous, 2011-01-14 10:30:

I am doing some additional research in the area of CSRF right now with a colleague of mine, so very soon there will be a ton of new info up about this subject. If you have a particular example you are looking for though, let me know and I will see what I can provide for you.

---

Unknown, 2011-01-14 10:24:

Hi Chris,

You talk about a follow-up detailing the solution and how to integrate it.
Have you any code sample to post?

Thanks in advance

---

Chris Schmidt, 2010-11-23 07:39:

Many "Enterprise Applications" have already been written in those languages - this article used my experience with GWT as an example - however, the same rules could be applied to *any* language.

---

Rey Abisan, 2010-11-23 02:16:

Java may be the main choice for enterprise development now, but its days are numbered as the only stalwart option to go with.

Let's face it, many of these so-called "enterprise applications" could easily have been written much faster and with less overhead using technologies like Python, PHP, et al.

open source training (http://www.developintelligence.com/)

---

Chris Schmidt, 2010-11-22 21:36:

I see your point - however, after some offline follow-up conversation, is it really necessary to have a parameter that is random at all with GWT? The fact that GWT Services (at least speaking of GWT-RPC) require the presence of custom headers set by the client (X-Requested-With, and a custom Accept-Type) means they should by definition be safe from CSRF.

Since there is no way to force the user to forge a request that contains custom headers (post Java 6 Update 8), then you should be able to count on the assumption that GWT-RPC won't process the request (in fact it will generate an error) to ensure that your application is safe.

The only circumvention that I can think of for this method (off the top of my head) is that A) your page can be framed (clickjacking + CSRF) or B) the page is vulnerable to DOM-based XSS attacks; in which case the attacker could in theory generate his service call by invoking a custom evil function, which would allow him to craft the request with headers, would have access to all of the information in scope, and is basically undefendable in most browsers OOTB. Of course if that is the case, most traditional CSRF defenses will break down anyhow, as the attacker could also extrapolate the valid token(s) for the next request and simply append it to his forged request using Javascript.

---

Anonymous, 2010-11-22 19:30:

I think you may have misinterpreted Google's suggestion for using the session cookie. What they are suggesting is copying the Session cookie value into a hidden field and, before processing the request, verifying that the value submitted via the hidden form field matches the value of the submitted session cookie (via the header).

In theory, the reason that this works is that only your application should have access to the current session cookie value. As most modern session tokens are considered "sufficiently random and long", then why not use that as a token value.

The benefit is that you do not have to worry about token generation, storage, whether users should have multiple tokens, token expiration, etc.

In actuality, it is a pretty simple and elegant solution.