[Seaside-dev] Seaside and CSRF attacks

tim Rowledge tim at rowledge.org
Tue Aug 21 22:36:25 UTC 2018



> On 21-08-2018, at 3:26 PM, Ron Teitelbaum <ron at usmedrec.com> wrote:
> 
> Hey Tim,
> 
> Did you see: http://www.seaside.st/about/security

I did indeed see that, and it makes sense to me at a certain level BUT I don't think a client's security team is likely to look at that simple assertion and say "yup, ok, we believe that is enough". I'd be kinda concerned about the competence of the security team if they did...

A more expansive explanation would be nice. And would be nice documentation to explain quite a lot of how seaside works.

> 
> CSRF is basically being able to execute a task from a different program impersonating a user that is already logged into a different site. 
> 
> The attacker knows the user is logged into some program.  They know how to get that program to do something bad.  They trick the users into executing some code that does something bad on the other program that is running.  Click here to get free $50 gift card! href=https://imloggedin.com?my really bad code goes here.  This works because my really bad code is going to be sent to the location the user is logged into which means it will have access to cookies and will think this is a valid request for a user that is logged in.  Validating the cookies is not sufficient to ensure the request came from your application.
> 
> You can prevent this from happening if you have something on the current page in the browser that is unique, you then check that token to make sure the request is coming from your program and not from some other program running on your computer (my really bad code).  The server needs to validate the data is coming from the browser (Header, URL, Field) matches what was set by your application (for each page) before executing any tasks.  The attacker doesn't have access to that token so trying to execute some task should fail.

That's one of the least confusing explanations of CSRF attacks I've seen. Thanks!

tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
Drugs may lead to nowhere, but at least it's the scenic route.
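The per-page token check Ron describes, as an added illustration that is not Seaside's own code (written in Python rather than Smalltalk so it runs stand-alone): the server issues a token while rendering the page, the form carries it back, and a state-changing handler refuses any request whose token does not match. The names `Session`, `handle_request` and the transfer form are assumptions.

```python
"""Synchronizer-token CSRF check: a per-page secret the attacker cannot know."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session (assumed shape): one anti-CSRF token per rendered page."""
    tokens: dict = field(default_factory=dict)

    def issue_token(self, page_id: str) -> str:
        """Called while rendering a page; the token is embedded in that page's form."""
        token = secrets.token_urlsafe(32)  # 256 bits of unpredictable randomness
        self.tokens[page_id] = token
        return token

    def consume_token(self, page_id: str, submitted) -> bool:
        """Validate the submitted token for this page and invalidate it (single use)."""
        expected = self.tokens.pop(page_id, None)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison: a plain == would leak the token via timing.
        return hmac.compare_digest(expected, submitted)


def handle_request(session: Session, page_id: str, form: dict) -> str:
    """State-changing handler: the session cookie alone is not enough to act."""
    if not session.consume_token(page_id, form.get("csrf_token")):
        return "rejected"
    return f"transferred {form.get('amount')}"


def demo() -> tuple:
    """Constructed scenario: a legitimate submit, a replay, and a forged request."""
    session = Session()
    token = session.issue_token("transfer-page")  # rendered into the real page
    legit = handle_request(session, "transfer-page", {"amount": "50", "csrf_token": token})
    # Re-submitting the already-consumed token is refused.
    replay = handle_request(session, "transfer-page", {"amount": "50", "csrf_token": token})
    # A cross-site request rides on the cookie but cannot supply the page's token.
    session.issue_token("transfer-page")
    forged = handle_request(session, "transfer-page", {"amount": "50", "csrf_token": "guess"})
    return legit, replay, forged


if __name__ == "__main__":
    print(demo())  # ('transferred 50', 'rejected', 'rejected')
```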