CSRF Token Generation

Question

CSRF Token Generation

This is a question about creating CSRF tokens.

Normally, I would like to create a token based on the unique piece of data associated with a user session and hash and salt with a secret key.

My question is to generate tokens when there is no unique user data to use. No sessions, cookies are not an option, IP address and such things are unreliable.

Is there a reason why I cannot include the string in the hash as part of the request? An example of pseudocode for creating a marker and inserting it:

var $stringToHash = random() var $csrfToken = hash($stringToHash + $mySecretKey) <a href="http://foo.com?csrfToken={$csrfToken}&key={$stringToHash}">click me</a>

CSRF Token Server Side Validation Example

 var $stringToHash = request.get('key') var $isValidToken = hash($stringToHash + $mySecrtKey) == request.get('csrfToken')

The string used in the hash will be different for each request. As long as it is included in each request, CSRF token validation can continue. Since it is new for each request and is only embedded in the page, external access to the token will not be available. Token security then drops to $ mySecretKey, which is known only to me.

Is this a naive approach? I don’t have any reason why this cannot work?

thank

+46

csrf

Jim Beam Nov 26 '09 at 21:53

source share

8 answers

blowdart · Answer 1 · 2009-12-04 09:14

Is there a reason why I cannot include the string in the hash as part of the request?

CSRF tones have two parts. The token embedded in the form and the corresponding token elsewhere, whether in a cookie stored in a session or elsewhere. This use elsewhere stops the page contained offline.

If you include a string in the hash in the request, then the request will be autonomous, so copying the form should be performed by all the attacker, since they have both parts of the token, and therefore there is no protection.

Even if you put it in the URL form, it means it is contained, the attacker simply copies the form and the sending URL.

michalzuber · Answer 2 · 2013-05-31 10:12

Try base64_encode(openssl_random_pseudo_bytes(16)) . https://github.com/codeguy/php-the-right-way/issues/272#issuecomment-18688498 and I used it as an example form at https://gist.github.com/mikaelz/5668195

Dor · Answer 3 · 2009-11-26 22:06

A CSRF token designed to prevent (inadvertent) data modifications that are commonly used with POST requests.

Therefore, you must include a CSRF token for each request that changes data (either a GET or a POST request).

My question is about generating tokens in the absence of unique user data to use. No sessions are available, cookies are not an option, IP address and nature are not reliable.

Then simply create a unique user ID for each visitor. Include this identifier in the cookie or in the URLs (if cookies are disabled).

Edit:

Consider the following event:

You are logged into your facebook account and then entered on some arbitrary website.

There is a form on this website that you submit that tells your browser to send a POST request to your facebook account.

This POST request can change your password or add a comment, etc., because the facebook application has recognized you as a registered and registered user. (if there is no other locking mechanism such as CAPTCHA)

MyGGaN · Answer 4 · 2010-03-04 23:00

You just need the same "token" in the URL / form and in the cookie. This means that you could set the cookie page to what it wants (preferably some random value) using JavaScript, and then just pass the same value in all the requests that go to your server (in as the URI parameter? field). Your server does not need to generate cookies.

This is safe if we trust that the browser does not allow pages from the domain to edit / read cookies for other domains, and today it is considered to be very safe.

If your server creating the token believes that this token can be safely transferred to your browser without being picked up by CSRF attempts (why take the risk?). Although you could add more logic to the token created by the server, there is no need to prevent CSRF.

(If I'm wrong, please let me know)

Frank Zhang · Answer 5 · 2014-10-19 09:15

I want to say that your approach works because the CSRF attack is an attacker using the victim’s browser to create login status, why can they do it? because on most servers, session verification is based on the SessionID in a cookie, and a cookie is a piece of data that is automatically bound to an HTTP request sent to the server.

Therefore, there are two key factors for protecting CSRF.

Create a request token and ask the client to transfer it to the server in a non-cookie manner, either the URL parameter or the POST form is OK.
Keep the token safe, just like with a SessionID, for example, using SSL.

I recommend reading the CryptForms Cheat Sheet

dynax60 · Answer 6 · 2012-03-27 12:30

I think the best idea is to make an HMAC based hash, i.e. make a hash encrypted with some password in this sequence: username + user_id + timestamp. Each hash request should be different, the timestamp should be if you do not want a simple hash to be played in the attack.

Tower · Answer 7 · 2009-12-04 09:10

CSRF uses a user session, so if you don’t have one, CSRF is absent.

moogoo · Answer 8 · 2013-12-05 11:06

here is an example of python wtforms that generate and validate the csrf token:

https://bitbucket.org/simplecodes/wtforms/src/1939aec691af476960dfe16b4e17ba4fc070459b/wtforms/ext/csrf/session.py?at=default

CSRF Token Generation

More articles: