Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-22 Thread Gerry Gurevich
Forgive me if this came through and no one responded, but I didn't see
my message in the list, so here goes again just in case.  I've also
added a little more info to my original scenario/question.

I was trying to respond to Shawn's statement:
>>Something to understand is that "action" pages are not the only pages that 
>>can be exploited or part of an exploit.

Can anyone give an example of a Cross Site Forgery exploit that would
have an impact on a non-action page?

Suppose I have a page that lists all of my users.
http://somehost/myapp/index.cfm?event=showusers

On this page, I execute a select query and display the results.  If
someone else tricks me into loading that page on my own machine using
http://somehost/myapp/index.cfm?event=showusers, then what
is the risk?  It would be a roundabout way to do a denial of service.
But otherwise, it doesn't expose any information and doesn't cause any
damage.

I definitely understand the problem of not protecting the page
http://somehost/myapp/index.cfm?event=deleteuser or
http://somehost/myapp/index.cfm?event=deleteuser&userid=1.

If I'm missing something, please let me know.


-
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-





Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-18 Thread Gerry Gurevich
On Thu, Dec 18, 2008 at 10:18 AM, shawn gorrell  wrote:
> Something to understand is that "action" pages are not the only pages that
> can be exploited or part of an exploit.

Frinstance?

Suppose I have a page that lists all of my users.
http://somehost/myapp/index.cfm?event=showusers

On this page, I execute a select query and display the results.  If
someone else tricks me into loading that page on my own machine using
http://somehost/myapp/index.cfm?event=showusers, then what
is the risk?

I definitely understand the problem of not protecting the page
http://somehost/myapp/index.cfm?event=deleteuser or
http://somehost/myapp/index.cfm?event=deleteuser&userid=1.

If I'm missing something, please let me know.







Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-18 Thread shawn gorrell
Something to understand is that "action" pages are not the only pages that can 
be exploited or part of an exploit. 





From: Gerry Gurevich 
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 8:39:21 AM
Subject: Re: [ACFUG Discuss] Cross Site Forgery Question

Thanks for the info Shawn.  We've got someone looking at your
solution.  I just realized that I hadn't posted the link to the
solution that we were looking at in my original post.  Here it is:
http://www.12robots.com/index.cfm/2008/8/25/Request-Forgeries-and-ColdFusion--Security-Series-9

I assume you are doing something similar.

FWIW, I'm looking into this for a colleague and what he is telling me
is that the security goons are scanning his site and labeling it
vulnerable even though the pages that they are hitting with this
vulnerability are not action pages.  Doesn't seem like a real problem
in that case to me.

On Wed, Dec 17, 2008 at 4:08 PM, shawn gorrell  wrote:
> There are ways to do it for forms and urls. In fact, I have a fully baked
> implementation of a mitigation in my Tardis framework. The approach is
> simple, have each page request a token (nonce) from a security component and
> add it as a hidden to your form, or append it to any url inside your app and
> then check on the next request to make sure that the token was passed, and
> that it has never been used before. This also prevents double-submits. Let
> me know if you'd like a go-to for the code...
>
> 
> From: Gerry Gurevich 
> To: discussion@acfug.org
> Sent: Wednesday, December 17, 2008 3:59:50 PM
> Subject: [ACFUG Discuss] Cross Site Forgery Question
>
> Sorry, I posted to the wrong list initially.  Here is my question for
> the discussion list:
>
>
> I've been asked to investigate this by someone at my company.  They
> found this link as a CF solution.  Do you all have any thoughts or
> opinions on the value of this approach?  It seems to only work for
> form submit actions.  What would you do if you had a link to an
> action page?  How would you mitigate against this type of attack?
>
> Your thoughts are appreciated.
>
>
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -
>
>
>
>
> -
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by FusionLink
> -


-
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-


-
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-



Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-18 Thread Gerry Gurevich
Should have put a smiley on my use of "security goons".  :-)

I appreciate the value of security.  However, in this case, I believe
that they really are false positives.

BTW, I would love to have a copy of your preso.  Please send it
off-list (or post a link).  Many thanks.

On Thu, Dec 18, 2008 at 8:51 AM, Dean H. Saxe
 wrote:
> They may be doing automated scanning resulting in false positives. Have a
> manual review completed to rule out false positives.  This is a serious
> concern, however, and should be addressed in all development projects. If
> you wish I can send out a copy of my MAX preso where I address CSRF. Also see
> CSRFGuard from OWASP for an implementation in Java which you can reference.
>
> And us "security goons" are trying to protect those "clueless developers"
> from themselves.  ;-)
>
> -dhs





Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-18 Thread Dean H. Saxe
They may be doing automated scanning resulting in false positives.  
Have a manual review completed to rule out false positives.  This is a  
serious concern, however, and should be addressed in all development  
projects. If you wish I can send out a copy of my MAX preso where I  
address CSRF. Also see CSRFGuard from OWASP for an implementation in  
Java which you can reference.


And us "security goons" are trying to protect those "clueless  
developers" from themselves.  ;-)


-dhs







Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-18 Thread Gerry Gurevich
Thanks for the info Shawn.  We've got someone looking at your
solution.  I just realized that I hadn't posted the link to the
solution that we were looking at in my original post.  Here it is:
http://www.12robots.com/index.cfm/2008/8/25/Request-Forgeries-and-ColdFusion--Security-Series-9

I assume you are doing something similar.

FWIW, I'm looking into this for a colleague and what he is telling me
is that the security goons are scanning his site and labeling it
vulnerable even though the pages that they are hitting with this
vulnerability are not action pages.  Doesn't seem like a real problem
in that case to me.

On Wed, Dec 17, 2008 at 4:08 PM, shawn gorrell  wrote:
> There are ways to do it for forms and urls. In fact, I have a fully baked
> implementation of a mitigation in my Tardis framework. The approach is
> simple, have each page request a token (nonce) from a security component and
> add it as a hidden to your form, or append it to any url inside your app and
> then check on the next request to make sure that the token was passed, and
> that it has never been used before. This also prevents double-submits. Let
> me know if you'd like a go-to for the code...





Re: [ACFUG Discuss] Cross Site Forgery Question

2008-12-17 Thread shawn gorrell
There are ways to do it for forms and urls. In fact, I have a fully baked 
implementation of a mitigation in my Tardis framework. The approach is simple, 
have each page request a token (nonce) from a security component and add it as 
a hidden to your form, or append it to any url inside your app and then check 
on the next request to make sure that the token was passed, and that it has 
never been used before. This also prevents double-submits. Let me know if you'd 
like a go-to for the code... 





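The token-per-request scheme Shawn describes above (mint a nonce while rendering the page, put it in a hidden field or on the link, accept it once and never again), applied to the deleteuser link Gerry asks about, as an added example. This is not Tardis or the 12robots code and is written in Python rather than CFML so it runs stand-alone; the function names, the csrftoken parameter, the 15-minute lifetime, the toy index.cfm dispatcher and the two-row users table are all assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: a token is valid for 15 minutes; a form left open longer must be reloaded.
NONCE_TTL_SECONDS = 15 * 60

# Unused nonces, keyed by session: {session_id: {sha256(token): issued_at}}.
# Binding the token to the session is what stops an attacker from minting a
# token in their own session and splicing it into the victim's request.
_issued = {}


def issue_token(session_id, now=None):
    """Mint a fresh, single-use token while rendering a page for this session."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Only the hash is stored, so a dumped session store does not yield live tokens.
    _issued.setdefault(session_id, {})[hashlib.sha256(token.encode()).hexdigest()] = now
    return token


def consume_token(session_id, token, now=None):
    """True exactly once per issued token; replays, foreign and expired tokens fail."""
    now = time.time() if now is None else now
    if not token:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    issued_at = _issued.get(session_id, {}).pop(digest, None)  # burn on first sight
    if issued_at is None:
        return False
    return now - issued_at <= NONCE_TTL_SECONDS


def action_url(base_url, session_id, **params):
    """Append a token to a link that points at an action page (the 'link' case)."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query))
    query.update(params)
    query["csrftoken"] = issue_token(session_id)
    return urlunsplit(parts._replace(query=urlencode(query)))


def hidden_field(session_id):
    """Hidden input to drop into a form (the 'form submit' case)."""
    # token_urlsafe only yields [A-Za-z0-9_-], so no HTML escaping is needed here.
    return '<input type="hidden" name="csrftoken" value="%s">' % issue_token(session_id)


# Constructed sample data standing in for the users table.
USERS = {1: "alice", 2: "bob"}


def handle(session_id, url):
    """Toy front controller for index.cfm?event=...: read-only events need no
    token, state-changing ones must present one that has never been used."""
    params = dict(parse_qsl(urlsplit(url).query))
    event = params.get("event")
    if event == "showusers":
        return 200, sorted(USERS.values())
    if event == "deleteuser":
        # A forged <img src=...> or link on another site makes the victim's browser
        # send their cookie, but it cannot carry a token the attacker never saw.
        if not consume_token(session_id, params.get("csrftoken")):
            return 403, "missing, replayed or expired token"
        USERS.pop(int(params["userid"]), None)
        return 200, sorted(USERS.values())
    return 404, "unknown event"


def demo():
    """Forged request, legitimate tokenised link, then a replay of that link."""
    sid = "victim-session"
    forged = handle(sid, "http://somehost/myapp/index.cfm?event=deleteuser&userid=1")
    link = action_url("http://somehost/myapp/index.cfm", sid, event="deleteuser", userid=1)
    legit = handle(sid, link)
    replay = handle(sid, link)  # same token again: the double-submit case
    return forged, legit, replay


if __name__ == "__main__":
    for label, result in zip(("forged", "legit", "replay"), demo()):
        print(label, result)
```

Running demo() shows the three outcomes in order: the bare deleteuser URL is refused, the link the application itself rendered deletes user 1, and presenting that link a second time is refused because the nonce was burned on first use. The same consume_token check sits behind a form that carries hidden_field(), which is why one store serves both the form and the link case.
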



[ACFUG Discuss] Cross Site Forgery Question

2008-12-17 Thread Gerry Gurevich
Sorry, I posted to the wrong list initially.  Here is my question for
the discussion list:


I've been asked to investigate this by someone at my company.  They
found this link as a CF solution.  Do you all have any thoughts or
opinions on the value of this approach?  It seems to only work for
form submit actions.   What would you do if you had a link to an
action page?  How would you mitigate against this type of attack?

Your thoughts are appreciated.

