All, A site I work on was penetration tested this week and several queries were raised about the site's (and hence Django's) CSRF implementation. The points seem valid to a degree but I wanted to check if there were design decisions behind the current implementation.
Note, we're using Django 1.3.1.

*CSRF tokens are not generated per-request or with a max age*

Django's CSRF token is only generated when the cookie is not found, and as the cookie is set to a max age of a year, the token remains the same between requests (and visits). Is there a reason why a new token isn't generated for each request? I appreciate that this doesn't really open up a huge security hole, but it does differ from OWASP's recommendations: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

The security company also recommend that the CSRF token should have a maximum age so that it expires if you wait too long.

*No server-side check of the CSRF token*

Basically, as long as the cookie token matches the form token, the request is valid - even if they differ from what was set originally. I found some previous discussion of this (http://groups.google.com/group/django-developers/browse_thread/thread/571e875c9c4b806f/7ece8e94d48f6586?lnk=gst&q=csrf#7ece8e94d48f6586) and it seems that setting a CSRF cookie can only be done from a site with the same top-level domain. Hence, this is only an issue if someone malicious controls a subdomain. In their examples, they are hand-crafting the HTTP request to spoof this, but I guess that is not representative of what can be done via a browser-based CSRF attack.

How much of a security issue is this? I'm happy to share the relevant pages of the report if anyone's interested.

All thoughts appreciated.

--
*Dr. David Winterbottom*
Head of Programming
Tangent Labs
84-86 Great Portland Street
London W1W 7NR
England, UK
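To make the two points in the post concrete, here is an added example (not code from the post or from Django itself) that contrasts a stateless double-submit check, where any matching cookie/form pair is accepted, with a server-side store that only accepts tokens it issued and expires them after a maximum age. The store class, its session ids and the 60-second max age are constructed for illustration.

```python
"""Added example: stateless double-submit CSRF check versus a server-side,
expiring token store. Not Django's implementation; the store is hypothetical."""
import hmac
import secrets
import time


def double_submit_check(cookie_token, form_token):
    """Stateless check of the kind the post describes: the request is accepted
    whenever the cookie token equals the form token. Nothing ties either value
    to a token the server actually issued, so any matching pair passes."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


class ServerSideCsrfStore:
    """Hypothetical per-session token store with a maximum age.

    A token is only valid if it was issued by this store for the given session
    and has not outlived max_age_seconds; the clock is injectable for testing.
    """

    def __init__(self, max_age_seconds, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock
        self._issued = {}  # session_id -> (token, issued_at)

    def issue(self, session_id):
        """Generate a fresh random token for this session (rotates any old one)."""
        token = secrets.token_hex(16)
        self._issued[session_id] = (token, self.clock())
        return token

    def check(self, session_id, form_token):
        """Accept only a token issued for this session that has not expired."""
        entry = self._issued.get(session_id)
        if entry is None or not form_token:
            return False
        token, issued_at = entry
        if self.clock() - issued_at > self.max_age:
            del self._issued[session_id]  # expired: discard so it cannot be reused
            return False
        return hmac.compare_digest(token, form_token)
```

The stateless check returns True for a never-issued pair as long as both halves match, which is exactly the "no server-side check" point; the store rejects such a pair, rejects a token presented under a different session, and rejects a token once it has aged out.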