On 01/12/11 21:19, David Winterbottom wrote:
> All,
>
> A site I work on was penetration tested this week and several queries
> were raised about the site's (and hence Django's) CSRF implementation.
> The points seem valid to a degree but I wanted to check if there were
> design decisions behind the current implementation.
>
> Note, we're using Django 1.3.1.
>
> *CSRF tokens are not generated per-request or with a max age*
> Django's CSRF token is only generated when the cookie is not found, and
> as the cookie is set to a max age of a year, the token remains the same
> between requests (and visits). Is there a reason why a new token isn't
> generated for each request? I appreciate that this doesn't really open
> up a huge security hole, but it does differ from OWASP's
> recommendations:
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
If you generate a new CSRF cookie for each request, then you will run into
problems with forms opened in different tabs/windows. E.g. the first page is
opened with form 1, CSRF token 1 in the form, and CSRF cookie 1 is sent.
Another page is opened in a different tab with CSRF token 2 and CSRF cookie
2, which overwrites the cookie globally. Submitting page 2 will succeed, but
page 1 will now fail since it will send CSRF cookie 2 and CSRF token 1,
which don't match.

We have considered a version of our CSRF protection that is integrated with
the session system (as it used to be), which would provide protection
against the cross-subdomain attack. However, a mechanism that allows this to
be used optionally instead of the current one is tricky when it comes to
details. (You can swap out the middleware, but the CSRF decorators are
harder, unless you introduce a new setting, which we don't really want to
do.)

Also note that if you are giving subdomains to untrusted parties, this opens
you up to cross-subdomain session fixation attacks. Because of this,
supporting the untrusted-subdomain scenario has not been a priority for us.

Paul addressed the other points I think.

Regards,

Luke

-- 
The fashion wears out more apparel than the man.
  -- William Shakespeare

Luke Plant || http://lukeplant.me.uk/
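The two-tab failure Luke describes, as an added simulation that is not part of the thread and not Django's own code. It models a browser as one cookie jar shared across tabs (as real browsers behave) and a server doing a double-submit-cookie check, where the hidden form token must equal the CSRF cookie. The `rotate_per_request` switch selects between issuing a fresh cookie on every GET (the scheme David asked about) and issuing one only when no cookie is present (the Django 1.3 behaviour described in the thread). The class and function names, the cookie name and the use of a constant-time comparison are this example's own assumptions, not details taken from Django 1.3.1.

```python
"""Added example (not from the thread, not Django's code): why per-request
CSRF cookie rotation breaks a form left open in another tab."""
import secrets


class Browser:
    """One browser profile: tabs are separate, but the cookie jar is shared,
    so a Set-Cookie from any tab overwrites the cookie for all of them."""

    def __init__(self):
        self.cookies = {}


class Server:
    """Double-submit-cookie CSRF check: the token in the POST body must equal
    the token in the CSRF cookie the browser sends back."""

    COOKIE_NAME = "csrftoken"  # assumed name for this simulation

    def __init__(self, rotate_per_request):
        # True: new cookie on every GET. False: new cookie only if absent.
        self.rotate_per_request = rotate_per_request

    def render_form(self, browser):
        """GET a page containing a form. Sets the CSRF cookie in the shared
        jar and returns the form with the token embedded in a hidden field."""
        if self.rotate_per_request or self.COOKIE_NAME not in browser.cookies:
            browser.cookies[self.COOKIE_NAME] = secrets.token_hex(16)
        return {"csrfmiddlewaretoken": browser.cookies[self.COOKIE_NAME]}

    def post_form(self, browser, form):
        """POST the form: the cookie currently in the jar is compared with
        the hidden field. Returns True if the request is accepted."""
        cookie = browser.cookies.get(self.COOKIE_NAME)
        if cookie is None:
            return False
        # Constant-time comparison is this example's choice, not a claim
        # about how Django 1.3.1 compares tokens.
        return secrets.compare_digest(cookie, form["csrfmiddlewaretoken"])


def two_tab_scenario(rotate_per_request):
    """Open a form in tab 1, open another page in tab 2, submit tab 2, then
    submit tab 1. Returns (tab2_accepted, tab1_accepted)."""
    browser = Browser()
    server = Server(rotate_per_request)
    form_tab1 = server.render_form(browser)
    form_tab2 = server.render_form(browser)  # may overwrite the shared cookie
    tab2_ok = server.post_form(browser, form_tab2)
    tab1_ok = server.post_form(browser, form_tab1)
    return tab2_ok, tab1_ok


def forged_post_rejected(rotate_per_request):
    """A cross-site page cannot read the victim's cookie, so a forged form can
    only carry a guessed token; both schemes must still reject it."""
    browser = Browser()
    server = Server(rotate_per_request)
    server.render_form(browser)
    forged = {"csrfmiddlewaretoken": secrets.token_hex(16)}  # attacker's guess
    return not server.post_form(browser, forged)


if __name__ == "__main__":
    print("cookie kept until absent (tab2, tab1):", two_tab_scenario(False))
    print("cookie rotated per request (tab2, tab1):", two_tab_scenario(True))
    print("forged post rejected:", forged_post_rejected(False), forged_post_rejected(True))
```

With rotation off, both tabs submit successfully; with rotation on, tab 2 succeeds and tab 1 fails because the jar now holds cookie 2 while the form still carries token 1. Neither scheme accepts a forged token, which is the point Luke makes: per-request rotation costs usability without improving the check's resistance to a cross-site forgery.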