Friday, July 24, 2009

CSRF Tokens Are Not Broken

You may have just read this story about a new attack against CSRF tokens. The attack is a clever combination of the old CSS history attack with today's CSRF defense token. I give "Inferno" credit for this new discovery and applaud the creativity and technical skills which keep everyone in the industry on their toes.

However, CSRF tokens are still the most effective way of preventing CSRF attacks. This attack is a brute force attack against the CSRF token. As the article states,

[The attack] was able to find two five-figure tokens in under seven minutes.
Luckily, the normal CSRF token is much more complex. For example, here is a token generated through ESAPI (i.e. CSRF Guard):

G8bGdoWkA3GVARPOKsmzQUplynLJ0to1
A token with this level of complexity would not be brute forced in any reasonable amount of time. And consider this: if we could brute force this sort of value in a reasonable time frame, then we would brute force the session ID instead and just take over the user's session with the application!
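As an added illustration (not code from the original post or from ESAPI), the following Python compares the search space of the five-figure token the article mentions with a 32-character alphanumeric token like the one above, and shows how such a token should be generated and checked. The guess rate of roughly 500 candidates per second is an assumption derived from "two five-figure tokens in under seven minutes"; all function names are mine.

```python
import hmac
import secrets
import string

# Assumed alphabet of the ESAPI-style token above: upper, lower and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def generate_token(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG (never random.choice for security tokens)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify_token(expected: str, presented: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the token."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct tokens of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_brute_force(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to hit a token: on average half the keyspace is searched."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def years_to_brute_force(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    return seconds_to_brute_force(length, alphabet_size, guesses_per_second) / (365.25 * 86400)


if __name__ == "__main__":
    # Constructed rate: two 5-digit tokens (at most 2 * 10**5 guesses) in under
    # seven minutes works out to roughly 500 guesses per second.
    rate = 500.0
    print("5 digits, 10 symbols:", seconds_to_brute_force(5, 10, rate), "seconds on average")
    print("32 chars, 62 symbols:", f"{years_to_brute_force(32, 62, rate):.2e}", "years on average")
    token = generate_token()
    print("fresh token:", token, "verifies:", verify_token(token, token))
```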


-Michael Coates

4 comments:

  1. This comment has been removed by the author.

  2. "if we could brute force this sort of value in a reasonable time frame, then we would brute force the sessionID instead and just take over the user's session with the application!"

    The brute-forcing of the CSRF token is happening in the browser and relies on publicly (from the browser's point of view) available information. This attack is stealthy from the server's point of view. Brute-forcing the session cookie would involve hammering the server with hundreds of thousands of requests, which is far noisier.

  3. @ekse: whatever. Even if the attack is stealthy from the point of view of the server, that doesn't change the fact that suddenly we should all think that our CSRF tokens are insecure, nor that it is easy to even break short tokens.

    For me, Inferno has definitely shown some creativity but all the buzz around it is unrealistic. And arguments like "I've seen many applications using short tokens like that" aren't good enough either.

  4. Brute forcing on the client side is clever. However, the reason the session ID (or CSRF token) is not easily brute forced is not due to detection of the attack by the server. It is due to the difficulty of guessing a valid number from a range of 1.5x10^54 possible values. So, the "noise" of the attack is insignificant here. It's the math and total space of possible values which is the issue.


    1.5x10^54 is a 32-character value from a pool of 36 possible characters.

