Friday, July 24, 2009

CSRF Tokens Are Not Broken

You may have just read this story about a new attack against CSRF Tokens. The attack is a clever combination of the old CSS history attack against today's CSRF defense token. I give "Inferno" credit for this new discovery and applaud the creativity and technical skills which keep everyone in the industry on their toes.

However, CSRF tokens are still the most effective way of preventing CSRF attacks. This attack is a brute force attack against the CSRF token. As the article states,

[The attack] was able to find two five-figure tokens in under seven minutes.

Luckily, the normal CSRF token is much more complex. For example, here is a token generated through ESAPI (i.e. CSRF Guard):

G8bGdoWkA3GVARPOKsmzQUplynLJ0to1

A token with this level of complexity would not be brute forced in any reasonable amount of time. And consider this: if we could brute force this sort of value in a reasonable time frame, then we would brute force the sessionID instead and just take over the user's session with the application!
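To put numbers on the argument above, here is an added example (my own code, not ESAPI or CSRF Guard code) that compares the search space of a five-figure numeric token with that of a 32-character alphanumeric token like the one shown, and shows how a defender should generate and compare such tokens. The guess rate is a rough upper bound I derived from the quoted figure (two five-figure tokens, i.e. at most 200,000 candidates, in under seven minutes); it is an assumption for illustration, not a measurement from the article.

```python
import hmac
import math
import secrets

# Alphabet of the ESAPI-style token quoted in the post: upper, lower, digits (62 symbols).
ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Assumed guess rate, derived from the quoted result: two five-figure tokens
# (at most 2 * 10**5 candidates) in under seven minutes -> about 476 guesses/s.
GUESSES_PER_SECOND = (2 * 10**5) // (7 * 60)
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def generate_token(length: int = 32, alphabet: str = ALPHANUMERIC) -> str:
    """Build a CSRF token from the OS CSPRNG (secrets), one symbol at a time.

    Never use random.choice() for this: the Mersenne Twister is predictable.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens an attacker must consider: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen token, in bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: int) -> int:
    """Seconds needed to exhaust the whole token space at a fixed guess rate."""
    return search_space(alphabet_size, length) // guesses_per_second


def worst_case_years(alphabet_size: int, length: int, guesses_per_second: int) -> int:
    return worst_case_seconds(alphabet_size, length, guesses_per_second) // SECONDS_PER_YEAR


def tokens_match(expected: str, presented: str) -> bool:
    """Compare the stored token with the submitted one without leaking timing.

    A plain == short-circuits on the first differing byte, which can let an
    attacker learn the token one byte at a time; compare_digest does not.
    """
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Five-figure numeric token, as in the attack write-up quoted in the post.
    print("5-digit token:  space=%d, %.1f bits, exhausted in ~%d s"
          % (search_space(10, 5), entropy_bits(10, 5),
             worst_case_seconds(10, 5, GUESSES_PER_SECOND)))
    # 32-character alphanumeric token, like the ESAPI example.
    print("32-char token:  space=%.2e, %.1f bits, exhausted in ~%.2e years"
          % (search_space(62, 32), entropy_bits(62, 32),
             worst_case_years(62, 32, GUESSES_PER_SECOND)))
    tok = generate_token()
    print("fresh token:", tok, "matches itself:", tokens_match(tok, tok))
```

At the assumed rate the five-digit space falls in about three and a half minutes, which agrees with the quoted result, while the 62-symbol, 32-character space (about 190 bits) takes on the order of 10^47 years. The same arithmetic applies to the session ID, which is the post's point: any attacker who could search a space that size would not bother with the CSRF token.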


-Michael Coates