NYCPHP Meetup

NYPHP.org

[nycphp-talk] Better Way to Secure HTML Forms with Hash Tokens?

Michael B Allen ioplex at gmail.com
Tue Jun 24 00:08:40 EDT 2014


Hey,

I've always used hash tokens in forms to sanity check POST requests.
Meaning a random hash is generated on the server which is both stored
in the session and emitted in a hidden field in the form so that when
the form is submitted the server can remove it from the session and
check it against the hash sumbitted with the form. If the client
doesn't submit the one-time-token, there is no action taken.

Just from Googling around it seems that this is fairly common, if not
standard practice (Windows calls them "AntiForgeryToken"s). I found
one claim that this actually thwarts CSRF and XSS although it seems to
me that an attacker could use an async request to get a valid token
before it submits the CSRF request. So I'm wondering if there is a
better way.

Specifically, my question is, is there anything about the legitimate
request that would be reproducably different from the attacker's
request (even though it was from the same browser instance - just not
a page generated by the legit site) that could then be factored into
the hash on the server?

So does anyone have a clever technique they want to share (perhaps privately)?

Mike

-- 
Michael B Allen
http://www.ioplex.com/


More information about the talk mailing list