
visionviper

Member Since 25 Sep 2011
Offline Last Active Dec 15 2011 11:31 AM

Posts I've Made

In Topic: Getting input from user

25 September 2011 - 12:40 PM

What language? Or are you just making a shell script?

In Topic: Preventing Session Hijacking, CSRF

25 September 2011 - 12:37 PM

The first thing is to be certain to protect against XSS.
Everything should be sanitized: strip the HTML from every user input, and if you need the HTML, you should check it with a script like HTML Purifier or PHPIDS.

Then I use two session cookies and I check the browser name & version before loading the session.

And each time I print a form, I create a special unique id in an array in the session, together with the page the form will take the user to and an expiry time. And I echo the id inside a hidden input.
The reason I put it in an array is because of tabs/windows. A user could load the form many times in multiple windows/tabs and it will still work.
And when the unique id is used, I delete it from the session. So this can prevent double posts too (2 good things in one).

If you are using Zend Framework, you could use the built-in functions; for more info take a look at How to CSRF protect all your forms | CodeUtopia - The blog of Jani Hartikainen

And if you ever find a way to protect more, post it here, I will be happy to know about new ways to protect myself.


So if I just updated my original idea for CSRF prevention to include a list of valid IDs then that should take care of it, right?

In Topic: Preventing Session Hijacking, CSRF

25 September 2011 - 12:22 PM

The first thing is to be certain to protect against XSS.
Everything should be sanitized: strip the HTML from every user input, and if you need the HTML, you should check it with a script like HTML Purifier or PHPIDS.

Then I use two session cookies and I check the browser name & version before loading the session.

And each time I print a form, I create a special unique id in an array in the session, together with the page the form will take the user to and an expiry time. And I echo the id inside a hidden input.
The reason I put it in an array is because of tabs/windows. A user could load the form many times in multiple windows/tabs and it will still work.
And when the unique id is used, I delete it from the session. So this can prevent double posts too (2 good things in one).

If you are using Zend Framework, you could use the built-in functions; for more info take a look at How to CSRF protect all your forms | CodeUtopia - The blog of Jani Hartikainen

And if you ever find a way to protect more, post it here, I will be happy to know about new ways to protect myself.


So basically if I just extended my existing idea for preventing CSRF attacks to keep track of more than just a single unique value then that should do it? (with correct application of course).
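The per-form token scheme quoted in the two posts above (an array of ids in the session, each bound to a target page and an expiry time, deleted once used) written out as a working PHP sketch. This is an added example, not the quoted poster's own code; the function names, the `$_SESSION['csrf']` key and the 30-minute lifetime are this example's assumptions.

```php
<?php
// Added example: per-form CSRF tokens kept in an array in the session, each bound
// to a target page and an expiry time, and removed the first time they are used.
// Function names, the session key and the TTL are assumptions of this example.
session_start();

const CSRF_TTL = 1800; // assumed token lifetime in seconds

// Issue a token for a form that will post to $targetPage; returns the hidden input.
function csrf_field(string $targetPage): string {
    csrf_purge(); // drop expired tokens so the array does not grow without bound
    $token = bin2hex(random_bytes(32)); // 256-bit unpredictable id
    $_SESSION['csrf'][$token] = [
        'page'    => $targetPage,
        'expires' => time() + CSRF_TTL,
    ];
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate and consume a token on the receiving page. Succeeds at most once per
// token, which also rejects a double submit of the same form.
function csrf_check(string $currentPage, ?string $token): bool {
    if ($token === null || !isset($_SESSION['csrf'][$token])) {
        return false; // unknown, forged, or already used
    }
    $entry = $_SESSION['csrf'][$token];
    unset($_SESSION['csrf'][$token]); // single use: remove before any other check
    if ($entry['expires'] < time()) {
        return false; // expired
    }
    return $entry['page'] === $currentPage; // issued for a different page: reject
}

// Remove every token whose expiry time has passed.
function csrf_purge(): void {
    $now = time();
    foreach ($_SESSION['csrf'] ?? [] as $token => $entry) {
        if ($entry['expires'] < $now) {
            unset($_SESSION['csrf'][$token]);
        }
    }
}

// On the page that renders the form:
//   echo '<form method="post" action="/profile.php">' . csrf_field('/profile.php') . '...</form>';
// At the top of /profile.php when handling the POST:
//   if (!csrf_check('/profile.php', $_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
```

Because each open tab holds its own entry in the array, a user with several copies of the form open can submit any of them, while a token presented twice, after expiry, or to a page other than the one it was issued for is refused.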

In Topic: Preventing Session Hijacking, CSRF

25 September 2011 - 09:09 AM

Your method is good, but it has a flaw.
If the user sends 1 request, and before receiving the response he sends another request (via another tab), your protection will flag this as a session hijack.

And you should store those variables in session variables, since you will always need them, and they don't need to be stored after the session has ended.

Me, I like to use the browser info as additional information. Since the same session can't be used in Firefox and Chrome at the same time, it's a little plus for security. But beware, don't use the whole browser identification string, since on Firefox, when Firebug is activated, the browser id changes.

And if you are on a shared browser, you should think about moving the directory for your sessions, or maybe use a MySQL session store for storing your sessions.


I didn't even think about different tabs/windows. Can you give me a little more info about how you prevent a CSRF in your PHP applications?
