Comments on: Report and Case Study on CSRF http://ajaxian.com/archives/csrf-report Cleaning up the web with Ajax Thu, 09 Feb 2012 06:55:33 +0000 hourly 1 http://wordpress.org/?v=3.2 By: stim http://ajaxian.com/archives/csrf-report/comment-page-1#comment-267805 stim Wed, 01 Oct 2008 16:58:47 +0000 http://ajaxian.com/?p=4631#comment-267805 I wonder how the provided solution will work. All I can see is that the attack is delayed a bit, the attacker needs the client to pick up the token first, before issueing the attack. That is, create two CSRF to inflict one. This provideds no security at all. (Or am I missing something?) The only solution I can think of (also proposed in the article about clickjacking) is to allow the pickup of the tokens only after the user proves he's not a machine. Captcha's and the like on every action. Although that will be to intrusive. I wonder how the provided solution will work. All I can see is that the attack is delayed a bit, the attacker needs the client to pick up the token first, before issueing the attack. That is, create two CSRF to inflict one.
This provideds no security at all. (Or am I missing something?)

The only solution I can think of (also proposed in the article about clickjacking) is to allow the pickup of the tokens only after the user proves he’s not a machine. Captcha’s and the like on every action. Although that will be to intrusive.

]]>