
Julien Couvreur's programming blog and more

Cross-Site Request Forgery and Capability-based Security


Chris Shiflett wrote a nice post on CSRF attacks. These attacks are not new, but they remain common, and digg.com was recently vulnerable to such an exploit (which would make unwilling visitors digg a story, as long as they were logged into digg.com).

This post on the digg.com flaw refers to the CSRF technique as "session riding". It's the first time I've seen this name, but it's quite descriptive, and it highlights that the core of this problem lies with the choice of security model (principal-based access control).
In that security model, the authority to perform certain actions is implicit once the user is authenticated. But it's often too easy to trick the agent holding the credentials into misusing that implicit or ambient authority.

Using a formkey is just a way to ensure that only a certain page has the authority to POST to a certain URL, which is very much in line with capability-based security.
If the capability approach and way of thinking were to become more pervasive, I believe that the web would become safer while allowing more collaboration and integration between sites. Also, using capabilities pretty much avoids the (hard) problem of building a global and distributed identity system.
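To make the formkey-as-capability idea concrete, here is an added example (not code from the post or from digg.com) in which a formkey is an HMAC bound to one session and one target URL, so holding the key is the authority to POST there and nothing else. The server secret, session ids and URLs are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed placeholder; a real deployment loads this from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"


def mint_formkey(session_id: str, action_url: str, secret: bytes = SERVER_SECRET) -> str:
    """Return a formkey bound to one session and one POST target.

    The key is an HMAC over (session, url): possessing it grants authority
    only to POST to that url from that session, which is the capability
    the formkey represents.
    """
    msg = f"{session_id}\n{action_url}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_post(session_id: str, action_url: str, submitted_key: Optional[str],
               secret: bytes = SERVER_SECRET) -> bool:
    """Accept a POST only when the formkey matches both the session and the url."""
    if not submitted_key:
        return False  # cookie alone (ambient authority) is not enough
    expected = mint_formkey(session_id, action_url, secret)
    return hmac.compare_digest(expected, submitted_key)


def simulate() -> dict:
    """Walk through the session-riding scenario with constructed values."""
    session = "sess-" + secrets.token_hex(8)  # constructed: the victim's logged-in session
    digg_url = "/digg"
    # 1. The site renders its own page and embeds a formkey for the digg action.
    key = mint_formkey(session, digg_url)
    # 2. Legitimate submit from that page: session cookie plus matching formkey.
    legit = check_post(session, digg_url, key)
    # 3. Session riding: a third-party page auto-submits the form. The browser
    #    attaches the cookie, but that page cannot read the formkey, so none is sent.
    riding = check_post(session, digg_url, None)
    # 4. A key minted for one action carries no authority over another url.
    other_url = check_post(session, "/bury", key)
    # 5. A key from a different session is useless in this one.
    other_session = check_post("sess-other", digg_url, key)
    return {"legit": legit, "riding": riding,
            "other_url": other_url, "other_session": other_session}
```

Only the legitimate submit is accepted; the three requests that ride on the cookie alone, target a different URL, or reuse a key across sessions are all rejected.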

I encourage you to check out the presentation by an HP research team on Google Video on the topic of capabilities and authority-based access control for the web, Core Patterns for Web Permissions, by Tyler Close.

It's actually part of a whole series (4 parts), but Tyler's talk is focused on applying the concepts to the web.
The other episodes are about applying the concepts at different scopes: to the system, the programming language and the user interface:
