Does Arachni support session long anti-CSRF tokens


Steven Phillips

17 Jul, 2017 01:57 PM

Hi Tasos,

First let me thank you again for the nested cookies feature, it's working perfectly - you closed the other thread before I could feed back on my larger tests, which have found some problems that I would never have found without this feature, so thanks again!

I have one remaining issue that I'm not making any progress on, and that's with the anti-CSRF check. I have a randomly generated 32-byte hex string which is generated once per session (not the most secure, but I believe still deemed adequate and about the best I can do without severely compromising performance or usability, or probably both) and Arachni is claiming all but one form as being susceptible to CSRF attacks.

So I've created a simple test harness which has a 'home' page with a link to a simple 'Set name' page using a session variable to store the 32-byte random anti-CSRF token - this site reportedly works fine with no issues (only running the csrf check). If I then duplicate the 'Set name' page (i.e. just copy it to a new file name) so the home page has 2 links, one to each page, that do exactly the same thing, I then trigger a CSRF error for one of them but not the other.

The CSRF check reports the Vector information as:

name
mems   Save changes
sk     608da8d8d0dffcd696696d6e41d44613e

The 'sk' input is the anti-CSRF token and I've tried renaming the input to 'csrf_token', but nothing I've tried avoids the 2nd page triggering a CSRF issue.

Is a session-long anti-CSRF token still considered an acceptable security measure? Does Arachni support session-long CSRF tokens? If so, what am I doing wrong?

I can send you the test harness if it would help.

Thanks,

Steve
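For readers following the thread, here is an added example (not Arachni's code and not Steve's test harness) of the per-session anti-CSRF scheme the post describes: one random 32-byte token is generated when the session starts, stored server-side, embedded as a hidden input in every form, and compared against the submitted value on every state-changing request. The field name `sk` and the form inputs `name` and `mems` are taken from the vector listing above; the session dictionary, the `render_form`/`handle_post` helpers and the optional `rotate_token` per-request variant are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Hidden input that carries the token; name taken from the post's vector listing.
TOKEN_FIELD = "sk"


def new_session() -> Dict[str, str]:
    """Start a session and mint its single, session-long CSRF token.

    secrets.token_hex(32) returns 32 random bytes as 64 hex characters,
    matching the '32 byte hex string' described in the post.
    """
    return {TOKEN_FIELD: secrets.token_hex(32)}


def render_form(session: Dict[str, str], action: str) -> str:
    """Build a 'Set name' form that embeds the session token as a hidden input.

    Every form rendered for this session carries the same token, so duplicating
    the page (as the post does) yields two forms that validate identically.
    """
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{session[TOKEN_FIELD]}">'
        '<input type="text" name="name">'
        '<input type="submit" name="mems" value="Save changes">'
        "</form>"
    )


def csrf_ok(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Return True only if the submitted token equals the session's token.

    A missing token on either side is a rejection, and the comparison uses
    hmac.compare_digest so its timing does not leak how many characters matched.
    """
    submitted = form.get(TOKEN_FIELD)
    expected = session.get(TOKEN_FIELD)
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted, expected)


def handle_post(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Server-side handler for the 'Set name' form: reject before touching state."""
    if not csrf_ok(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"name set to {form.get('name', '')!r}"


def rotate_token(session: Dict[str, str]) -> str:
    """Stricter alternative: issue a fresh token after each accepted request.

    This is the per-request scheme the post contrasts with; it costs a new
    token (and a re-render of open forms) per request, which is the usability
    trade-off the post mentions.
    """
    session[TOKEN_FIELD] = secrets.token_hex(32)
    return session[TOKEN_FIELD]


if __name__ == "__main__":
    s = new_session()
    # Constructed requests: two legitimate submissions from duplicated pages,
    # one forged request with no token, one carrying another session's token.
    print(handle_post(s, {TOKEN_FIELD: s[TOKEN_FIELD], "name": "alice"}))
    print(handle_post(s, {TOKEN_FIELD: s[TOKEN_FIELD], "name": "bob"}))
    print(handle_post(s, {"name": "mallory"}))
    print(handle_post(s, {TOKEN_FIELD: new_session()[TOKEN_FIELD], "name": "mallory"}))
```

The check that matters for a scanner is the last two calls: a request without the token, or with a token from a different session, must be refused. A session-long token that is enforced this way on every page is the property a CSRF check is looking for; whether one page passes and a duplicate fails then depends on the scanner's own detection heuristics rather than on the token scheme.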
