Random string in URL helpful against "Man in the Middle Attack"?

1
votes

Here's the scenario:

On every non-shopping-cart page a new md5(rand()) session variable is generated. This variable is then inserted into the url for shopping cart links. Clicking the cart link would be the point at which a user is transferred from http to https so I understand that this is a crucial transaction to secure in order to prevent a man in the middle from injecting himself between the server and the user.

In order to access the shopping cart the current session variable must match the string in the url (eg "/shopping_car_url/{random_string}/"), otherwise a 404 error is sent.

  1. Should this be effective as long as the session is not compromised?
  2. Would using a POST variable (or the same or different random strings in both session and post) be as or more effective (or ineffective)?
  3. If this is effective, is there any benefit to doing the same thing through the rest of the cart editing / checkout process or would this be pointless since the user is already connected to SSL at this point?
2
phpsecuritysslman-in-the-middle
How do you plan to indentify which value generated with md5(rand()) is supposed to be accepted / avoided? - samayo
And what is the presence of that slug supposed to prove? A man in the middle would have no problem intercepting the slug when it's sent over HTTP. - user149341
@PHP Newb, the session variable would be overwritten if page was not "shopping cart". On shopping cart page it would test that the url matched it then would be overwritten. - irregularexpressions
@duskwuff, I guess the only thing it's doing is forcing the man in the middle to set a session variable to a value he intercepts via http. Can a session variable be set so easily by a malicious user that this is not useful? - irregularexpressions

2 Answers

2
votes

What you're trying to protect yourself against here is CSRF (Cross Site Request Forgery) and not MITM.

Once you switch to https a MITM attack is virtually impossible and adding items to a cart typically doesn't require CSRF protection (unlike the payment action itself). Make sure to also read XSS & CSRF: Practical explotation of post-authentication vulnerabilities.

However, if a malicious person manages to position themselves in between the user and your site before you switch to https, they would be able to rewrite your shop links as well, but without using https; it would then be up to your users to be vigilant about the lock icon in the address bar.

2
votes

Don't bother with it. Keep your URLs simple and straightforward; your customers will be much happier. If you're using SSL correctly, you are protected against the vast majority of transport-layer man-in-the-middle attacks.