On Thursday 19 March 2009 08:53:06 Thomas Guettler wrote:

> The CSRF middleware inserts a hidden input element in every form.
>
> Since GET Requests are mostly readonly, the bad guy needs a POST
> request to do some evil.
>
> If the bad guy can make a POST request
> with the user's browser, the bad guy might make a GET request with
> javascript first, read the hidden input element and use the value
> for the evil POST request.

How could an attacker read the input element from the context of 
another web page?  Certainly they can read it if the javascript is 
running in the context of the same web site, but then you are talking 
about XSS, not CSRF.  Can you demonstrate a method of getting around 
the CsrfMiddleware that actually works?

> I just read this:
>
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> Maybe HTTP-Referer checking is a better solution.

Referer checking won't work if the referer header is not sent, and 
some people turn it off, and the attacker can suppress it using FTP or 
HTTPS urls.

Luke

-- 
"Oh, look. I appear to be lying at the bottom of a very deep, dark 
hole. That seems a familiar concept. What does it remind me of? Ah, I 
remember. Life."  (Marvin the paranoid android)

Luke Plant || http://lukeplant.me.uk/
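As an added example (not code from this thread, from Django, or from either poster), here is a minimal Python model of the two defences debated above: a per-session token in a hidden input versus a Referer check with its missing-header problem. The `csrfmiddlewaretoken` field name follows Django's convention; the session and header dicts stand in for a real request.

```python
# Added example, not the thread's or Django's code: the two CSRF defences above.
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token(session: dict) -> str:
    """Create (once per session) the random token the middleware puts in a hidden input.

    A page on another origin can make the browser fetch the form, but the
    same-origin policy stops cross-origin script from reading the response body,
    so the token stays secret. Reading it needs script running on the same site,
    which is XSS rather than CSRF.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Accept a POST only if the hidden field equals the session's token."""
    expected = session.get("csrf_token")
    submitted = form.get("csrfmiddlewaretoken")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check leaks nothing about the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def referer_check(headers: dict, allowed_host: str, reject_missing: bool) -> bool:
    """Referer-based alternative.

    The header may be absent (user setting, or a navigation from an FTP or HTTPS
    page to an HTTP one), so the scheme hinges on the missing-header policy:
    accepting lets a forged POST through, rejecting locks out users whose
    browsers never send it.
    """
    referer = headers.get("Referer")
    if referer is None:
        return not reject_missing
    return urlsplit(referer).hostname == allowed_host
```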

