> I'm looking for thoughts on CSRF attacks that result in forged headers from
> the victim user to the target site. Are there modern attacks that work here?
> If not, could we implement a CSRF protection that uses a custom header and
> avoid the cost of computing random numbers?

The only thing that undermines this approach is that there's a fairly
steady stream of plugin implementation bugs that make header injection
easy (XMLHttpRequest implementation bugs seem to be dying off). They
usually (not always!) require you to be SOP with the attacked domain,
so theoretically no problem - but if you can also tweak "Host", it
becomes a problem on systems with multiple virtual servers on a single
IP, one of them controlled by a rogue party or just vulnerable to XSS.

In any case... I am willing to say that this is a reasonably robust
XSRF defense in most cases, but you have to keep this extra likelihood
of breakage in mind.

/mz
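As an added illustration of the defense discussed above (example code written for this page, not from any list participant), here is a server-side check that requires a custom header on state-changing requests and also pins the `Host` header to an allowlist, which is the caveat raised about several virtual servers sharing one IP. The header name `X-Requested-With`, the `check_request` function and the sample requests are all assumptions made for the example.

```python
"""
Custom-header CSRF check.

Browsers will not attach a non-standard header to a cross-site form post or
to a fetch/XHR without a CORS preflight that the target must approve, so a
state-changing request that carries the header is, absent a plugin or
client bug, same-origin. The Host allowlist covers the vhost caveat: a
request for a name we do not serve is rejected outright.
"""
from typing import Mapping, Tuple

# Methods that may change server state and therefore must carry the header.
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# Header name is an assumption; any non-standard name works, the value is
# irrelevant because the presence of the header is what the browser controls.
CSRF_HEADER = "x-requested-with"


def check_request(method: str, headers: Mapping[str, str],
                  allowed_hosts: frozenset) -> Tuple[bool, str]:
    """Return (allowed, reason); header names are compared case-insensitively."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Strip an optional port before matching the virtual host name.
    host = hdrs.get("host", "").split(":")[0].strip().lower()
    if host not in allowed_hosts:
        return False, "unexpected Host"
    if method.upper() not in STATE_CHANGING:
        return True, "safe method, no header required"
    if not hdrs.get(CSRF_HEADER, "").strip():
        return False, "missing custom header"
    return True, "custom header present"


# Constructed sample requests (not captured traffic).
ALLOWED = frozenset({"app.example.test"})
SAMPLES = {
    "cross-site form post": ("POST", {"Host": "app.example.test"}),
    "same-origin xhr": ("POST", {"Host": "app.example.test:8443",
                                  "X-Requested-With": "XMLHttpRequest"}),
    "plain page load": ("GET", {"Host": "app.example.test"}),
    "rogue vhost": ("POST", {"Host": "evil.example.test",
                              "X-Requested-With": "XMLHttpRequest"}),
}


def evaluate_samples() -> dict:
    """Run every sample through the check; used by the demo below."""
    return {name: check_request(m, h, ALLOWED) for name, (m, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_samples().items():
        print(f"{name:22} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The check is deliberately independent of any token store, which is the cost saving the original question was after; what it cannot do is distinguish a header added by the page's own script from one injected through a buggy plugin on the same origin, so the breakage risk the reply mentions remains.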
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________