Re: [Catalyst] Re: CSRF

2008-10-01 Thread Ashley
On Sep 30, 2008, at 11:13 PM, Aristotle Pagaltzis wrote: * Ashley [EMAIL PROTECTED] [2008-09-30 19:30]: If scripting is involved that makes it an XSS attack instead, though. No? No. Yeah, that was unclear. I was talking about our own sites and Cat apps, not the web at large. It was in that

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Ashley
Nope. On Sep 30, 2008, at 11:57 PM, Ashley wrote: Might be pretty simple in Cat stuff. The crux of the POST issue seems that the target site's cookies are still safe from the attacking site's POST. ... Form template: <form action="[% c.request.uri() %]" method="post">[% USE Digest.SHA1 -%]<input

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Moritz Onken
On 01.10.2008 at 08:57, Ashley wrote: On Sep 30, 2008, at 11:13 PM, Aristotle Pagaltzis wrote: * Ashley [EMAIL PROTECTED] [2008-09-30 19:30]: If scripting is involved that makes it an XSS attack instead, though. No? No. Yeah, that was unclear. I was talking about our own sites and Cat

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Tatsuhiko Miyagawa
On Wed, Oct 1, 2008 at 12:19 AM, Ashley [EMAIL PROTECTED] wrote: Form template: <form action="[% c.request.uri() %]" method="post">[% USE Digest.SHA1 -%]<input type="hidden" name="csrf_check" value="[% c.sessionid | sha1_hex %]" /></form> On my personal site I do similar to this, but using jQuery to

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Moritz Onken
On 01.10.2008 at 12:20, Aristotle Pagaltzis wrote: * Moritz Onken [EMAIL PROTECTED] [2008-10-01 09:25]: The best way is to include a random string which has to be stored somewhere for comparison on the server side. Doesn’t have to be stored. Send a random string as well as a HMAC digest of

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Jonathan Rockway
* On Wed, Oct 01 2008, Moritz Onken wrote: I imagine a case where the attacker's site opens an iframe to your site which exploits an XSS issue and can send the whole form information back to the attacker's site. He now has the HMAC and the random string. I was under the impression that you could

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Moritz Onken
On 01.10.2008 at 14:20, Jonathan Rockway wrote: * On Wed, Oct 01 2008, Moritz Onken wrote: I imagine a case where the attacker's site opens an iframe to your site which exploits an XSS issue and can send the whole form information back to the attacker's site. He now has the HMAC and the random

Re: [Catalyst] Re: CSRF

2008-10-01 Thread Moritz Onken
On 01.10.2008 at 16:23, Aristotle Pagaltzis wrote: * Moritz Onken [EMAIL PROTECTED] [2008-10-01 12:55]: but this does still rely on the fact that there is no XSS issue on your page, doesn't it? So what? If your site has an XSS hole, it’s already game over. The attacker can inject

Re: [Catalyst] Re: CSRF (plus session security)

2008-10-01 Thread Bill Moseley
On Wed, Oct 01, 2008 at 12:20:04PM +0200, Aristotle Pagaltzis wrote: * Moritz Onken [EMAIL PROTECTED] [2008-10-01 09:25]: The best way is to include a random string which has to be stored somewhere for comparison on the server side. Doesn’t have to be stored. Send a random string as well