Re: CSRF (Was: XSS evasion)

2006-10-17 Thread Jonathan
Sorry for the OT-ness of this thread--- I spent the better part of the past 2 days trying to do a 1-pass content filtering on XSS attacks-- including Flash. Breaking down every piece of user input 2x wasn't nice on my server load. I liked HTML::TagFilter, but it was making broken tags and I

Re: CSRF (Was: XSS evasion)

2006-10-15 Thread Jonathan Vanasco
On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote: Jonathan Vanasco wrote: can't a lot of this be locked down with http referrers? Until July of this year, checking the Referer was thought to be a pretty good safeguard against CSRF, because an attacker would have to cause a victim to send

Re: CSRF (Was: XSS evasion)

2006-10-09 Thread Chris Shiflett
Jonathan Vanasco wrote: > > Unfortunately, Amit Klein published some research in July that > > demonstrated how to do this with Flash. So, if your users use > > clients that support Flash (which most do), this is not a good > > safeguard. > > Do you have a link to that? http://webappsec.org/lists

Re: CSRF (Was: XSS evasion)

2006-10-06 Thread Jonathan Vanasco
On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote: Until July of this year, checking the Referer was thought to be a pretty good safeguard against CSRF, because an attacker would have to cause a victim to send the right Referer, which isn't so easy. Unfortunately, Amit Klein published some re

CSRF (Was: XSS evasion)

2006-10-06 Thread Chris Shiflett
Jonathan Vanasco wrote: > can't a lot of this be locked down with http referrers? Until July of this year, checking the Referer was thought to be a pretty good safeguard against CSRF, because an attacker would have to cause a victim to send the right Referer, which isn't so easy. Unfortunately, A

CSRF (Was: XSS evasion)

2006-10-06 Thread Chris Shiflett
Clinton Gormley wrote: > Really good article, Chris: > http://shiflett.org/articles/security-corner-dec2004 > > I really like the solution of using tokens. Thanks! :-) It's worth noting that this safeguard is rendered ineffective if you have XSS vulnerabilities, thanks to Ajax. Malicious JavaScr

CSRF (Was: XSS evasion)

2006-10-06 Thread Chris Shiflett
Clinton Gormley wrote: > 3) Instead of serving the image, the server at www.malicious-site.com > issues a 302 HTTP Status code which redirects Joe Bloggs to > http://my.website.com/change_password?new_password=abcde > > So his password gets changed, because this is coming from a live > session, th