On Feb 28, 2008, at 4:56 PM, Wade Preston Shearer wrote:

You defeat the purpose of CSRF by going outside the domain to use the script. CSRF attacks go after already applied authentication by using it against the user (using their security auth to do something malicious).

I wasn't referring to CSRF. I was showing how the shopping cart/MySpace example wasn't a valid reason against using REQUEST as the hacker can fake-post to the shopping cart just as easy as he can fake-get to the shopping cart, both without user interaction.

Sure, a hacker can fake-GET or fake-POST and guess at the credentials. But in a CSRF, the hacker causes the user's browser to do a GET WITH the user's own cookies, which may mean the user is authenticated. Correct me if I'm wrong, but the hacker cannot force the browser to do a POST, WITH the user's cookies for that domain, without user intervention.
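
An added example, not part of the thread or written by anyone on it: a cart handler that does not rely on the request method or on cookies alone, but reads state-changing input only from `$_POST` and requires a session-bound token. The function names, the `csrf` field name and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Create (once per session) the token the site embeds in its cart form. */
function csrf_token(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/**
 * Decide whether a state-changing cart request may proceed.
 * $method stands for $_SERVER['REQUEST_METHOD'], $post for $_POST,
 * $session for $_SESSION. $_REQUEST is deliberately not consulted: it merges
 * GET, POST and (depending on request_order) cookie values, so the handler
 * could not tell a query-string parameter from a form field.
 */
function cart_request_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // a GET carrying the user's cookies never changes state
    }
    $sent     = $post['csrf'] ?? null;
    $expected = $session['csrf'] ?? null;
    if (!is_string($sent) || !is_string($expected) || $expected === '') {
        return false; // cookies alone are not proof the user meant to do this
    }
    return hash_equals($expected, $sent); // constant-time comparison
}

// Constructed demonstration: one session, four incoming requests.
$session = [];
$token   = csrf_token($session);

$cases = [
    'GET with session cookie, no token'  => ['GET',  ['item' => '42']],
    'POST with session cookie, no token' => ['POST', ['item' => '42']],
    'POST with a guessed token'          => ['POST', ['item' => '42', 'csrf' => str_repeat('0', 64)]],
    'POST from the site\'s own form'     => ['POST', ['item' => '42', 'csrf' => $token]],
];

foreach ($cases as $label => [$method, $post]) {
    $verdict = cart_request_allowed($method, $post, $session) ? 'allowed' : 'rejected';
    printf("%-38s %s\n", $label, $verdict);
}
```

Only the last request is allowed; the first three are rejected even though each would arrive with a valid session cookie.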



_______________________________________________

UPHPU mailing list
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net