Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ
- From: "James Landis" <jcl24@xxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ
- Date: Tue, 16 Jan 2007 13:31:43 -0500
Overall, it's a nice overview of the topic. I have the following complaints,
though:
The section on POST is inaccurate when it says that an attack performed
while visiting site A against site B is limited to GET only. An attacker can
construct a form using the POST method on A which posts to B and
automatically submit it using JavaScript. The attacker can also use a Flash
object hoping that the target has an older version of the Flash player
installed or the target site has weaknesses in their crossdomain.xml permissions.
Also, the "what can I do to protect myself" topic is totally defeatist.
Using Firefox, disabling image loading from third-party sites, and using
noscript and flashblock headers can actually defeat a large number of XSRF
attacks. As a user of a site, destroying any active session or
authentication data related to that site and confining browsing to just that
site during the life of the session will also provide totally adequate
protection. Some call this issue "Session Riding" due to the fact that the
attacks ride on existing authentication creds. If you manage those
appropriately, you're safe.
Thanks for publishing this!
-j
On 1/16/07, bugtraq@cgisecurity.net <bugtraq@cgisecurity.net> wrote:
>
> The Cross-site Request Forgery FAQ has been released to address some of
> the common
> questions and misconceptions regarding this commonly misunderstood web
> flaw.
>
> URL: The Cross-site Request Forgery FAQ
> http://www.cgisecurity.com/articles/csrf-faq.shtml
>
>
> Regards,
>
> - Robert
> admin_@_cgisecurity_com
> http://www.cgisecurity.com/
> http://www.qasec.com/
> http://www.webappsec.org/
>
>
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>