Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ
- From: bugtraq@xxxxxxxxxxxxxxx
- Subject: Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ
- Date: Tue, 16 Jan 2007 13:45:05 -0500 (EST)
> Overall, it's a nice overview of the topic. I have the following complaints,
> though:
>
> The section on POST is inaccurate when it says that an attack performed
> while visiting site A against site B is limited to GET only. An attacker can
> construct a form using the POST method on A which posts to B and
For some reason this obvious use case slipped my mind. Shortly before receiving your email I updated this document.
Stupid mistake on my part.
> Also, the "what can I do to protect myself" topic is totally defeatist.
> Using Firefox, disabling image loading from third-party sites, and using
> noscript and flashblock headers can actually defeat a large number of XSRF
> attacks. As a user of a site, destroying any active session or
The problem is that CSRF can still be performed through various methods other than through your web browser
as outlined under "Is this vulnerability limited to browsers?"
- Robert
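Because a form on site A can POST to site B, user-side measures (blocking third-party images, NoScript, FlashBlock) cannot stop every request; the check that actually defeats a forged POST runs on B. The following is an added example and not code from the FAQ or from this thread; the function names and the origin `https://b.example` are assumptions.

```python
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit

# Constructed value: the origin of the site being protected (site "B").
TRUSTED_ORIGIN = "https://b.example"


def generate_csrf_token(session: dict) -> str:
    """Mint a random per-session token and keep it server-side (hypothetical helper)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _same_site(origin_value: str) -> bool:
    """Compare scheme and host exactly, so 'https://b.example.evil' does not pass."""
    parts = urlsplit(origin_value)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def is_trusted_post(session: Mapping[str, str], form: Mapping[str, str],
                    headers: Mapping[str, str]) -> bool:
    """Accept a POST only if it carries the session's own CSRF token.

    A form hosted on site A can submit to us, but it cannot read the token
    tied to the victim's session here, so the comparison fails. Origin /
    Referer is used as a second, independent signal when the browser sends it.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not _same_site(origin):
        return False
    return True


if __name__ == "__main__":
    sess = {}
    tok = generate_csrf_token(sess)
    print(is_trusted_post(sess, {"csrf_token": tok}, {"Origin": "https://b.example"}))  # True
    print(is_trusted_post(sess, {}, {"Origin": "https://a.example"}))                  # False
```

A POST from site A arrives with no usable token (the form author never had it) and, when the browser sets it, an Origin of A, so it is rejected twice over; the user's browser configuration plays no part.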
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org