
Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ



>  URL: The Cross-site Request Forgery FAQ 
>  http://www.cgisecurity.com/articles/csrf-faq.shtml 
>   
Uhmm, this FAQ is simply wrong in many points.


      > Can applications using only POST be vulnerable?

Of course they can, because plain JavaScript can POST forms to whatever
address you want.
The whole same-page AJAX, browser component stuff has nothing to do with
XSRF. These attacks are Cross Site Scripting Attacks that remote control
the browser.
These are not CROSS SITE REQUEST FORGERY. CSRF Attacks are only those
that directly issue attacks against a site, without exploiting the same
origin policy.


      > Can CSRF be prevented by implementing referrer checking?


XMLHTTP is not the reason for referrer checking being useless, because
XMLHTTP can only be used in XSS situations, and in that case you do not
need XMLHTTP to fake referrers. You can do the same with IFRAMEs.


      > What can I do to protect my own applications?

In these days of MHTML and Flash crossdomain nonsense, tokens are not really a
protection anymore. If an application wants to be CSRF safe, it has to
use (i)TAN, CAPTCHA, verification emails or similar techniques. Or
simply ask the user for his password for every form he posts. (Of course
with password fields that cannot be saved in the browser.)

Stefan Esser


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
