Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ
- From: bugtraq@xxxxxxxxxxxxxxx
- Subject: Re: [WEB SECURITY] Announcement: The Cross-site Request Forgery FAQ
- Date: Tue, 16 Jan 2007 13:53:53 -0500 (EST)
> > Can applications using only POST be vulnerable?
>
> Of course they can, because plain JavaScript can POST forms to whatever
> address you want.
I replied to another email pointing this out as well. Again, stupid mistake on my part :)
> > What can I do to protect my own applications?
>
> In days of MHTML and FLASH cross-domain nonsense, tokens are not really a
> protection anymore. If an application wants to be CSRF safe, it has to
> use (i)TAN, CAPTCHA, verification emails or similar techniques. Or
> simply ask the user for his password for every form he posts. (Of course
> with password fields that cannot be saved in the browser.)
If you provide the user with a token that changes on a per-request basis and expires after being used,
how can this be defeated? Prompting the user per action would also halt this action and has been added to the document
as an additional solution.
Thanks for the feedback.
- Robert
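To make the per-request, single-use token idea from the reply above concrete, here is an added Python example (it is not code from the thread or from the FAQ being announced). It assumes a constructed in-memory token store keyed by session id and simulated request dictionaries standing in for a real framework's request object; the session cookie is what the browser attaches automatically, while the token must travel in the form body. The demo checks that a replayed token, a missing token, an expired token, and a token issued to a different session are all refused.

```python
import secrets
import time


class CsrfTokenStore:
    """Server-side store of single-use CSRF tokens, scoped to a session.

    Each token is bound to the session that requested the form, has a
    lifetime, and is deleted the first time it is validated, so a captured
    or replayed token cannot be used for a second request.
    """

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock           # injectable for deterministic tests
        self._tokens = {}             # (session_id, token) -> expiry timestamp

    def issue(self, session_id):
        """Mint a fresh random token for this session (embed it in the form)."""
        token = secrets.token_urlsafe(32)
        self._tokens[(session_id, token)] = self._clock() + self._ttl
        return token

    def consume(self, session_id, token):
        """Validate and invalidate: True only for a live token presented once."""
        if not token:
            return False
        # pop() removes the entry whether or not it is still valid, which is
        # what makes the token single-use.
        expiry = self._tokens.pop((session_id, token), None)
        if expiry is None:
            return False
        return self._clock() <= expiry


def handle_transfer(store, request):
    """Simulated POST handler for a state-changing action.

    The session id comes from the cookie (sent by the browser on any
    request, including cross-site ones); the CSRF token must come from
    the form body, which a cross-site page cannot read from our pages.
    Returns an (http_status, message) pair.
    """
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "no session"
    if not store.consume(session_id, request["form"].get("csrf_token")):
        return 403, "csrf check failed"
    return 200, "transfer accepted"


def demo():
    """Run the scenarios above against a constructed store; returns status codes."""
    fake_clock = [1000.0]
    store = CsrfTokenStore(ttl_seconds=60, clock=lambda: fake_clock[0])
    session = "sess-abc"  # constructed session id
    results = {}

    # 1. The user's own form submission carries a freshly issued token.
    token = store.issue(session)
    legit = {"cookies": {"session": session},
             "form": {"csrf_token": token, "to": "bob", "amount": "10"}}
    results["legit"] = handle_transfer(store, legit)[0]

    # 2. The very same request submitted again: token already consumed.
    results["replay"] = handle_transfer(store, legit)[0]

    # 3. A cross-site submission: cookie attached by the browser, no token.
    forged = {"cookies": {"session": session},
              "form": {"to": "mallory", "amount": "10"}}
    results["forged_no_token"] = handle_transfer(store, forged)[0]

    # 4. A valid token presented after its lifetime has elapsed.
    token2 = store.issue(session)
    fake_clock[0] += 120
    expired = {"cookies": {"session": session}, "form": {"csrf_token": token2}}
    results["expired"] = handle_transfer(store, expired)[0]

    # 5. A token minted for a different session is not accepted here.
    other = store.issue("sess-other")
    cross = {"cookies": {"session": session}, "form": {"csrf_token": other}}
    results["wrong_session"] = handle_transfer(store, cross)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session is what defeats the last case: a token an attacker obtains for their own account is worthless against a victim's session. In a real deployment the store would live in the session backend rather than a process-local dict, and the token would be placed in a hidden form field or a custom request header, never in a cookie.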
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org