
[WEB SECURITY] Re: Suggestions for the CSRF FAQ



On 1/28/07, bugtraq@xxxxxxxxxxxxxxx <bugtraq@xxxxxxxxxxxxxxx> wrote:
> You also need to consider sites not requiring you to login to use certain site functionality. Example 'email a friend',
> filling out a contact form, posting to a bbs or forum. Not all sites will require you to be authed to perform these functions
> which is why I say there is no generic solution.

How much of an advantage does CSRF offer an attacker for such applications? If the browser hasn't authenticated to the site, the attacker could just send the requests themselves. Actually, the attacker does get some advantage from CSRF in such respects: they get to send HTTP requests from the user's IP address instead of their own. That could matter particularly when the user is on a trusted intranet.

> I referenced IsecPartners' paper on the various session/token methods since they have the tradeoffs
> already.

Ah ha. I should have followed the links from your doc.

Cheers,
Brian

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
