
Re: [WEB SECURITY] Re: Suggestions for the CSRF FAQ



> > You also need to consider sites not requiring you to login to use certain site functionality. Example 'email a friend',
> > filling out a contact form, posting to a bbs or forum. Not all sites will require you to be authed to perform these functions
> > which is why I say there is no generic solution.
> 
> How much of an advantage does CSRF offer an attacker for such
> applications?  If the browser hasn't authenticated to the site, the
> attacker could just send the requests themselves.  Actually, the
> attacker does get some advantage from CSRF in such respects: they get
> to send HTTP requests from the user's IP address instead of their own.

Exactly.


>  That could matter particularly when the user is on a trusted
> intranet.
> 
> > I referenced the IsecPartners paper on the various session/token methods since they have the tradeoffs
> > already.
> 
> Ah ha.  I should have followed the links from your doc.


:)

- Robert
http://www.cgisecurity.com/ Application Security news, and more
http://www.cgisecurity.com/index.rss [Subscribe]

> Cheers,
> Brian
> 


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
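One way to give a form that needs no login (the "contact us" case discussed above) the same token protection as an authenticated one, by binding the token to an anonymous session cookie so a cross-site POST from the user's browser is rejected. This is an added example, not code from the list posts or from the iSecPartners paper; the secret, host name and handler shape are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed server-side secret for the demo; a real deployment loads it from config.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"


def issue_anonymous_session() -> str:
    """Every visitor, logged in or not, gets a random session cookie value."""
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id: str) -> str:
    """Stateless token: HMAC of the session id, so the server stores nothing per form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_trusted_origin(headers: dict, site_host: str) -> bool:
    """Defence in depth: if Origin (or Referer) is present, it must name this site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return True  # absent header: rely on the token check alone
    return urlparse(src).hostname == site_host


def handle_contact_form(cookies: dict, form: dict, headers: dict,
                        site_host: str = "www.example.org") -> tuple:
    """Return (status, reason) for a POST to the public contact form."""
    session_id = cookies.get("sid")
    if not session_id:
        # A forged cross-site POST carries the cookie, but a forged request from a
        # browser that never loaded the form has no session to bind the token to.
        return 403, "no session cookie"
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or does not match session"
    if not is_trusted_origin(headers, site_host):
        return 403, "cross-site origin"
    return 200, "message accepted"
```

The token is emitted in the form's hidden field when the page is rendered; an attacker's page cannot read it because it is bound to a cookie only this site's pages can see.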


