
RE: [WEB SECURITY] Defeating nonce/token based CSRF protection




In re.: "It is very possible to get through this protection
unless you deploy security with multiple layers of depth."

Such as...?  Once a phishing victim has mistaken www.evil.com for a trusted
application and logged in, the game is over.  There is no fancy token or
framework that can alter that fact.

- Eric

-----Original Message-----
From: Mike Duncan [mailto:Mike.Duncan@noaa.gov] 
Sent: Thursday, April 17, 2008 1:40 PM
To: Eric Rachner
Cc: 'Ory Segal'; 'Jeroen van Dongen'; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Defeating nonce/token based CSRF protection


Phishing is only the mechanism to get the user on the site. We are
"luring" them to the evil.com site.

My point is that evil.com code could actually scrape the actual.com site
and get the contents, including the token we are discussing. Once the
user is tricked into thinking the site is legit, he/she will log in and
the request is only relayed to the actual.com site via the code behind.

USER <==> EVIL.COM <==> ACTUAL.COM

Evil.com will get all the credentials and unless there is some sort of
client authentication, as Hong pointed out, the server will probably
allow it.

We are simply pointing out a weakness with token-based authentication
mechanisms. It is not that I am not agreeing with you that we are
incorporating a lot of attacks here though. I am only agreeing with the
author of the thread. It is very possible to get through this protection
unless you deploy security with multiple layers of depth.


Eric Rachner wrote:
> Mike,
> 
> As far as I can tell, the scenario you describe is one where:
> 
> a) the victim navigates to www.evil.com
> b) www.evil.com displays somebody else's content
> c) the attack is successful when the victim is duped into
>    logging in to the app via www.evil.com
> 
> Don't we have a word for that already?  (phishing)
> 
> -----Original Message-----
> From: Mike Duncan [mailto:Mike.Duncan@noaa.gov] 
> Sent: Thursday, April 17, 2008 12:57 PM
> To: Ory Segal
> Cc: Jeroen van Dongen; websecurity@webappsec.org
> Subject: Re: [WEB SECURITY] Defeating nonce/token based CSRF protection
> 
> 
> Ory Segal wrote:
>> Hi,
>>
>> CSRF attacks usually take place when the victim is lured to some
>> malicious site, and then presented with HTML that causes an automated
>> request to be sent by the browser, for example using SCRIPT, or IMG
>> tags. In both cases, the browser will not allow the attacker to see the
>> responses, so he/she cannot parse them and extract the nonce as you
>> described.
> 
> They may not only have HTML, but code which executes without the user's
> knowledge. It is not out of scope to realize something like this...
> 
> * I send an email which tells users to go to a website and log in for
> some reason.
> 
> * User goes to website.
> 
> * PHP code connects to actual site and gets token and even repeats page
> contents as-is from actual site. Someone could do this using cURL.
> 
> * When the user logs in, we capture the information and perform a login
> request using the token downloaded in the request to the actual site. If
> the user/pass given is correct, we store this.
> 
> In this, the PHP code is actually the client logging in -- not the user.
> Kinda like a code-in-the-middle attack. And the framework, server code,
> whatever is on the server would/could not know the difference. We look
> like a normal client/user.
> 
> I have wondered about this scenario before, as has the author of this
> thread. I would wonder how a framework could prevent this actually. Any
> ideas?
> 
>> The only possible way to do this is by using XMLHttpRequest, and that
>> is only possible if you are operating in the same domain. A good real
>> world example for this was the SAMY worm, which originated from the
>> MySpace domain, and attacked its own users in the MySpace domain.
> 
> You are right about the limitations of the XmlHttpRequest, but I think
> what the author and I are trying to get at is beyond this. CSRF is a
> request on behalf of the actual user/site and can be performed countless
> ways.
> 
>> -Ory Segal
>>
>>
>>
>>
>> From: 	"Jeroen van Dongen" <jeroen@jkwadraat.net>
>> To: 	websecurity@webappsec.org
>> Date: 	17/04/2008 06:59 PM
>> Subject: 	[WEB SECURITY] Defeating nonce/token based CSRF protection
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>>
>> Dear,
>>
>> I'm currently reading up on CSRF defenses and a highly recommended
>> approach is to include a session-bound (or data-set bound) token in
>> forms and/or URLs.
>>
>> At various places it is described as a "robust" and "nearly impossible
>> to beat" way to defend against CSRF. However, it seems to me that it
>> is (conceptually) easily beaten. Perhaps I'm wrong (hope so), but
>> let's have a go ...
>>
>> The basis of this defensive technique is that the nonce a) cannot be
>> guessed by the attacker and b) is not automatically sent by the
>> browser upon request (as opposed to cookies etc.).
>> However, the nonce IS sent by the server to the client upon receiving
>> a valid request. THE problem with CSRF is that the attacker is able to
>> make VALID requests to the server, impersonating the real user,
>> because the browser will happily send every required cookie,
>> authorization header etc. along.
>>
>> So if that is the case, what's to stop an attacker from first
>> requesting the target form with a GET and then submitting the form
>> with any desired values (including the freshly server-supplied and
>> thus valid nonce) just like the user would do? Perhaps implemented as
>> a flash banner running on the attacker's site?
>>
>>
>> Interesting references in this case:
>> [1] http://www.xml.com/pub/a/2006/06/28/flashxmlhttprequest-proxy-to-the-rescue.html
>> [2] http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
>> [3] http://blogs.zdnet.com/security/?p=946
>>
>> Regards,
>> Jeroen
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>>
> 
> --
> Mike Duncan
> ISSO, Application Security Specialist
> Government Contractor with STG, Inc.
> NOAA :: National Climatic Data Center
> 151 Patton Ave.
> Asheville, NC 28801-5001
> mike.duncan@noaa.gov
> 828.271.4289
> 
> 
> 

--
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
151 Patton Ave.
Asheville, NC 28801-5001
mike.duncan@noaa.gov
828.271.4289
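As an added illustration (not code from any poster in this thread), the session-bound token Jeroen describes, in Python: the token is an HMAC over the session id, so a token obtained by GETting the form from the attacker's own client (as in Mike's cURL/PHP scenario) is bound to the attacker's session and fails when replayed against the victim's cookie, while a blind cross-site request carries no token at all. Session ids and form fields are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Server-side secret, generated per process here for the example only.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Mint the CSRF token embedded in forms served to this session.
    Binding it to the session id is what makes a token harvested in
    some other session useless."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted) -> bool:
    """Compare the token from the POST body against the one that belongs
    to the session named by the request's cookie (constant time)."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = issue_token(session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_post(cookie_session_id: str, form_fields: dict) -> str:
    """Minimal state-changing endpoint: the cookie identifies the session,
    the form must carry that session's token (synchronizer token pattern)."""
    if not verify_token(cookie_session_id, form_fields.get("csrf_token")):
        return "403 rejected"
    return "200 applied"


def demo():
    victim_session = "sess-victim-" + secrets.token_hex(4)      # constructed
    attacker_session = "sess-attacker-" + secrets.token_hex(4)  # constructed

    # 1. The victim's browser submits the form it was actually served.
    legit = handle_post(victim_session,
                        {"csrf_token": issue_token(victim_session), "amount": "10"})

    # 2. Classic CSRF via IMG/SCRIPT/auto-submitted form from evil.com: the
    #    victim's cookie rides along, but the token cannot, because the
    #    same-origin policy kept evil.com from reading the page holding it.
    blind = handle_post(victim_session, {"amount": "10"})

    # 3. Jeroen's question: the attacker GETs the form first (e.g. with cURL).
    #    That GET runs in the attacker's own session, so the token it yields is
    #    bound to attacker_session and is rejected with the victim's cookie.
    harvested = handle_post(victim_session,
                            {"csrf_token": issue_token(attacker_session), "amount": "10"})
    return legit, blind, harvested
```

What the code cannot show is Mike's full proxy case, where the attacker's code is itself the legitimate session owner; as Eric notes, that is phishing and no form token distinguishes it from a normal client.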








Brought to you by http://www.webappsec.org