
CSRF (Was: XSS evasion)


Jonathan Vanasco wrote:
> can't a lot of this be locked down with http referrers?

Until July of this year, checking the Referer was thought to be a pretty
good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.

Unfortunately, Amit Klein published some research in July that
demonstrated how to do this with Flash. So, if your users use clients
that support Flash (which most do), this is not a good safeguard.

Chris

-- 
Chris Shiflett
http://shiflett.org/
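As an added example that is not part of this thread: a Referer-only check placed beside a session-bound synchronizer token check, run over constructed requests, showing that a request whose Referer looks correct still fails the token check when the token is missing. The site origin, server secret and session id are assumed values.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical site and server secret (constructed for this example).
SITE_ORIGIN = "https://app.example"
SERVER_SECRET = b"constructed-secret-replace-in-production"


def referer_check(headers: dict) -> bool:
    """Referer-only check: trusts whatever the client sends in the header."""
    parsed = urlparse(headers.get("Referer", ""))
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; the server embeds it in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(session_id: str, form_fields: dict) -> bool:
    """Token check: a cross-site page cannot read the victim's token, so it cannot supply it."""
    submitted = form_fields.get("csrf_token", "")
    return hmac.compare_digest(submitted, issue_csrf_token(session_id))


def classify(session_id: str, headers: dict, form_fields: dict) -> dict:
    """Return the verdict of each check so the two can be compared side by side."""
    return {
        "referer_ok": referer_check(headers),
        "token_ok": token_check(session_id, form_fields),
    }


# Constructed sample requests for one victim session.
SESSION = "sess-1234"
LEGIT = classify(
    SESSION,
    {"Referer": f"{SITE_ORIGIN}/transfer"},
    {"amount": "10", "csrf_token": issue_csrf_token(SESSION)},
)
# Cross-site request whose Referer has been made to look right (the case the thread describes):
# the Referer check is satisfied, the token check is not.
FORGED = classify(
    SESSION,
    {"Referer": f"{SITE_ORIGIN}/transfer"},
    {"amount": "10"},
)
```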

