Re: CSRF (Was: XSS evasion)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CSRF (Was: XSS evasion)

Subject: Re: CSRF (Was: XSS evasion)
Date: Fri, 6 Oct 2006 17:47:21 -0400
From: Jonathan Vanasco <suppressed>


On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote:

Until July of this year, checking the Referer was thought to be apretty

good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.

Unfortunately, Amit Klein published some research in July that
demonstrated how to do this with Flash. So, if your users use clients
that support Flash (which most do), this is not a good safeguard.


Do you have a link to that?

A friend was having issues with flash & referrers recently. I thinkeveryone but safari may have stripped it out.

References:
- XSS evasion
  - From: Clinton Gormley
- Re: XSS evasion
  - From: tomas
- Re: XSS evasion
  - From: Clinton Gormley
- Re: XSS evasion
  - From: tomas
- Re: XSS evasion
  - From: Jonathan Vanasco
- CSRF (Was: XSS evasion)
  - From: Chris Shiflett

Prev by Date: CSRF (Was: XSS evasion)
Next by Date: what's the best way to share variables between main script and template files
Previous by thread: CSRF (Was: XSS evasion)
Next by thread: CSRF (Was: XSS evasion)
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.