Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 34, Issue 31
From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Wed, 12 Dec 2007 23:41:57 -0800
On Dec 12, 2007 9:01 PM, "Andrew A" <gluttony () gmail com> wrote:
> Actually, the suggested prevention tactic is to create a post variable in your form of type "hidden" with a securely generated one-time ticket that an attacker would not be able to scrape without performing an xmlhttp call, therefore signalling a (real) security problem with the app in question. Requiring the user to re-input their login credentials for every database write would be absolutely ridiculous from both a design and security perspective. But then again, you must know all this with your extensive experience in web app security and development.
Yeah dude, we would call that a nonce. Your definition is fine too though...

--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
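The mechanism the two posters are describing (a hidden form field carrying a securely generated one-time token, checked server-side before any state-changing write) is shown below as an added example. It is not code from either poster or from any project; the function names, the in-memory per-session token store and the session identifiers are assumptions made for the example. The validation step compares in constant time, binds the token to the session that was issued it, and discards it on first use, so a cross-site form post (which carries no token) and a replay of an already-consumed token are both refused.

```python
import hmac
import html
import secrets
from typing import Dict, Set, Tuple

# Per-session store of outstanding one-time tokens. Constructed stand-in
# for a real session backend (hypothetical, kept in memory for the example).
_issued: Dict[str, Set[str]] = {}


def issue_token(session_id: str) -> str:
    """Mint a fresh, unguessable one-time token bound to the caller's session."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _issued.setdefault(session_id, set()).add(token)
    return token


def hidden_field(token: str) -> str:
    """Render the token as the hidden form input the form will post back."""
    return '<input type="hidden" name="csrf_token" value="%s">' % html.escape(token, quote=True)


def consume_token(session_id: str, submitted: str) -> bool:
    """Accept a submitted token only if it is outstanding for this session.

    The comparison is constant-time, and a token that matches is removed so it
    cannot be replayed.
    """
    if not submitted:
        return False
    outstanding = _issued.get(session_id, set())
    for tok in outstanding:
        if hmac.compare_digest(tok, submitted):
            outstanding.discard(tok)
            return True
    return False


def handle_write(session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical state-changing handler: refuse the write unless the token checks out."""
    if not consume_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: wrote %r" % form.get("data", "")


def demo() -> Tuple[str, str, str, str]:
    """Walk through the cases a defender cares about, using constructed session ids."""
    sid = "session-abc"  # constructed session id
    tok = issue_token(sid)
    print(hidden_field(tok))  # what the legitimate form would embed
    first = handle_write(sid, {"csrf_token": tok, "data": "hello"})   # genuine submission
    replay = handle_write(sid, {"csrf_token": tok, "data": "again"})  # same token reused
    forged = handle_write(sid, {"data": "x"})                         # cross-site post, no token
    other = handle_write("session-xyz", {"csrf_token": issue_token(sid), "data": "y"})  # wrong session
    return first, replay, forged, other


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first submission in `demo()` succeeds; the replay, the token-less post and the token presented from a different session all get the 403. A real deployment would keep the store in the session backend rather than a module-level dict and would expire unused tokens, but the checks themselves are the ones that matter.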