funsec mailing list archives

Re: Cross Site Request Forgery ?


From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 08 Jan 2006 17:03:15 +0100

* Gadi Evron:

> I haven't seen this discussed before, but that may just be me.

The problem has been known since 1997 at least, and has been described
in RFC 2109 (section 4.3.5).  But browser vendors have ignored the
problem.  Today, cross-site requests are at the heart of web-based
single-sign-on solutions, for example.  There is no way that these
things are going to be fixed on the browser side, I'm afraid.

> Can anyone suggest how vulnerable nowadays pages probably
> are/aren't?

"Everything is vulnerable" is a reasonable approximation.  Notable
exceptions are Serendipity (blogging software; AFAIK they have made
some effort to fix it) and some German online banking sites (because
they require one-time passwords for all state-changing transactions).

The web application monoculture has its revenge, I'm afraid.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
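The following is an added example and is not part of Florian Weimer's message or of any software it mentions. It models, in Python, the two server-side patterns the reply contrasts: a state-changing handler that trusts only the session cookie (which the browser attaches to a request addressed to that origin no matter which site caused the request), and one that, like the banking sites he describes, also demands a one-time token issued per transaction. The toy application, its in-memory session store, the cookie name `sid`, the cookie value `sid-1234` and every function name are constructed for this illustration and correspond to no real framework API.

```python
import secrets

COOKIE_NAME = "sid"  # constructed: the session cookie name of this toy app


def new_sessions():
    """Constructed server-side session store: one logged-in user, Alice, whose
    browser holds the cookie sid=sid-1234. 'pending_tokens' holds the unused
    per-transaction tokens of the protected flow."""
    return {"sid-1234": {"user": "alice", "balance": 500, "pending_tokens": set()}}


def session_for(sessions, cookie_header):
    """Look the session up from a Cookie header such as 'sid=sid-1234; theme=dark'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return sessions.get(value)
    return None


def issue_transaction_token(sessions, cookie_header):
    """Protected flow, step 1: when the user's own browser loads the transfer
    form, mint a random single-use token bound to that session. A page on
    another origin never receives this response body, so it cannot learn
    the token even though it can make the browser send the cookie."""
    session = session_for(sessions, cookie_header)
    if session is None:
        return None
    token = secrets.token_urlsafe(16)
    session["pending_tokens"].add(token)
    return token


def transfer_cookie_only(sessions, request):
    """Vulnerable pattern: the only check is 'does a valid session cookie
    arrive with the request?'. Returns an HTTP-style status code."""
    session = session_for(sessions, request.get("cookie", ""))
    if session is None:
        return 401
    session["balance"] -= int(request["form"]["amount"])
    return 200


def transfer_with_token(sessions, request):
    """Hardened pattern: additionally require an unused token belonging to
    this session and consume it, so each token authorizes exactly one
    state-changing transaction."""
    session = session_for(sessions, request.get("cookie", ""))
    if session is None:
        return 401
    token = request["form"].get("otp", "")
    if token not in session["pending_tokens"]:
        return 403  # missing token, guessed token, or token already spent
    session["pending_tokens"].remove(token)
    session["balance"] -= int(request["form"]["amount"])
    return 200


def cross_site_request(amount):
    """Constructed: what a cross-site request looks like when it arrives.
    The form body was composed by some other site; the browser attached
    Alice's cookie because the request is addressed to this origin."""
    return {"cookie": f"{COOKIE_NAME}=sid-1234", "form": {"amount": str(amount)}}


def demo():
    """Run both handlers against the same cross-site request, then run the
    protected handler against a legitimate request and a replay of it."""
    vulnerable = new_sessions()
    cookie_only = transfer_cookie_only(vulnerable, cross_site_request(50))

    protected = new_sessions()
    no_token = transfer_with_token(protected, cross_site_request(50))
    token = issue_transaction_token(protected, f"{COOKIE_NAME}=sid-1234")
    legit = {"cookie": f"{COOKIE_NAME}=sid-1234",
             "form": {"amount": "10", "otp": token}}
    with_token = transfer_with_token(protected, legit)
    replayed = transfer_with_token(protected, legit)  # same token sent twice

    return {
        "cookie_only": cookie_only,                                # 200
        "cookie_only_balance": vulnerable["sid-1234"]["balance"],  # 450
        "no_token": no_token,                                      # 403
        "with_token": with_token,                                  # 200
        "replayed_token": replayed,                                # 403
        "protected_balance": protected["sid-1234"]["balance"],     # 490
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the reply makes is visible in `demo()`: the cookie-only handler cannot tell a cross-site request from a genuine one, because the cookie is identical in both, while the token-checking handler rejects the same request and also rejects a second use of a token that was valid once. A per-session token (the common synchronizer-token pattern) gives the first property; the per-transaction token modelled by `pending_tokens` is the stronger one-time-password scheme the banking sites in the reply rely on.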

