funsec mailing list archives
Re: Cross Site Request Forgery ?
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 08 Jan 2006 17:03:15 +0100
* Gadi Evron:
> I haven't seen this discussed before, but that may just be me.
The problem has been known since 1997 at least, and has been described in RFC 2109 (section 4.3.5). But browser vendors have ignored the problem. Today, cross-site requests are at the heart of web-based single-sign-on solutions, for example. There is no way that these things are going to be fixed on the browser side, I'm afraid.
> Can anyone suggest how vulnerable nowadays pages probably are/aren't?
"Everything is vulnerable" is a reasonable approximation. Notable exceptions are Serendipity (a blogging software, AFAIK they have made some effort to fix it) and some German online banking sites (because they require one-time passwords for all state-changing transactions). The web application monoculture has its revenge, I'm afraid.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
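The banking-site defence Florian mentions (a one-time value required for every state-changing transaction) generalises to a server-minted, single-use token that the cross-site attacker never sees even though the victim's cookie is sent automatically. The following is an added illustration, not code from this thread or from any product named in it; the in-memory session store, the `transfer` handler and the request dicts are constructed stand-ins for a real framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> set of not-yet-used tokens.
SESSIONS = {}


def new_session():
    """Create a session as the login step would; the id goes into a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = set()
    return sid


def issue_token(sid):
    """Mint a fresh single-use token and remember it; the server embeds it
    in the form it serves, so only a page fetched in this session has it."""
    tok = secrets.token_urlsafe(16)
    SESSIONS[sid].add(tok)
    return tok


def transfer(request):
    """State-changing handler. Returns (http_status, message)."""
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    supplied = request.get("form", {}).get("csrf_token", "").encode()
    unused = SESSIONS[sid]
    # Constant-time comparison against each outstanding token for this session.
    match = next((t for t in unused if hmac.compare_digest(t.encode(), supplied)), None)
    if match is None:
        return 403, "missing or invalid one-time token"
    unused.discard(match)  # single use: a replay of the same token is refused
    return 200, "transferred " + request["form"]["amount"]


def demo():
    """Forged cross-site POST, the genuine form submission, then a replay."""
    sid = new_session()
    tok = issue_token(sid)
    cookie = {"session": sid}
    # The browser attaches the session cookie to both requests; only the
    # genuine one carries the token that was embedded in the served form.
    forged = {"cookies": cookie, "form": {"amount": "9999"}}
    legit = {"cookies": cookie, "form": {"csrf_token": tok, "amount": "10"}}
    return transfer(forged), transfer(legit), transfer(legit)
```

The third result shows why the token must be single-use rather than a static per-session secret: once spent, resubmitting the same form is rejected.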