WebApp Sec mailing list archives
Re: IE cookie menagment and CSRF
From: Saqib.N.Ali () seagate com
Date: Fri, 20 Aug 2004 21:01:22 -0700
Hello, I think I.E. by default DOES NOT allow modifying 3rd party cookie (i.e cookies from other sites). But you can check this setting on your browser by going in to I.E. -> Tools -> Internet Options -> Privacy (TAB) -> Advance (Button) While POST is a good way of protecting form, but it does not guarantee that your form is secure. Thanks. Saqib Ali http://validate.sf.net lazy <lazy () gwsh gda pl> wrote on 08/20/2004 07:04:25 AM:
Hi All, Recently while toying with CSRF XSS I found out that when I place sth.
like
<img src=”domainB/logout.php”> on domainA IE(6.0.2800.1106.xpsp2.030422-1633) sends cookies from siteB. and Mozilla 1.7.2 don't. Thins means that some web page on domainA can force any GET request as previously authorized user on domainB. (imaginary scenario) 1)user logs on e-bay 2)wants to buy a book from attacker 3)attacker makes a webpage „See what I sell on ebay” with <img src=”http://ebay.com/bid.cgi?item=34345&price=99999”> and links it to the auction 4)when user views his page he not wilingly bids 999999$ on an item I think that Mozilla does right not sending cookies because domains of the cookies should apply to originating html document if it's an image not a link. Am i right ? What do You thing about it ? Is it a bug or it's ok and we should use only POST methods for important forms? -- Lazy
Current thread:
- IE cookie menagment and CSRF lazy (Aug 20)
- Re: IE cookie menagment and CSRF Saqib . N . Ali (Aug 21)
- Re: IE cookie menagment and CSRF lazy (Aug 21)
- Re: IE cookie menagment and CSRF Saqib . N . Ali (Aug 22)
- Re: IE cookie menagment and CSRF lazy (Aug 21)
- Message not available
- Re: IE cookie menagment and CSRF lazy (Aug 22)
- Re: IE cookie menagment and CSRF Finite (Aug 22)
- Re: IE cookie menagment and CSRF lazy (Aug 22)
- Re: IE cookie menagment and CSRF Saqib . N . Ali (Aug 21)