WebApp Sec mailing list archives

RE: Blind cross-domain POST/GET requests


From: Andrew Moise <chops () demiurgestudios com>
Date: Wed, 01 Dec 2004 15:41:43 -0500

On Wed, 2004-12-01 at 14:18 -0500, Scovetta, Michael V wrote:
Unless I'm missing something, which is quite possible...

  I think you are :-).  It's pretty trivial to get your victim to load a
particular URL; I don't think of allowing <img src="foo"> as an XSS
vulnerability.  However, if "foo" is a URL which has side effects, then
your victim will access the script and cause those side effects, with
any cookies/certificates/whatever authentication tokens they have.
Basically, it seems like any URL which causes side effects, and which is
accessed via predictable syntax, is vulnerable to an attacker causing
requests that appear to come from a different person, regardless of any
authentication the script uses outside the URL parameters themselves.
  I had never heard of this either; it sounds like this class of
vulnerability is incredibly widespread.  I see from that other post that
it's called CSRF.  Just to be clear, the common solution is for _every_
web-accessible script that causes abusable side effects to read and
check a validation parameter (HMAC, session ID, or whatever) that won't
be forgeable by an attacker (regardless of what access control it uses
outside the GET/POST parameters), right?

-- 
Andrew Moise <chops () demiurgestudios com>

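The check the message describes, shown as an added example that is not part of the original post or of any code the poster had: the side-effecting handler keeps its cookie-based authentication but also requires a token derived with a server-side HMAC key from the caller's session and the action, so an attacker who can make the victim's browser fetch a predictable URL (with the victim's cookie attached) still cannot supply the right value. The endpoint names, session IDs and parameters below are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret: generated once at deploy time and never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str, action: str) -> str:
    """Derive a per-session, per-action token: HMAC-SHA256(SERVER_KEY, session_id || action).

    The attacker can make the victim's browser send the victim's cookie, but cannot
    compute this value without SERVER_KEY, so it cannot appear in a forged URL.
    """
    msg = session_id.encode() + b"\x00" + action.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_request(cookie_session: str, action: str, params: dict) -> str:
    """Simulated side-effecting endpoint (e.g. a money transfer).

    Authentication is still by the session cookie, exactly as a script that relies on
    ambient credentials would do; the token check is the extra step. The same check
    applies whether the parameters arrived by GET or POST.
    """
    token = params.get("token")
    if token is None:
        return "rejected: missing token"
    expected = csrf_token(cookie_session, action)
    # Constant-time comparison so a timing side channel does not leak the token.
    if not hmac.compare_digest(token, expected):
        return "rejected: bad token"
    return f"ok: {action} to {params.get('to')} amount {params.get('amount')}"


def simulate() -> dict:
    """Constructed scenario: a victim and an attacker each hold their own session."""
    victim_session = "sess-victim-4f2a"
    attacker_session = "sess-attacker-9c1b"
    results = {}

    # 1. Attacker's page embeds <img src="/transfer?to=attacker&amount=500">.
    #    The victim's browser sends the victim's cookie, but no token is present.
    results["forged_no_token"] = handle_request(
        victim_session, "transfer", {"to": "attacker", "amount": "500"})

    # 2. Attacker knows the URL syntax and inserts a token valid for *their own*
    #    session; it does not validate against the victim's session.
    attacker_token = csrf_token(attacker_session, "transfer")
    results["forged_attacker_token"] = handle_request(
        victim_session, "transfer",
        {"to": "attacker", "amount": "500", "token": attacker_token})

    # 3. A token issued for a different action on the victim's session does not
    #    transfer to this one either.
    other_action_token = csrf_token(victim_session, "change_email")
    results["wrong_action_token"] = handle_request(
        victim_session, "transfer",
        {"to": "attacker", "amount": "500", "token": other_action_token})

    # 4. The site's own form, rendered for the victim, carries the matching token.
    legit_token = csrf_token(victim_session, "transfer")
    results["legitimate"] = handle_request(
        victim_session, "transfer",
        {"to": "landlord", "amount": "500", "token": legit_token})

    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:24s} {outcome}")
```

Deriving the token with an HMAC rather than sending the raw session ID as the parameter (one of the options the message lists) avoids copying the session ID into URLs, where it ends up in server logs and Referer headers; binding the action into the HMAC input is optional, but it stops a token captured from one form being replayed against another.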