WebApp Sec mailing list archives
Re: FW: blocking CSRF attacks
From: "Martin Johns" <martin.johns () gmail com>
Date: Thu, 20 Dec 2007 10:03:35 +0100
On 12/19/07, Paul Johnston <paj () pajhome org uk> wrote:
> It may be possible for an attacker to avoid the referer header being sent - if they use <meta http-equiv="refresh" ...> but I have not experimented with this, and it would only do this for GET requests.

There are several reliable methods to suppress the referrer which work both for GET and POST. E.g., in IE and FF it is sufficient to dynamically create an empty IFrame and fill it with an HTML form which is targeted at the victimised site. As the IFrame wasn't assigned a source URL, the HTTP request that is initiated by submitting the form does not contain a referrer header.

It also is still possible to *somewhat* spoof the referrer in a CSRF attack scenario using Flash: https://www.flashsec.org/wiki/Arbitrary_HTTP_Requests

-- Martin

-- 
Martin Johns
http://www.informatik.uni-hamburg.de/SVS/personnel/martin/index.php
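The practical consequence of the exchange above is that a server-side CSRF check which relies on the Referer header must decide what to do when the header is absent, since that absence can be produced on purpose. The following added example (not code from the thread or its authors; the site origin, header names and token field are assumed) contrasts a referrer-only policy, which either fails open or breaks legitimate users, with a check that requires a per-session synchronizer token and treats the Referer only as a supplementary signal.

```python
import hmac
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed value).
SITE_ORIGIN = "https://bank.example"


def referer_matches(headers, site_origin=SITE_ORIGIN):
    """Classify the Referer as 'match', 'mismatch' or 'absent'.

    'absent' is the case the thread describes: a form submitted from an
    IFrame with no source URL carries no Referer at all, so a referrer-only
    defence has no evidence either way."""
    ref = headers.get("Referer")
    if not ref:
        return "absent"
    parts = urlsplit(ref)
    return "match" if f"{parts.scheme}://{parts.netloc}" == site_origin else "mismatch"


def referer_only_allows(headers, allow_absent, site_origin=SITE_ORIGIN):
    """A referrer-only policy. allow_absent=True keeps privacy-proxy users
    working but lets a referrer-suppressed cross-site POST through (fails
    open); allow_absent=False fails closed but rejects those same users."""
    status = referer_matches(headers, site_origin)
    if status == "absent":
        return allow_absent
    return status == "match"


def token_matches(session_token, form_token):
    """Synchronizer-token comparison, constant time so the comparison itself
    does not leak token bytes through timing."""
    if not session_token or not form_token:
        return False
    return hmac.compare_digest(session_token, form_token)


def csrf_allowed(headers, form, session, site_origin=SITE_ORIGIN):
    """Accept a state-changing request only if the submitted token matches the
    one stored in the session. A Referer pointing at a foreign origin is an
    extra reason to reject; a missing Referer on its own decides nothing, so
    suppressing it gains the attacker nothing."""
    if referer_matches(headers, site_origin) == "mismatch":
        return False
    return token_matches(session.get("csrf_token"), form.get("csrf_token"))
```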