WebApp Sec mailing list archives
Re: FW: blocking CSRF attacks
From: "Amit Klein" <aksecurity () gmail com>
Date: Thu, 20 Dec 2007 13:18:20 +0200
On Dec 19, 2007 9:26 PM, Paul Johnston <paj () pajhome org uk> wrote:
[...]
> In a CSRF attack the victim's browser is making the request, so the attacker does not get free control of the referer header. Sure, using this as a security control is not perfect, but it does have some merit as a quick fix.
I beg to differ:

"Forging HTTP request headers with Flash"
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
http://ha.ckers.org/blog/20060725/forging-http-request-headers-with-flash/

"HTTP Header Injection Vulnerabilities in the Flash Player Plugin"
http://download2.rapid7.com/r7-0026/

"Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..."
http://www.webappsec.org/lists/websecurity/archive/2005-09/msg00019.html

-Amit
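The thread's point is that a Referer check is at best a secondary CSRF control. The following is an added example, not code from either poster, showing how a server can keep a Referer/Origin check as defence-in-depth while relying on a per-session token as the primary control; the names SITE_ORIGIN, issue_token and request_is_legitimate are hypothetical.

```python
"""Added example (not from the thread): a CSRF check that treats the
Referer/Origin header as defence-in-depth only and relies on a
per-session token as the primary control. All names are hypothetical."""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the scheme and host this application serves.
SITE_ORIGIN = ("https", "www.example.com")


def referer_is_same_origin(headers):
    """Return True only if an Origin or Referer header is present and
    names our own origin.  A missing header is treated as untrusted,
    since a forged request can simply omit it.  The host is compared
    whole, not as a prefix, so 'www.example.com.evil.test' does not pass."""
    ref = headers.get("Origin") or headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return (parts.scheme, parts.hostname) == SITE_ORIGIN


def issue_token(session):
    """Store a fresh random token in the session and return it so the
    application can embed it in its forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_legitimate(session, headers, form):
    """Primary control: the token submitted with the form must equal the
    session token (constant-time compare).  Secondary control: the header
    check.  Both must hold for a state-changing request to be accepted."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    token_ok = bool(expected) and hmac.compare_digest(expected, supplied)
    return token_ok and referer_is_same_origin(headers)
```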