This is a discussion on Re: CSRF (Was: XSS evasion) - modperl
On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote:
> Jonathan Vanasco wrote:
>> can't a lot of this be locked down with http referrers?
> Until July of this year, checking the Referer was thought to be a
> good safeguard against CSRF, because an attacker would have to cause a
> victim to send the right Referer, which isn't so easy.
> Unfortunately, Amit Klein published some research in July that
> demonstrated how to do this with Flash. So, if your users use clients
> that support Flash (which most do), this is not a good safeguard.
That's rather annoying.
The steps to lock down a domain are f*ing difficult.
I don't think it's even entirely possible now... If a browser has
On all my projects, I've moved Flash communications to their own
namespace to avoid *some* referrer forging, and I've locked down all
account / write pages to necessitate an HTTP referrer from my site.
I say *some* in regards to Flash, because an SWF can still do a
loadMovie against a domain without crossdomain.xml constraints.
Beyond that though, anything that I can think of really just makes
things more inconvenient for 'hackers'. Considering Flash and
regex/requests/everything happening silently behind the scenes -- there
are just so many new 'vulnerabilities'.
I'm not even sure that these really are vulnerabilities though...
If a user gets a spam, clicks on the link, and that link loads some site
in Russia / China / the Czech Republic that has a JS file or Flash file
that is used to fake referrers, make requests, and basically be a
web spider using their session info -- all behind the scenes -- is
that necessarily a vulnerability in my website, or one in the browsers?
I'm not sure on that.
What I am sure of is that it took me all of 30 minutes to
'reasonably' lock down my websites under mod_perl. That's damn fast.
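An added example, not code from this thread, from the poster, or from mod_perl itself: a mod_perl 2 access handler that enforces the kind of Referer requirement the post describes on write pages. The package name, the `/account` location, the `PerlSetVar` names and the example hostnames are assumptions. The point it adds is how the check is done: the Referer host is parsed and compared exactly against a configured list, rather than substring- or regex-matched, and a missing Referer on a state-changing method is rejected rather than waved through. It is still only the Referer check; it does nothing against the Flash-based Referer forging in the quoted message.

```perl
package My::RefererGuard;   # assumed package name, not from the thread
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::RequestUtil ();   # $r->dir_config
use Apache2::Log ();           # $r->log_error
use APR::Table ();
use Apache2::Const -compile => qw(OK FORBIDDEN);
use URI ();

# Pure policy check, kept apart from Apache so it can be tested standalone.
#   $referer     raw Referer header value (may be undef)
#   $allowed     arrayref of hostnames allowed to originate write requests
#   $require_tls if true, an http:// Referer is rejected as well
sub referer_allowed {
    my ($referer, $allowed, $require_tls) = @_;
    return 0 unless defined $referer && length $referer;   # no header: fail closed

    my $uri    = URI->new($referer);
    my $scheme = lc($uri->scheme // '');
    return 0 unless $scheme eq 'http' || $scheme eq 'https';
    return 0 if $require_tls && $scheme ne 'https';

    my $host = lc(eval { $uri->host } // '');   # host() dies on non-hierarchical URIs
    $host =~ s/\.\z//;                          # "example.com." -> "example.com"

    # Exact match only. A pattern like /example\.com/ would also accept
    # "example.com.evil.net" and "evil.net/?example.com".
    return (grep { $host eq lc $_ } @$allowed) ? 1 : 0;
}

sub handler {
    my $r = shift;

    # Only state-changing methods get the origin check; GET is left alone.
    return Apache2::Const::OK unless $r->method =~ /\A(?:POST|PUT|DELETE)\z/;

    # Allowed hosts come from httpd.conf, never from the Host header,
    # which the client controls. An empty list rejects everything.
    my @allowed = split /\s+/, ($r->dir_config('RefererHosts') || '');
    my $tls     = ($r->dir_config('RefererRequireTLS') || '0') eq '1';

    my $ref = $r->headers_in->{Referer};
    unless (referer_allowed($ref, \@allowed, $tls)) {
        $r->log_error(sprintf 'CSRF guard: rejected %s %s, Referer "%s"',
                      $r->method, $r->uri, defined $ref ? $ref : '(none)');
        return Apache2::Const::FORBIDDEN;
    }
    return Apache2::Const::OK;
}

1;

__END__

# httpd.conf (assumed location and hostnames):
#   PerlModule My::RefererGuard
#   <Location /account>
#       PerlSetVar RefererHosts "www.example.com example.com"
#       PerlSetVar RefererRequireTLS 1
#       PerlAccessHandler My::RefererGuard
#   </Location>
```

Because a missing Referer is rejected, users behind proxies or privacy tools that strip the header are locked out of the write pages; that is the inconvenience the post accepts in exchange for the check. The TLS requirement is there because a site served over https normally never receives an http:// Referer from its own pages, so one arriving on a write request is worth refusing.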