On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote:

> Jonathan Vanasco wrote:
>> can't a lot of this be locked down with http referrers?
>
> Until July of this year, checking the Referer was thought to be a pretty
> good safeguard against CSRF, because an attacker would have to cause a
> victim to send the right Referer, which isn't so easy.
>
> Unfortunately, Amit Klein published some research in July that
> demonstrated how to do this with Flash. So, if your users use clients
> that support Flash (which most do), this is not a good safeguard.
That's rather annoying.

The steps to lock down a domain are f*ing difficult.

I don't think it's even entirely possible now... If a browser has
JavaScript + async, they can fake the entire session.

On all my projects, I've moved Flash communications to their own
namespace to avoid *some* referrer forging, and I've locked down all
account / write pages to necessitate an HTTP referrer from my site.

I say *some* in regards to Flash, because a .swf can still do a
loadMovie against a domain without crossdomain.xml constraints.

Beyond that though, anything that I can think of really just makes
things more inconvenient for 'hackers'. Considering what Flash and
JavaScript can do now-- especially in regards to async/callbacks/
regex/requests/everything happening silently behind the scenes-- there
are just so many new 'vulnerabilities'.

I'm not even sure that these really are vulnerabilities though...

If a user gets a spam, clicks on the link, and that link loads some site
in Russia / China / the Czech Republic that has a JS file or Flash file
that is used to fake referrers, make requests, and basically be a
web spider using their session info -- all behind the scenes -- is
that necessarily a vulnerability in my website, or one in the browsers?

I'm not sure on that.

What I am sure of is that it took me all of 30 minutes to
'reasonably' lock down my websites under mod_perl. That's damn fast.
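The thread contrasts a Referer check with the fact that a client can spoof that header; the following is an added example (not code from the thread or from either poster) of a write-endpoint gate that keeps the Referer check but also requires a per-session synchronizer token, which a forged cross-site request cannot supply. `SITE_HOST` and the dict-shaped session/header/form objects are assumptions for the example.

```python
# Added example: CSRF gate for a state-changing request.
# A Referer check alone is weak (the header can be absent or, as the thread
# notes, forged by a plugin); a random per-session token that the form must
# echo back does not depend on the browser sending honest headers.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumption: host of the site being protected


def referer_ok(headers):
    """Weak check: accept only a Referer whose hostname is exactly our host.
    Hostname comparison (not a prefix match) so that
    'example.com.attacker.test' is rejected. Missing header => reject."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname == SITE_HOST


def issue_token(session):
    """Store a fresh random token in the session and return it so the
    server can embed it as a hidden field in every write form."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def token_ok(session, form):
    """Strong check: the submitted token must equal the session's token.
    hmac.compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf")
    submitted = form.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def allow_write(session, headers, form):
    """Gate for account / write pages: both checks must pass.
    Same-origin referer AND a matching session token."""
    return referer_ok(headers) and token_ok(session, form)
```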