10 Mar
2010
10 Mar
'10
7:44 p.m.
Take a look at the "sammy is my hero" worm, myspace sent a hash to the user like
the one you propose,
the worm made the required get request to get the hash, then made the post along with the
hash.
What prevents javascript from opening the page with the hash in an iframe and then reading
in the iframe
to get the hash, then creating a form with the required data and posting it to the save
action?
If we were to combine a requirement for post requests with checking of the referrer
header, then we
would block links, forms and javascript based attacks leaving only an attack through older
versions
of flash which support referrer forgery and at this point the difficulty of the attack
becomes such that
we need to consider a wider array of attack vectors.
Caleb
Alex Busenius wrote:
Unfortunately, using POST requests instead of GET
requests is not
enough. It will not prevent attacks that use forms and/or JavaScript to
generate POST requests.
Alex
On 03/09/2010 02:48 PM, Caleb James DeLisle wrote:
I had thought about proposing this myself but
decided against it because it seems
to me like a workaround for problems which can be solved in other ways.
Suppose we were to add a check to the actions which alter data which made sure the
request method
was 'post' and made it configurable in one of the configuration files? We would
have
to look over the default skins for incorrect links and leave the configuration
option off by default for backward compatibility at least until the next major version
but we could provide wiki operators the ability to prevent CSRF.
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs