Cross-site request forgery

Posted Oct 18, 2007 3:01 UTC (Thu) by jwb (guest, #15467)
In reply to: Cross-site request forgery by elanthis
Parent article: Cross-site request forgery

I agree that you need further measures to protect against malicious webmasters, but they are a
small part of the problem.  The larger part of the problem is that anybody can put <img
src="whatever"> into a forum post (including this one) which causes a simple GET request.  If
your application has side effects on GET requests, then it is vulnerable to this very simple
attack.
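The point in the comment above, as an added example that is not part of the original comment or of any real forum's code: a state-changing action reachable by GET is triggered by an image fetch, while the same action behind POST plus a per-session token is not. The handler names, the `/delete` route, the session id and the token scheme are all constructed for illustration, and the token check goes one step beyond the GET point into the "further measures" the comment mentions.

```python
import hmac
import secrets

# Constructed in-memory state for the demo: one logged-in session, two posts.
SESSIONS = {"sid-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}
POSTS = {1: "hello", 2: "world"}


def handle_unsafe(method, path, query, cookies, form=None):
    """Side effect on GET: any request carrying the cookie deletes the post."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 403
    if path == "/delete":
        POSTS.pop(int(query["id"]), None)  # method is never checked
        return 200
    return 404


def handle_safe(method, path, query, cookies, form=None):
    """Same action, but only via POST carrying the session's CSRF token."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 403
    if path == "/delete":
        if method != "POST":
            return 405  # GET must stay free of side effects
        form = form or {}
        token = form.get("csrf", "")
        # Constant-time comparison against the per-session secret; a page on
        # another origin can submit a form but cannot read this value.
        if not hmac.compare_digest(token, session["csrf"]):
            return 403
        POSTS.pop(int(form.get("id", 0)), None)
        return 200
    return 404


def image_fetch(handler, path, query):
    """Model of what a browser does for an <img> tag while the user is
    logged in: a plain GET that automatically carries the session cookie."""
    return handler("GET", path, query, {"sid": "sid-alice"})
```
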



Cross-site request forgery

Posted Oct 18, 2007 3:04 UTC (Thu) by jwb (guest, #15467)

It should be noted that certain forum software is rather more permissive about the sorts of things which can be posted by anonymous users, while other software can be very restrictive.

Cross-site request forgery

Posted Oct 18, 2007 3:19 UTC (Thu) by tetromino (subscriber, #33846)

You forgot to add a <marquee>.

Cross-site request forgery

Posted Oct 18, 2007 5:27 UTC (Thu) by mitchskin (subscriber, #32405)

lol, the medium is indeed the message.

Cross-site request forgery

Posted Oct 18, 2007 7:32 UTC (Thu) by Los__D (guest, #15263)

MY EYES, MY EYES!!! :D

Cross-site request forgery

Posted Oct 25, 2007 18:07 UTC (Thu) by devinjones (guest, #11272)

Thank goodness for firebug.
