On 01.10.2008 at 12:20, Aristotle Pagaltzis wrote:

* Moritz Onken <[EMAIL PROTECTED]> [2008-10-01 09:25]:
The best way is to include a random string which has to be
stored somewhere for comparison on the server side.

Doesn’t have to be stored. Send a random string as well as a HMAC
digest of a server secret plus the same string. To check a token,
check if the random string plus server secret hash to the same
digest as the one provided by the client. Since the server secret
is not known or knowable to third parties, if the digest checks
out, then this token must have been minted by the server. Very
simple; near-zero CPU overhead; no server-side storage required.


Hi,

but this does still rely on the fact that there is no XSS issue
on your page, doesn't it?
I imagine a case where the attacker's site opens an iframe to your
site which exploits an XSS issue and can send the whole form
information back to the attacker's site. He now has the HMAC and
the random string.

cheers,

moritz
_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
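The stateless token scheme from Aristotle's reply (random string plus an HMAC of it under a server secret, verified by recomputation rather than lookup), as an added Python example that is not code from the thread or from Catalyst. The "nonce.digest" encoding, HMAC-SHA256 and the secret value are assumptions made here.

```python
import hmac
import hashlib
import secrets

# Hypothetical server secret for this example; a real deployment loads it
# from configuration and never sends it to the client.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def mint_token(secret: bytes = SERVER_SECRET, nbytes: int = 16) -> str:
    """Mint a token: random string + HMAC(secret, random string).

    The "<nonce>.<digest>" layout and HMAC-SHA256 are choices made for this
    example; the thread only specifies a random string plus an HMAC digest.
    Nothing is stored server-side.
    """
    nonce = secrets.token_hex(nbytes)
    digest = hmac.new(secret, nonce.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{nonce}.{digest}"


def verify_token(token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute HMAC(secret, nonce) and compare it with the client's digest.

    Only a holder of the secret can produce a matching digest, so a match
    means the server minted this token. As Moritz points out in the thread,
    this proves origin, not confidentiality: an XSS flaw that lets a script
    read the form hands both parts of the token to the attacker.
    """
    nonce, sep, client_digest = token.partition(".")
    if not sep or not nonce:
        return False  # malformed: no separator or empty nonce
    expected = hmac.new(secret, nonce.encode("utf-8"), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so response timing does not leak
    # how many leading characters of the digest were correct.
    return hmac.compare_digest(expected, client_digest)


if __name__ == "__main__":
    token = mint_token()
    nonce, digest = token.split(".")
    tampered_nonce = ("1" if nonce[0] == "0" else "0") + nonce[1:]
    print("minted:        ", token)
    print("valid:         ", verify_token(token))
    print("tampered nonce:", verify_token(f"{tampered_nonce}.{digest}"))
    print("wrong secret:  ", verify_token(token, b"some-other-secret"))
```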
