Something to understand is that "action" pages are not the only pages that can be exploited or part of an exploit.
________________________________
From: Gerry Gurevich <gerry.gurev...@gmail.com>
To: discussion@acfug.org
Sent: Thursday, December 18, 2008 8:39:21 AM
Subject: Re: [ACFUG Discuss] Cross Site Forgery Question

Thanks for the info Shawn. We've got someone looking at your solution. I just realized that I hadn't posted the link to the solution that we were looking at in my original post. Here it is:

http://www.12robots.com/index.cfm/2008/8/25/Request-Forgeries-and-ColdFusion--Security-Series-9

I assume you are doing something similar.

FWIW, I'm looking into this for a colleague, and what he is telling me is that the security goons are scanning his site and labeling it vulnerable even though the pages that they are hitting with this vulnerability are not action pages. Doesn't seem like a real problem in that case to me.

On Wed, Dec 17, 2008 at 4:08 PM, shawn gorrell <chees...@yahoo.com> wrote:
> There are ways to do it for forms and urls. In fact, I have a fully baked
> implementation of a mitigation in my Tardis framework. The approach is
> simple: have each page request a token (nonce) from a security component and
> add it as a hidden field to your form, or append it to any url inside your app, and
> then check on the next request to make sure that the token was passed and
> that it has never been used before. This also prevents double-submits. Let
> me know if you'd like a go-to for the code...
>
> ________________________________
> From: Gerry Gurevich <gerry.gurev...@gmail.com>
> To: discussion@acfug.org
> Sent: Wednesday, December 17, 2008 3:59:50 PM
> Subject: [ACFUG Discuss] Cross Site Forgery Question
>
> Sorry, I posted to the wrong list initially. Here is my question for
> the discussion list:
>
> I've been asked to investigate this by someone at my company. They
> found this link as a CF solution. Do you all have any thoughts or
> opinions on the value of this approach? It seems to only work for
> form submit actions. What would you do if you had a link to an
> action page? How would you mitigate against this type of attack?
>
> Your thoughts are appreciated.
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?fa=login.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------
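The token scheme Shawn describes above (each page requests a nonce from a security component, puts it in a hidden field or on in-app URLs, and the next request checks that it was sent and has never been used before), as an added example that is not part of the thread and not Tardis code. It is written in Python rather than CFML so the logic is easy to follow; the `CsrfGuard` class, the `csrftoken` parameter name, the `deleteUser.cfm` action page and the session ids are all assumptions, and the in-memory dict stands in for the per-user SESSION scope. It also covers Gerry's case of a plain link to an action page by appending the token to the URL, and walks through the replay, forged-request, foreign-token and expired-token cases the scheme is meant to block.

```python
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_TTL_SECONDS = 900  # assumed lifetime of an unused token (15 minutes)


class CsrfGuard:
    """Single-use, per-session CSRF tokens (nonces).

    Hypothetical stand-in for the 'security component' in the thread: the
    in-memory dict below plays the role of the per-user SESSION scope.
    """

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl
        # session id -> {token: time issued}
        self._store: Dict[str, Dict[str, float]] = {}

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        """Mint a fresh random token and remember it for this session only."""
        now = time.time() if now is None else now
        tokens = self._store.setdefault(session_id, {})
        for tok, issued in list(tokens.items()):  # drop stale tokens from abandoned pages
            if now - issued > self.ttl:
                del tokens[tok]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        tokens[token] = now
        return token

    def verify(self, session_id: str, token: Optional[str], now: Optional[float] = None) -> bool:
        """Accept a token once: it must exist for this session and be unexpired, then it is burned."""
        now = time.time() if now is None else now
        if not token:
            return False
        tokens = self._store.get(session_id, {})
        # constant-time comparison against each outstanding token for this session
        match = next((t for t in tokens
                      if hmac.compare_digest(t.encode(), token.encode())), None)
        if match is None:
            return False
        issued = tokens.pop(match)  # single use: a replay or double-submit now fails
        return now - issued <= self.ttl

    def hidden_field(self, session_id: str) -> str:
        """Markup to drop inside a <form> on the page that renders it."""
        return '<input type="hidden" name="csrftoken" value="%s">' % self.issue(session_id)

    def tokenize_url(self, session_id: str, url: str) -> str:
        """Append a token to an in-app link, so GET requests to action pages are covered too."""
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("csrftoken", self.issue(session_id)))
        return urlunsplit(parts._replace(query=urlencode(query)))


def delete_user_action(guard: CsrfGuard, session_id: str,
                       params: Dict[str, str], now: Optional[float] = None) -> str:
    """Hypothetical deleteUser.cfm action page: refuses any request without a valid, unused token."""
    if not guard.verify(session_id, params.get("csrftoken"), now):
        return "rejected"
    return "deleted user %s" % params.get("id")


def demo() -> Dict[str, str]:
    """Walk through the legitimate request and the failure modes the scheme blocks."""
    guard = CsrfGuard()
    victim, attacker = "sess-victim", "sess-attacker"  # constructed session ids

    # A page rendered for the victim carries a tokenized link to the action page.
    link = guard.tokenize_url(victim, "/deleteUser.cfm?id=42")
    params = dict(parse_qsl(urlsplit(link).query))

    results = {
        "legit": delete_user_action(guard, victim, params),   # first use succeeds
        "replay": delete_user_action(guard, victim, params),  # same token again fails
        # Forged <img src="/deleteUser.cfm?id=42"> on another site: the browser sends the
        # victim's session cookie, but the attacker cannot know the token.
        "forged": delete_user_action(guard, victim, {"id": "42"}),
        # Attacker mints a token in their own session and plants it in a link for the victim.
        "foreign": delete_user_action(
            guard, victim, {"id": "42", "csrftoken": guard.issue(attacker)}),
    }
    # A token left on an old page past its TTL is also refused.
    stale = guard.issue(victim, now=0.0)
    results["expired"] = delete_user_action(
        guard, victim, {"id": "42", "csrftoken": stale}, now=TOKEN_TTL_SECONDS + 1.0)
    return results
```

The same shape ports to CF as a component whose token struct lives in the SESSION scope (wrapped in a cflock), with the verify call made at the top of every action page or in a central request handler so that no action page can be reached without it; the point of appending the token to links as well as forms is that a GET to an action page is just as forgeable as a POST.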