Hi Josh,
Are these precautions sufficient to prevent the CSRF attack that
you described?
Hi Yonatan,
Turning off client side scripting will go a long way in securing your
browser, but is it a realistic approach for securing a "regular" user's
PC? From my experience, about 80% of the web applications that I audit
are vulnerable to either XSS or CSRF, which means that even if you
use the NoScript Firefox plugin to allow only client side script
execution from "acceptable" web sites, you will be either severely
limiting the web sites available or allowing potentially dangerous code
to run on your browser. In either case I don't think this is the correct
approach for "regular" users. In my experience there are just too many
web apps that do not function properly under Firefox and MSIE under
wine, to expect my grandmother to put up with. Perhaps a better solution
for a school with a limited budget would be to run their web browsing
boxen under vmware and have the machine revert to a known clean snapshot
every day. This does not solve most CSRF issues, though it would get rid
of any unwanted material downloaded that day. CSRF attacks are a server
side issue; you could solve them by removing client side scripting, but
again that is not an acceptable solution for most users (and does not
address HTML based attacks).
--
- Josh
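Josh's point that CSRF is a server-side problem, shown with an added example that is not part of the thread: a minimal synchronizer-token check in Python. The in-memory session store, the handler and all sample values are constructed for the demo; a plain HTML form posted from another site carries the victim's cookie but not the per-session token, so it is rejected whether or not scripting is enabled.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}

def start_session(user):
    """Log a user in and bind a fresh random CSRF token to the session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """The token our own pages embed as a hidden form field."""
    return SESSIONS[sid]["csrf"]

def handle_post(cookies, form):
    """Server-side handler for a state-changing POST (here: change e-mail)."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "CSRF token missing or invalid"
    sess["user"]["email"] = form["email"]
    return 200, "email updated"

def demo():
    sid = start_session({"name": "alice", "email": "alice@example.invalid"})
    # The browser attaches this cookie to any request aimed at our site.
    cookies = {"session": sid}
    # 1. Form submitted from a third-party page: cookie present, token absent.
    cross_site = handle_post(cookies, {"email": "other@example.invalid"})
    # 2. Form rendered by our own page, which embedded the session's token.
    legit = handle_post(cookies, {"email": "new@example.invalid",
                                  "csrf_token": csrf_token_for(sid)})
    return cross_site, legit, SESSIONS[sid]["user"]["email"]

if __name__ == "__main__":
    print(demo())
```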