On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote:

Jonathan Vanasco wrote:
Can't a lot of this be locked down with HTTP referrers?

Until July of this year, checking the Referer was thought to be a pretty
good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.

Unfortunately, Amit Klein published some research in July that
demonstrated how to do this with Flash. So, if your users use clients
that support Flash (which most do), this is not a good safeguard.

That's rather annoying.

The steps to lock down a domain are f*ing difficult.

I don't think it's even entirely possible now... If a browser has JavaScript + async, they can fake the entire session.

On all my projects, I've moved Flash communications to their own namespace to avoid *some* referrer forging, and I've locked down all account / write pages to necessitate an HTTP referrer from my site.

I say *some* in regards to Flash, because a SWF can still do a loadMovie against a domain without crossdomain.xml constraints.

Beyond that though, anything that I can think of really just makes things more inconvenient for 'hackers'. Considering what Flash and JavaScript can do now, especially in regards to async/callbacks/regex/requests/everything happening silently behind the scenes, there are just so many new 'vulnerabilities'.

I'm not even sure that these really are vulnerabilities though...

If a user gets spam, clicks on the link, and that link loads some site in Russia / China / the Czech Republic that has a JS file or Flash file that is used to fake referrers, make requests, and basically be a web spider using their session info, all behind the scenes, is that necessarily a vulnerability in my website, or one in the browsers?

I'm not sure on that.

What I am sure of is that it took me all of 30 minutes to 'reasonably' lock down my websites under mod_perl. That's damn fast.
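
As an added example that is not part of the thread: a Referer check written the way the advice above implies, beside the per-session token check it should back up, since the thread's point is that the Referer alone can be forged or suppressed. It goes beyond the 2006 discussion by also accepting the Origin header, which browsers added later; the site host name, the header dict and the token values are constructed for illustration.

```python
"""Added example (not from the mailing-list thread): Referer/Origin check
for CSRF beside the synchronizer-token check it should back up.
SITE_HOST, the header dict and the tokens are constructed values."""
import hmac
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # constructed: the protected site's host


def referer_is_same_site(headers, site_host=SITE_HOST):
    """Return True only when Origin (preferred) or Referer names our host.

    A missing header is rejected: clients and intermediaries can strip it,
    so "absent" must not be treated as "trusted".  Parsing the URL and
    comparing the host exactly (or as a real subdomain) avoids the classic
    substring mistake where "example.com.evil.test" would pass.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    host = urlsplit(source).hostname  # None for "null" or a bare path
    if host is None:
        return False
    host = host.lower()
    return host == site_host or host.endswith("." + site_host)


def csrf_token_is_valid(session_token, submitted_token):
    """Synchronizer token: compare the per-session secret with the value
    submitted in the form, in constant time.  This does not depend on any
    header the client controls, which is why it is the primary defence."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def write_request_allowed(headers, session_token, submitted_token):
    """Policy for state-changing (account / write) requests: the token is
    required, and the Referer/Origin check is kept as a second layer."""
    return (csrf_token_is_valid(session_token, submitted_token)
            and referer_is_same_site(headers))
```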
