Hello Chris, Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on.
To my surprise, the data captured during the sniff for both browsers was exactly the same. Which mean my theory of limiting the <img/> TAG to .gif .jpeg .png is NOT true. So now I am completely clueless as to why this particular attacks works in Mozilla but not in IE. Any ideas? Thanks. Saqib Ali http://validate.sf.net <<< XHTML/DocBook XML Validator and Transformer Chris Shiflett <[EMAIL PROTECTED]> No Phone Info Available 08/16/2004 11:55 AM Please respond to [EMAIL PROTECTED] To [EMAIL PROTECTED], [EMAIL PROTECTED] cc [EMAIL PROTECTED], [EMAIL PROTECTED] Subject Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1? --- [EMAIL PROTECTED] wrote: > I can't share the exact code ;) , but here is something very > similar: > > <img src="http://slashdot.org/my/logout"; height="1" width="1"> > > If I load a web page with the above code, it should log me out > of slashdot. It works in Mozilla (and netscape), but not in I.E. > 6.01 SP1 The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1. Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interepreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts. Hope that helps. Chris ===== Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly Coming Fall 2004 HTTP Developer's Handbook - Sams http://httphandbook.org/ PHP Community Site http://phpcommunity.org/
