On Wed, Feb 3, 2016 at 12:07 PM, Matt Prelude wrote:
> Hi,
>
> On 03/02/16 16:54, Dan Ackroyd wrote:
>
>> On 3 February 2016 at 09:03, Davey Shafik wrote:
>>
>>> Hi all,
>>>
>>> It's actually very difficult to be able to reliably determine that you are
>>> running the _real_ PHP runtime and
On Mon, Feb 8, 2016 at 10:54 AM, Lester Caine wrote:
> On 08/02/16 15:42, Pierre Joye wrote:
> >> I want to propose a new PHP array method, called has_numeric_keys (or
> >> something similar/better), that would have the following method signature:
> >>
> >> bool has_numeric_keys(array $ar
On Mon, Feb 8, 2016 at 9:32 AM, Matthew Setter wrote:
> I want to propose a new PHP array method, called has_numeric_keys (or
> something similar/better), that would have the following method signature:
>
> bool has_numeric_keys(array $array)
>
> The reason for it is to check if the array passed
On Mon, Feb 8, 2016 at 11:38 AM, Rowan Collins wrote:
> Kinn Julião wrote on 08/02/2016 16:05:
>
>> That's the nice thing about userland... you are giving them ability to
>> implement what they want!
>> `array_filter([...], 'is_int', ARRAY_FILTER_USE_KEY)`
On Mon, Feb 8, 2016 at 12:53 PM, Larry Garfield wrote:
> On 2/8/16 11:46 AM, Kinn Julião wrote:
>
>> On Mon, Feb 8, 2016 at 11:38 AM, Rowan Collins wrote:
>>
>> Kinn Julião wrote on 08/02/2016 16:05:
>>>
>>> That's the nice t
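The userland check Kinn gives above, `array_filter([...], 'is_int', ARRAY_FILTER_USE_KEY)`, as an added example that is not code from the thread or from PHP core. Matthew's snippet is cut off before it says which semantics has_numeric_keys() was meant to have, so the three functions below are this example's own readings of the name (all keys int, any key int, keys exactly 0..n-1), run over constructed inputs that also show PHP's key casting.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from PHP core. Wraps the userland
// one-liner from the thread in named functions and runs them over
// constructed inputs. Which reading has_numeric_keys() was meant to have is
// not stated on the page; these three are this example's assumptions.

// Reading 1: every key is an integer (no string keys at all).
function has_only_int_keys(array $array): bool
{
    // ARRAY_FILTER_USE_KEY hands the key, not the value, to the callback,
    // so this keeps exactly the int-keyed entries; then compare the counts.
    $intKeyed = array_filter($array, 'is_int', ARRAY_FILTER_USE_KEY);
    return count($intKeyed) === count($array);
}

// Reading 2: at least one key is an integer.
function has_any_int_key(array $array): bool
{
    return array_filter($array, 'is_int', ARRAY_FILTER_USE_KEY) !== [];
}

// Reading 3: the keys are exactly 0, 1, ..., n-1 in that order (a "list").
// PHP 8.1 ships array_is_list() for this; the check below has no version
// requirement. The empty array counts as a list and is special-cased,
// because range(0, -1) would yield [0, -1] rather than [].
function is_list_like(array $array): bool
{
    return $array === [] || array_keys($array) === range(0, count($array) - 1);
}

// Constructed inputs. Note PHP's key casting: the string key '1' is stored
// as int 1 and the key true also becomes int 1 (overwriting the earlier
// entry), while '01' and '1.5' stay strings.
$samples = [
    'plain list'  => ['a', 'b', 'c'],
    'assoc'       => ['host' => 'db1', 'port' => 3306],
    'mixed'       => [0 => 'a', 'name' => 'b'],
    'cast keys'   => ['1' => 'a', '01' => 'b', '1.5' => 'c', true => 'd'],
    'sparse ints' => [5 => 'a', 9 => 'b'],
    'empty'       => [],
];

printf("%-12s %-9s %-9s %-5s\n", 'input', 'only_int', 'any_int', 'list');
foreach ($samples as $name => $array) {
    printf(
        "%-12s %-9s %-9s %-5s\n",
        $name,
        has_only_int_keys($array) ? 'yes' : 'no',
        has_any_int_key($array)   ? 'yes' : 'no',
        is_list_like($array)      ? 'yes' : 'no'
    );
}
```

The "cast keys" row is the one worth looking at: is_int sees int 1 for the key written as '1', so any check built on the key type is really a check on how PHP stored the key, not on how the caller spelled it. The "sparse ints" row separates reading 1 from reading 3.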
> JS code that does not have pages at all may obtain CSRF token manually.
That's against CSRF protection... in fact, a remote app can also obtain the
token and perform the cross-site request forgery...
-1
On Tue, May 10, 2016 at 9:17 PM, Yasuo Ohgaki wrote:
> Hi Stas,
>
> On Wed, May 11, 2016 at
You seem to have misunderstood your own "get_csrf_token.php" and how attackers
would benefit from it.
Anyway, you're trying to transfer application behaviour to the core...
Sticking to -1.
On May 10, 2016 10:18 PM, "Yasuo Ohgaki" wrote:
> Hi Kinn,
>
> On W
The point with your example is:
The cross site can request "get_csrf_token.php", store its session
(even curl can save the session id cookie or whatever), get the token and
request the endpoint with the retrieved token and session id.
Got it?
On May 10, 2016 10:53 PM, "Kinn
You're confusing CSRF and Session Hijacking... At no moment did I
mention hijacking someone else's session, but still being able
to CSRF (Cross Site Request Forgery).
Any other remote source would still be able to use your "example".
"A is using your own site's contact form
end, this RFC improves nothing as mentioned above.
On May 11, 2016 8:16 AM, "Rowan Collins" wrote:
> On 11/05/2016 12:36, Kinn Julião wrote:
>
>> You're making confusion between CSRF and Session Hijacking... In any moment
>> I mentioned about hijacking someon
And again, I'm bashing against (and based on) his poor example for asynchronous
requests...
On May 11, 2016 8:22 AM, "Kinn Julião" wrote:
> > CSRF is not related to spam or rate limiting, it is related to
> > impersonation. A spam bot can simply repeatedly request new HTML fo
016 13:22, Kinn Julião wrote:
>
>>> CSRF is not related to spam or rate limiting, it is related to
>>> impersonation. A spam bot can simply repeatedly request new HTML forms
>>> and scrape out the hidden input.
>>
>> The Spam bot was just an example, conte
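The scenario argued over in this thread, as an added example that is not code from the RFC under discussion or from any poster: a token endpoint that any client can call (what "get_csrf_token.php" would return), a state-changing endpoint that checks the token, and the three requests the thread talks about. Binding the token to the session with an HMAC under a server-side secret is this example's assumption, not the RFC's design; the session ids and secret are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the RFC or from any poster in the thread.
// Models: a token endpoint any client can call, a protected endpoint that
// checks the token, and the requests discussed above. Binding the token to
// the session via HMAC under a server secret is this example's assumption.

const SERVER_SECRET = 'constructed-secret; use random_bytes(32) in real code';

// What the token endpoint returns for the session that called it.
function issue_csrf_token(string $sessionId, string $secret): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

// What the protected endpoint checks before acting. $cookies is whatever
// the browser attached to the request; $params is the submitted body.
function handle_protected_request(array $cookies, array $params, string $secret): string
{
    $sessionId = $cookies['PHPSESSID'] ?? '';
    $token     = $params['csrf_token'] ?? '';
    if ($sessionId === '' || $token === '') {
        return 'rejected: missing session or token';
    }
    // The token is only valid for the session it was issued to;
    // hash_equals() keeps the comparison constant-time.
    if (!hash_equals(issue_csrf_token($sessionId, $secret), $token)) {
        return 'rejected: token was not issued to this session';
    }
    return 'accepted';
}

// Constructed session ids for the simulation.
$victimSession   = 'sess-victim-0001';
$attackerSession = 'sess-attacker-9999';

// 1. Legitimate use: the victim's own page (HTML form or JS) fetches a
//    token in the victim's session and submits it with the victim's cookie.
$victimToken = issue_csrf_token($victimSession, SERVER_SECRET);
echo "victim, own token:     ", handle_protected_request(
    ['PHPSESSID' => $victimSession],
    ['csrf_token' => $victimToken, 'action' => 'delete_account'],
    SERVER_SECRET
), "\n";

// 2. The scenario Kinn describes: an attacker's site (or curl) calls the
//    token endpoint itself. It gets a token for the attacker's OWN session,
//    since that is the only session cookie it holds. When the attacker's
//    page then forges a request from the victim's browser, the browser
//    attaches the victim's cookie, and the attacker's token does not match.
$attackerToken = issue_csrf_token($attackerSession, SERVER_SECRET);
echo "forged, victim cookie: ", handle_protected_request(
    ['PHPSESSID' => $victimSession],   // added by the victim's browser, not by the attacker
    ['csrf_token' => $attackerToken, 'action' => 'delete_account'],
    SERVER_SECRET
), "\n";

// 3. A bot that scrapes the token endpoint and replays with its own cookie
//    is accepted, but only acts within its own session. That is the
//    distinction Rowan draws: CSRF protection is about impersonation,
//    not about spam or rate limiting.
echo "bot, own cookie+token: ", handle_protected_request(
    ['PHPSESSID' => $attackerSession],
    ['csrf_token' => $attackerToken, 'action' => 'post_comment'],
    SERVER_SECRET
), "\n";
```

Case 2 is rejected only because the attacker never sees the victim's token: the browser's same-origin policy stops the attacker's page from reading the response to a credentialed request it sends to the token endpoint. The check therefore also depends on that endpoint not being served with a CORS policy that exposes its response to other origins with credentials; if it were, the problem would be a cross-site read the site itself allowed, not a weakness in session-bound tokens.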