Snitz Forums 2000
 "Preventing CSRF and XSRF Attacks"

Topic Review
MarcelG Posted - 16 October 2008 : 04:04:38
I just read this post on Coding Horror:
http://www.codinghorror.com/blog/archives/001175.html

It refers to a couple of big and popular websites who have weaknesses in terms of XSRF and CSRF attacks, and it also suggests a path to solving those weaknesses.
I'm not sure if I understand it right, but I think the Snitz basecode may also be subject to these kinds of attacks, especially since a lot of Snitz sites keep adding, for instance, the video mod and other 'embedding' mods.

Does anyone in the Dev team have a good idea about whether or not the Snitz basecode is affected by these weaknesses, and how these weaknesses could be fixed?

4 Latest Replies (Newest First)
AnonJr Posted - 21 October 2008 : 12:16:19
Just FYI, Steve Gibson talks about CSRF in the latest "Security Now" netcast.

http://www.twit.tv/sn166

I've been listening to this netcast for a long time and I highly recommend adding it to your regular listening. It certainly makes the commute that much better.
HuwR Posted - 16 October 2008 : 12:11:21
We don't have anything like that on post.asp. Like I said, there is nothing to stop them posting a message here if they have stolen your cookie.
MarcelG Posted - 16 October 2008 : 08:52:01
Ah, so the antispam add-on I made (and I think you also implemented something like that here), with the hidden form in the post.asp page and the check for the value of that form in post_info.asp, is already preventing these types of attacks?
HuwR Posted - 16 October 2008 : 07:26:41
That is why the base code insists that users log on so often, something that annoys the hell out of most people, but it ensures that nobody can tamper with your profile or the admin functions.

Admittedly they could post topics/replies using this method, but since we filter out any malicious-looking code, all they could do was post a non-harmful message. The only thing to do to prevent that would be to force you to log in every time you posted, something that would probably cause a riot.

Snitz Forums 2000 © 2000-2021 Snitz™ Communications. Powered By: Snitz Forums 2000 Version 3.4.07