Snitz Forums 2000
 "Preventing CSRF and XSRF Attacks"

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 16 October 2008 :  04:04:38
I just read this post on Coding Horror ;
http://www.codinghorror.com/blog/archives/001175.html

It refers to a couple of big and popular websites who have weaknesses in terms of XSRF and CSRF attacks, and it also suggests a path to solving those weaknesses.
I'm not sure if I understand it right, but I think that also the Snitz basecode may be subject to these kind of attacks, especially since a lot of Snitz sites keep adding for instance the video mod and other 'embedding' mods.

Does anyone in the Dev team have a good idea about whether or not the Snitz basecode is affected by these weaknesses, and how these weaknesses could be fixed?

portfolio - linkshrinker - oxle - twitter

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 16 October 2008 :  07:26:41
That is why the base code insists that users log on so often, something that annoys the hell out of most people, but it ensures that nobody can tamper with your profile or the admin functions.

Admittedly they could post topics/replies using this method, but since we filter out any malicious looking code all they could do was post a non-harmful message. The only thing to do to prevent that would be to force you to login every time you posted, something that would probably cause a riot.

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 16 October 2008 :  08:52:01
Ah, so the antispam add-on I made (and I think you also implemented something like that here), with the hidden form in the post.asp page and the check for the value of that form in post_info.asp, is already preventing these types of attacks?

portfolio - linkshrinker - oxle - twitter
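An added illustration of the mechanism MarcelG asks about, written here in Python rather than the forum's classic ASP and not part of Snitz or of this thread: post.asp renders a per-session random token into a hidden field, and post_info.asp rejects any submission whose token does not match the one stored in that session. The page names post.asp and post_info.asp come from the thread; the session store, user names and function names are assumptions made for this example.

```python
import hmac
import re
import secrets

# Constructed stand-in for the server-side ASP Session store: session id -> data.
SESSIONS = {}


def login(user):
    """Log a user in: create a session and mint a fresh random token for it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def render_post_form(sid):
    """post.asp: emit the reply form with the session's token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="post_info.asp">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<textarea name="message"></textarea></form>')


def extract_token(html):
    """What the legitimate browser submits: the hidden value from the form it loaded."""
    match = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html)
    return match.group(1) if match else ""


def handle_post_info(sid, form):
    """post_info.asp: accept the post only if the submitted token matches the session."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time compare. A cross-site page can make the browser attach the
    # session cookie, but it cannot read the token out of a form this server
    # rendered for that session, so a missing or wrong token is rejected.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: csrf token missing or invalid"
    return f"posted by {session['user']}: {form['message']}"


if __name__ == "__main__":
    sid = login("marcel")
    token = extract_token(render_post_form(sid))
    print(handle_post_info(sid, {"csrf_token": token, "message": "hello"}))
    # Forged cross-site submission: the cookie rides along, the token does not.
    print(handle_post_info(sid, {"message": "forged post"}))
```

A hidden field that carries the same fixed value for every visitor, as an anti-spam check does, does not give this protection, because a forging page can simply include that value; the token has to be unguessable and tied to the victim's own session.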

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 16 October 2008 :  12:11:21
We don't have anything like that on post.asp. Like I said, there is nothing to stop them posting messages here if they have stolen your cookie.

AnonJr
Moderator

United States
5768 Posts

Posted - 21 October 2008 :  12:16:19
Just FYI, Steve Gibson talks about CSRF in the latest "Security Now" netcast.

http://www.twit.tv/sn166

I've been listening to this netcast for a long time and I highly recommend adding it to your regular listening. It certainly makes the commute that much better.
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07