How to combat modern crappy websites?

Paul Hänsch paul at fsfe.org
Sun May 1 13:02:20 UTC 2016


On 2016-04-30 16:02, Timo Juhani Lindfors wrote:
> Security tip: the chat seems to be vulnerable to CSRF attacks so any
> website can trick your browser into sending chat messages in your name
> (or "in your IP address").

Yes, it does; this is a proof of concept, don't use it as is.
Nonetheless, I thank you in general for reporting any findings of the
sort.

IP addresses are not a good identifier anyway. On most occasions where I
showed the program, the participants shared the same address. You would
also expect the program to be safe against accidental resubmission of
the same message, so submission IDs would be a good idea. If you want
to use this for anything productive, there should also be a surge
protection.

Since the demo uses no authenticated sessions to protect, I've
implemented a referer check. More reliable checks should be used in an
environment which maintains a real user session to track. This would
exceed the scope of this demo.

BTW, this makes good further reading:
https://www.owasp.org/index.php/OWASP_Top_Ten_Project

-- 
Paul Hänsch                     █▉            Webmaster, System-Hacker
                               █▉█▉█▉
Jabber: paul at jabber.fsfe.org    ▉▉     Free Software Foundation Europe
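To make the three measures named in the reply concrete (a Referer check, submission IDs, and a surge protection), here is an added example in Python. It is not the chat demo's code and not the author's; it assumes the form is served from a hypothetical ALLOWED_ORIGIN, that every rendered form carries a fresh server-issued submission ID in a hidden field, and that the CGI/WSGI layer hands the handler the request headers, a client key (the IP address, with the caveat the reply gives) and the current time.

```python
"""Sessionless CSRF, resubmission and flood guards for a web chat form.

Added example, not the demo's code. Assumptions: the form is served from
ALLOWED_ORIGIN; each rendered form embeds an ID from issue_submission_id();
the web layer calls ChatGuard.accept() with headers, client key and time.
"""
import secrets
import time
from collections import deque
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://chat.example.org"  # assumption: where the form lives


def origin_allowed(headers, allowed=ALLOWED_ORIGIN):
    """Origin check with Referer fallback (the check the reply describes).

    Browsers send Origin on cross-site POSTs; Referer is the older fallback.
    Both are compared as parsed scheme + authority, never by string prefix:
    'https://chat.example.org.evil.test' starts with the allowed URL but must
    fail.  A missing header or 'Origin: null' is rejected, because without a
    session there is nothing else to fall back on (privacy tools that strip
    Referer lose the ability to post; that is the trade-off).
    """
    want = urlsplit(allowed)
    want = (want.scheme, want.netloc)
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is not None:
        if origin == "null":
            return False
        got = urlsplit(origin)
        return (got.scheme, got.netloc) == want
    referer = h.get("referer")
    if referer is None:
        return False
    got = urlsplit(referer)
    return (got.scheme, got.netloc) == want


class ChatGuard:
    """Per-process state for one chat endpoint."""

    def __init__(self, allowed_origin=ALLOWED_ORIGIN, max_posts=5,
                 window=10.0, id_ttl=3600.0):
        self.allowed_origin = allowed_origin
        self.max_posts = max_posts   # surge protection: posts per client per window
        self.window = window         # seconds
        self.id_ttl = id_ttl         # seconds an unused form ID stays valid
        self._unused_ids = {}        # submission ID -> time issued
        self._recent = {}            # client key -> deque of accepted post times

    def issue_submission_id(self, now=None):
        """Call when rendering the form; embed the result as a hidden field.

        This is only a one-shot resubmission guard.  It is NOT a CSRF token:
        with no session there is no user to bind it to, and any site can fetch
        the form and take a fresh ID.  The origin check above is what stops
        cross-site posts here.
        """
        now = time.monotonic() if now is None else now
        sid = secrets.token_urlsafe(16)
        self._unused_ids[sid] = now
        return sid

    def accept(self, headers, client, submission_id, now=None):
        """Return 'ok' or the reason the post is refused.

        Nothing is consumed unless every check passes, so a rejected post
        does not burn the form's ID or count against the rate limit.
        """
        now = time.monotonic() if now is None else now
        if not origin_allowed(headers, self.allowed_origin):
            return "bad-origin"
        # drop stale IDs so the table cannot grow without bound
        for sid, issued in list(self._unused_ids.items()):
            if now - issued > self.id_ttl:
                del self._unused_ids[sid]
        if submission_id not in self._unused_ids:
            return "duplicate-or-unknown-id"
        q = self._recent.setdefault(client, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_posts:
            return "rate-limited"
        del self._unused_ids[submission_id]
        q.append(now)
        return "ok"
```

The order of the checks matters: the origin test runs first, so a cross-site POST is refused before it can consume an ID or a rate-limit slot. Once the application keeps a real user session, the reply's advice applies: bind a per-session token to the form instead of relying on Origin/Referer alone, and mark the session cookie SameSite.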