How to combat modern crappy websites?

Paul Hänsch paul at
Sun May 1 13:02:20 UTC 2016

On 2016-04-30 16:02, Timo Juhani Lindfors wrote:
> Security tip: the chat seems to be vulnerable to CSRF attacks so any
> website can trick your browser into sending chat messages in your name
> (or "in your IP address").

Yes it does, this is a proof of concept, don't use it as is.
Nonetheless, I thank you in general for reporting any findings of the  

IP addresses are not a good identifier anyway. On most occasions where I  
showed the program, the participants shared the same address. You would  
also expect the program to be safe against accidental resubmission of  
the same message, so submission IDs would be a good idea. If you want  
to use this for anything productive, there should also be a surge  

Since the demo uses no authenticated sessions to protect, I've  
implemented a referer check. More reliable checks should be used in an  
environment which maintains a real user session to track. This would  
exceed the scope of this demo.

BTW, this makes good further reading:

Paul Hänsch                     Webmaster, System-Hacker
Jabber: paul at                 Free Software Foundation Europe
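As an added illustration of the two mitigations the reply mentions (a Referer check as a stop-gap against CSRF where no session exists, and submission IDs against accidental resubmission), here is a small request-validation routine. It is example code written for this archive page, not the chat demo's own code; the allowed origin `https://chat.example.org`, the header dictionaries and the submission IDs are constructed values. The check prefers the `Origin` header, which browsers attach to cross-site POSTs, and falls back to `Referer`, comparing full origins (scheme, host, port) rather than string prefixes so that `chat.example.org.attacker.example` does not pass; a request carrying neither header is refused, since a missing Referer cannot be told apart from a forged cross-site request.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the origin the chat form is served from.
ALLOWED_ORIGIN = "https://chat.example.org"


def origin_of(url):
    """Reduce a URL to scheme://host[:port], the unit a same-origin check compares.

    Returns None for values that are not absolute URLs (e.g. "null" or junk)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_allowed(headers, allowed_origin=ALLOWED_ORIGIN):
    """Decide whether a POST may be treated as coming from our own page.

    headers: dict of request header names to values (case-insensitive lookup).
    Returns (allowed: bool, reason: str)."""
    h = {name.lower(): value for name, value in headers.items()}
    allowed = allowed_origin.lower()

    origin = h.get("origin")
    if origin is not None:
        # Origin is sent by browsers on cross-site form posts; "null" denotes an
        # opaque origin (sandboxed frame, file://) and must not match anything.
        if origin_of(origin) == allowed:
            return True, "origin matches"
        return False, "origin mismatch"

    referer = h.get("referer")
    if referer is None:
        # Fail closed: without Origin or Referer we cannot tell our own page
        # from a third-party site that submitted the form on the user's behalf.
        return False, "no origin or referer"
    if origin_of(referer) == allowed:
        return True, "referer matches"
    return False, "referer mismatch"


class SubmissionLog:
    """Remember submission IDs so a reload or double-click posts a message once."""

    def __init__(self):
        self._seen = set()
        self.messages = []

    def accept(self, submission_id, message):
        """Store the message unless its ID is empty or already seen."""
        if not submission_id or submission_id in self._seen:
            return False
        self._seen.add(submission_id)
        self.messages.append(message)
        return True


def handle_post(headers, form, log):
    """Apply both checks to one form submission; returns a short status string."""
    allowed, reason = request_allowed(headers)
    if not allowed:
        return f"rejected: {reason}"
    if not log.accept(form.get("submission_id"), form.get("message", "")):
        return "ignored: duplicate or missing submission id"
    return "posted"


if __name__ == "__main__":
    log = SubmissionLog()
    own_page = {"Origin": "https://chat.example.org"}
    print(handle_post(own_page, {"submission_id": "a1", "message": "hi"}, log))
    print(handle_post(own_page, {"submission_id": "a1", "message": "hi"}, log))
    print(handle_post({"Referer": "https://other.example/csrf.html"},
                      {"submission_id": "b2", "message": "forged"}, log))
```

The Referer fallback is what the reply calls the less reliable path: some clients strip or suppress it, so a deployment with real sessions should move to a per-session anti-CSRF token instead of relying on these headers alone.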
