Re: CSRF (Was: XSS evasion)

2006-10-06 Thread Jonathan Vanasco
On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote: Until July of this year, checking the Referer was thought to be a pretty good safeguard against CSRF, because an attacker would have to cause a victim to send the right Referer, which isn't so easy. Unfortunately, Amit Klein published some re

CSRF (Was: XSS evasion)

2006-10-06 Thread Chris Shiflett
Jonathan Vanasco wrote: > can't a lot of this be locked down with http referrers? Until July of this year, checking the Referer was thought to be a pretty good safeguard against CSRF, because an attacker would have to cause a victim to send the right Referer, which isn't so easy. Unfortunately, A

CSRF (Was: XSS evasion)

2006-10-06 Thread Chris Shiflett
Clinton Gormley wrote: > Really good article, Chris: > http://shiflett.org/articles/security-corner-dec2004 > > I really like the solution of using tokens. Thanks! :-) It's worth noting that this safeguard is rendered ineffective if you have XSS vulnerabilities, thanks to Ajax. Malicious JavaScr

CSRF (Was: XSS evasion)

2006-10-06 Thread Chris Shiflett
Clinton Gormley wrote: > 3) Instead of serving the image, the server at www.malicious-site.com > issues a 302 HTTP Status code which redirects Joe Bloggs to > http://my.website.com/change_password?new_password=abcde > > So his password gets changed, because this is coming from a live > session, th

Re: Apache::AuthCAS

2006-10-06 Thread Jonathan Vanasco
On Oct 6, 2006, at 4:04 PM, Ben K. wrote: What will be needed to make it work with mod_perl2? Are there alternatives? Chances are the people who were using AuthCAS are no longer maintaining it. So you might have to adopt it. Shouldn't take more than a few hours at most. Read these 4

Apache::AuthCAS

2006-10-06 Thread Ben K.
Hi, I've sent questions to the author of the module, and to the cas list as well, but wanted to try getting an answer if possible from this list as well. It seems Apache::AuthCAS cannot be used with mod_perl2 as is. It worked up to mod_perl 1.99 according to the pm file, but it seems develo

Re: XSS evasion

2006-10-06 Thread Jonathan Vanasco
On Oct 6, 2006, at 1:04 PM, [EMAIL PROTECTED] wrote: 1) Joe Bloggs logs into my website and has an active session. 2) Clicks on a link (either from an email or from content posted on my site) to http://www.malicious-site.com/index.html 3) That index page contains an tag 3) Instead of servin

Re: Fwd: XSS evasion

2006-10-06 Thread Clinton Gormley
On Fri, 2006-10-06 at 18:48 +0200, Hendrik Van Belleghem wrote: > "mock" talked about XSS at this year's YAPC::Europe in Birmingham a few > weeks ago. He had quite a few examples. His slides are at > http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code). > It goes without saying that it wou

Re: XSS evasion

2006-10-06 Thread tomas
On Fri, Oct 06, 2006 at 05:14:47PM +0200, Clinton Gormley wrote: > > Users: [...] > > OK, now call me names :-) > > > > Neither of these options will work. Consider this scenario. > > 1) Joe Bloggs logs into my website and has an active session. >

Fwd: XSS evasion

2006-10-06 Thread Hendrik Van Belleghem
"mock" talked about XSS at this year's YAPC::Europe in Birmingham a few weeks ago. He had quite a few examples. His slides are at http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code). It goes without saying that it would be a bit unwise to test the URLs mentioned in the talk. my 2 cents

Re: Using a DB to record Apache's access_log

2006-10-06 Thread Jonathan Vanasco
On Oct 6, 2006, at 11:35 AM, Tom Schindl wrote: See this: http://www.stonehenge.com/merlyn/LinuxMag/col77.html http://www.webmonkey.com/webmonkey/98/38/index2a_page8.html?tw=programming Also look at the archives of last month for this thread: Subject:Logging to a f

Re: XSS evasion

2006-10-06 Thread Jonathan Vanasco
On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote: I'm testing my current site for XSS vulnerabilities, and I came across this one on: http://ha.ckers.org/xss.html well, not MP related but if you let users embed flash / etc in profile pages, make sure you strip object tags -- just use th

Re: XSS evasion

2006-10-06 Thread Clinton Gormley
> That's part of it, but it's not a complete solution. > > That particular attack vector is called CSRF, cross-site request > forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own > site to launch the attack, but it can also be launched from any other > web site where your users v

Re: Using a DB to record Apache's access_log

2006-10-06 Thread Tom Schindl
See this: http://www.stonehenge.com/merlyn/LinuxMag/col77.html http://www.webmonkey.com/webmonkey/98/38/index2a_page8.html?tw=programming Tom Anthony Gardner schrieb: > Can s.o point me in the right direction (links or advice) about the best > way to use a DB to record accesses to Apache? > > C

Using a DB to record Apache's access_log

2006-10-06 Thread Anthony Gardner
Can s.o point me in the right direction (links or advice) about the best way to use a DB to record accesses to Apache? Can records be added to a DB at the time of the request or is the only way to filter the access_log and then whack them into a db? CIA-Ants

Re: XSS evasion

2006-10-06 Thread Clinton Gormley
> Users: > * switch off Javascript (and any other active content) > * avoid pages unusable without active content > > Developers: > * always offer working alternatives to active content (page > must be usable with no JS, no Java, no Flash (I won't talk > about other client-side monst

Re: XSS evasion

2006-10-06 Thread Chris Shiflett
Clinton Gormley wrote: > How would you avoid this? Only take parameters from the > POST data? That's part of it, but it's not a complete solution. That particular attack vector is called CSRF, cross-site request forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own site to launch

Re: XSS evasion

2006-10-06 Thread tomas
On Fri, Oct 06, 2006 at 04:35:22PM +0200, Clinton Gormley wrote: > I'm testing my current site for XSS vulnerabilities, and I came across > this one on: > > http://ha.ckers.org/xss.html [...] > Now this is an interesting one... How would you avoid th

XSS evasion

2006-10-06 Thread Clinton Gormley
I'm testing my current site for XSS vulnerabilities, and I came across this one on: http://ha.ckers.org/xss.html IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on