On Oct 6, 2006, at 4:33 PM, Chris Shiflett wrote:
Until July of this year, checking the Referer was thought to be a pretty
good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.
Unfortunately, Amit Klein published some re
Jonathan Vanasco wrote:
> can't a lot of this be locked down with http referrers?
Until July of this year, checking the Referer was thought to be a pretty
good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.
Unfortunately, A
Clinton Gormley wrote:
> Really good article, Chris:
> http://shiflett.org/articles/security-corner-dec2004
>
> I really like the solution of using tokens.
Thanks! :-)
It's worth noting that this safeguard is rendered ineffective if you
have XSS vulnerabilities, thanks to Ajax. Malicious JavaScr
Clinton Gormley wrote:
> 3) Instead of serving the image, the server at www.malicious-site.com
> issues a 302 HTTP Status code which redirects Joe Bloggs to
> http://my.website.com/change_password?new_password=abcde
>
> So his password gets changed, because this is coming from a live
> session, th
On Oct 6, 2006, at 4:04 PM, Ben K. wrote:
What will be needed to make it work with mod_perl2? Are there alternatives?
Chances are the people who were using AuthCAS are no longer maintaining it.
So you might have to adopt it. Shouldn't take more than a few hours at most.
Read these 4
Hi,
I've sent questions to the author of the module, and to the cas list as
well, but wanted to try getting an answer if possible from this list as
well.
It seems Apache::AuthCAS cannot be used with mod_perl2 as is. It worked up
to mod_perl 1.99 according to the pm file, but it seems develo
On Oct 6, 2006, at 1:04 PM, [EMAIL PROTECTED] wrote:
1) Joe Bloggs logs into my website and has an active session.
2) Clicks on a link (either from an email or from content posted on my
site) to http://www.malicious-site.com/index.html
3) That index page contains an <img> tag
3) Instead of servin
On Fri, 2006-10-06 at 18:48 +0200, Hendrik Van Belleghem wrote:
> "mock" talked about XSS at this year's YAPC::Europe in Birmingham a few
> weeks ago. He had quite a few examples. His slides are at
> http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code).
> It goes without saying that it wou
On Fri, Oct 06, 2006 at 05:14:47PM +0200, Clinton Gormley wrote:
> > Users:
[...]
> > OK, now call me names :-)
> >
>
> Neither of these options will work. Consider this scenario.
>
> 1) Joe Bloggs logs into my website and has an active session.
>
"mock" talked about XSS at this year's YAPC::Europe in Birmingham a few
weeks ago. He had quite a few examples. His slides are at
http://sketchfactory.com/static/mvc.pdf (More Vulnerable Code).
It goes without saying that it would be a bit unwise to test the URLs
mentioned in the talk.
my 2 cents
On Oct 6, 2006, at 11:35 AM, Tom Schindl wrote:
See this:
http://www.stonehenge.com/merlyn/LinuxMag/col77.html
http://www.webmonkey.com/webmonkey/98/38/index2a_page8.html?tw=programming
Also look at the archives of last month for this thread:
Subject: Logging to a f
On Oct 6, 2006, at 10:35 AM, Clinton Gormley wrote:
I'm testing my current site for XSS vulnerabilities, and I came across
this one on:
http://ha.ckers.org/xss.html
well, not MP related but
if you let users embed flash / etc in profile pages, make sure you
strip object tags -- just use th
> That's part of it, but it's not a complete solution.
>
> That particular attack vector is called CSRF, cross-site request
> forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own
> site to launch the attack, but it can also be launched from any other
> web site where your users v
See this:
http://www.stonehenge.com/merlyn/LinuxMag/col77.html
http://www.webmonkey.com/webmonkey/98/38/index2a_page8.html?tw=programming
Tom
Anthony Gardner schrieb:
> Can s.o point me in the right direction (links or advice) about the best
> way to use a DB to record accesses to Apache?
>
> C
Can s.o point me in the right direction (links or advice) about the best way
to use a DB to record accesses to Apache? Can records be added to a DB at the
time of the request or is the only way to filter the access_log and then whack
them into a db?
CIA-Ants
> Users:
> * switch off Javascript (and any other active content)
> * avoid pages unusable without active content
>
> Developers:
> * always offer working alternatives to active content (page
> must be usable with no JS, no Java, no Flash (I won't talk
> about other client-side monst
Clinton Gormley wrote:
> How would you avoid this? Only take parameters from the
> POST data?
That's part of it, but it's not a complete solution.
That particular attack vector is called CSRF, cross-site request
forgeries. RSnake's XSS cheatsheet demonstrates using XSS on your own
site to launch
On Fri, Oct 06, 2006 at 04:35:22PM +0200, Clinton Gormley wrote:
> I'm testing my current site for XSS vulnerabilities, and I came across
> this one on:
>
> http://ha.ckers.org/xss.html
[...]
> Now this is an interesting one... How would you avoid th
I'm testing my current site for XSS vulnerabilities, and I came across
this one on:
http://ha.ckers.org/xss.html
IMG Embedded commands part II - this is more scary because there are
absolutely no identifiers that make it look suspicious other than it is
not hosted on