PS-- Have you managed to get hired in an actual security position yet or are you running around San Francisco begging for scraps from our tables? <br><br>PPS-- Namedropping the head of a project you plagiarized from in your cover letter is not good policy. Especially in this industry. It's a smaller world than most, and now you're fucking blackballed buddy. You'll work as desktop support at FOX forever.
<br><br><div class="gmail_quote">On Dec 12, 2007 12:01 PM, Andrew A <<a href="mailto:gluttony@gmail.com">gluttony@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Actually, the suggested prevention tactic is to create a post variable in your form of type "hidden" with a securely generated one-time ticket that an attacker would not be able to scrape without performing an xmlhttp call, therefore signalling a (real) security problem with the app in question. Requiring the user to re-input their login credentials for every database write would be absolutely ridiculous from both a design and security perspective.
<br><br>But then again, you must know all this with your extensive experience in web app security and development.<div><div></div><div class="Wj3C7c"><br><br><div class="gmail_quote">On Dec 12, 2007 9:31 AM, Kristian Erik Hermansen <
<a href="mailto:kristian.hermansen@gmail.com" target="_blank">
kristian.hermansen@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>On Dec 12, 2007 3:20 AM,
<a href="mailto:ad@heapoverflow.com" target="_blank">ad@heapoverflow.com</a> <<a href="mailto:ad@heapoverflow.com" target="_blank">ad@heapoverflow.com</a>> wrote:<br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA1
<br>><br>> ridiculous advisories are generating ridiculous replies that's well
<br>> known and you figured it out.<br><br></div>The data is all there. So, the trick is how to utilize CSRF to<br>influence a large number of users to make requests which disrupt,<br>taint, or modify their accounts on popular services. In the example,
<br>I point the favicon.ico object as a 301 redirect to a GMail URI.<br>Since the favicon.ico object, for some reason, influences the account<br>even without revisiting the website again, the GMail account is again<br>influenced any time you click a tab. It is an interesting finding,
<br>and not one that I have heard ever publicly stated. Correct me if I<br>am wrong here, but why would the favicon.ico object be requested every<br>time you merely click on a tab? And does this only happen in FF, or<br>
IE as well? What other browsers exhibit this behavior and/or is it<br>supposed to be this way?<br><br>However, in addition to all this, CSRF is getting to be more<br>dangerous. Major sites are not protecting against a wide range of
<br>attacks. The suggested prevention tactic is to ask for a password<br>upon any account modifications. However, this does not always seem to<br>be implemented. Too, many requests can cause distress to a user which<br>
do not necessarily modify their accounts. For instance, it is<br>possible to taint the credibility of a remote user as well. Say you<br>could inject searches on Youtube for 'kiddie porn', or make Google<br>requests for 'how to murder your wife'. All of these are possible
<br>attacks, frightening, and how would they be prevented? This is<br>becoming a large issue, and why I wrote up the PoC for the specific<br>Google / GMail case. It is possible that these types of attacks could<br>perhaps be used to incriminate someone in court based on secondary
<br>evidence, if they were suspected of say, murdering their wife. The<br>user's search history on Google has been subpoenaed before, and<br>injecting requests into someone's search history is frightening and<br>
definitely needs to be addressed, don't you think? The worst part<br>about all of this is that there doesn't seem to be a viable solution<br>at the moment, which is why everyone should start thinking about the<br>
problems now. There are some great papers which describe a few<br>methods, but one demonstrating the implications is still missing...<br><div>--<br>Kristian Erik Hermansen<br>"I have no special talent. I am only passionately curious."
<br><br>_______________________________________________<br></div><div><div></div><div>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></div></div></blockquote></div><br>
</div></div></blockquote></div><br>
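The thread above argues over the right CSRF defense: Andrew A describes a hidden form field carrying a securely generated one-time ticket that a cross-site page cannot read, while the earlier message proposes re-prompting for the password on every account change. The following is an added, self-contained Python example (not code from any participant in the thread, and not from Google or GMail) showing the ticket approach end to end: the server issues an unguessable ticket into the form, a legitimate submission carries it back and consumes it, and a forged cross-site submission, a replayed ticket, or a guessed value is rejected. The `Session`, `render_form`, `handle_settings_post` and other names are hypothetical, and the session store is an in-memory stand-in for whatever the real application uses.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a server-side session: in a real app this is
# keyed by the session cookie, which the browser also sends on forged
# cross-site requests. That is exactly why the cookie alone cannot prove
# the user intended the request, and why a separate ticket is needed.
@dataclass
class Session:
    user: str
    csrf_tickets: set = field(default_factory=set)
    max_outstanding: int = 16  # bound memory if a user opens many forms


def issue_ticket(session: Session) -> str:
    """Mint a fresh one-time ticket for this session.

    secrets.token_urlsafe gives 256 bits from the OS CSPRNG, so an
    attacker's page cannot guess it, and same-origin policy stops that
    page from reading it out of the form.
    """
    if len(session.csrf_tickets) >= session.max_outstanding:
        # drop an arbitrary old ticket rather than grow without bound
        session.csrf_tickets.pop()
    ticket = secrets.token_urlsafe(32)
    session.csrf_tickets.add(ticket)
    return ticket


def render_form(session: Session) -> str:
    """Render the settings form with the hidden ticket field embedded."""
    ticket = issue_ticket(session)
    return (
        '<form method="post" action="/settings">'
        f'<input type="hidden" name="csrf_ticket" value="{ticket}">'
        '<input type="text" name="display_name">'
        '<input type="submit" value="Save">'
        '</form>'
    )


def consume_ticket(session: Session, submitted: str) -> bool:
    """Accept the ticket only if it was issued to this session, then burn it.

    Comparison is constant-time so the check leaks nothing about how many
    leading characters matched; the ticket is removed on success so a
    captured or replayed submission cannot be used twice.
    """
    if not submitted:
        return False
    sub = submitted.encode("utf-8")
    for ticket in list(session.csrf_tickets):
        if hmac.compare_digest(ticket.encode("utf-8"), sub):
            session.csrf_tickets.discard(ticket)
            return True
    return False


def handle_settings_post(session: Session, form: dict) -> tuple:
    """State-changing handler: refuse any write that lacks a valid ticket."""
    if not consume_ticket(session, form.get("csrf_ticket", "")):
        return (403, "rejected: missing, replayed or invalid CSRF ticket")
    new_name = form.get("display_name", "")
    return (200, f"display_name for {session.user} set to {new_name!r}")


def extract_ticket(html: str) -> str:
    """What the user's own browser does implicitly: submit the hidden field.

    A cross-site attacker page cannot run this step against the victim's
    form, because it cannot read a response from the target origin.
    """
    m = re.search(r'name="csrf_ticket" value="([^"]+)"', html)
    return m.group(1) if m else ""


if __name__ == "__main__":
    alice = Session("alice")
    page = render_form(alice)
    ticket = extract_ticket(page)
    # legitimate submission from the rendered form
    print(handle_settings_post(alice, {"csrf_ticket": ticket, "display_name": "A."}))
    # replay of the same ticket: already consumed
    print(handle_settings_post(alice, {"csrf_ticket": ticket, "display_name": "pwned"}))
    # forged cross-site auto-submitting form: cookie present, ticket absent
    print(handle_settings_post(alice, {"display_name": "pwned"}))
    # forged request with a guessed ticket value
    print(handle_settings_post(alice, {"csrf_ticket": "A" * 43, "display_name": "pwned"}))
```

The one-time property is what Andrew calls a "ticket": each rendered form gets its own value and it is invalidated on first use, so a user who opens the form twice must submit from the most recent copies, and a replay is refused. A per-session token that is not consumed is a common, weaker variant; the trade-off is usability versus replay resistance, and either way the value must come from a CSPRNG and be compared in constant time.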