nutballs

OK, CSRF is getting used a bit more, and I am trying to figure out how I can protect myself. The problem is when you go from 1 site to another, when you are still logged into the prior site. Is there a Firefox plugin that will open a new tab each time you click a link that is not on the same site as you are currently on, as well as putting each tab into its own process so that sessions are not accessible from each tab?

Right now, when you use Firefox, tabs can all play together, since they are like named windows, just like using the Target attribute in an HREF. That means you could log into a site like Gmail in 1 tab, and the other site in another tab can do evil things to your Gmail. If each tab was instead limited to talking to other tabs that have the same domain name, that would solve that problem. The other issue would be that the session is still active when you continue on your way to new sites. A solution to that would be to force new domains into new tabs, and have that tab security working.

Anyone know if there is a plugin that can help with something like this?

perkiset

Cripes, I hadn't even known about CSRF till you posted this ... a quick lookup and a bit of a think leaves me a little concerned... particularly knowing some of the folks that you and I hang out with...

The problem is similar to the exploits we've considered with XRPC - it relies on a fundamental piece of HTML that is obscured only by intention, not footprint. That's actually pretty creepy, man, and I have no idea immediately. Thanks for the heads up and I'll give it some slices as well.

nutballs

lol. Didn't know you were unaware... hmmm, what can I do here.... lol

It's a bit.... um.... terrifying.

perkiset

::pulls pants back up::

Awrightawright, I'm on it now

dink

I never fail to be amazed at what I'll find here. Like Perk, I never heard of CSRF before. Now I'm worried.

You probably already have read this, but just in case.....
http://www.owasp.org/index.php/PHP_CSRF_Guard (PHP CSRF Guard)

I suppose the only real answer is to take down all your websites and sell your computer.

**now what was it that I came here to read??
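
The server-side counterpart to the PHP CSRF Guard approach linked above, as an added example that is not part of this thread or of the OWASP project: a synchronizer token tied to the login session plus an Origin/Referer check, in Python. SITE_ORIGIN, the dict-shaped session/headers/form objects and the sample request values are constructed assumptions, not anything from the thread.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the origin of the site being protected (hypothetical).
SITE_ORIGIN = "https://example.test"


def issue_csrf_token(session):
    """Synchronizer token pattern: mint a random token, keep it server-side in the
    session, and embed the same value in each state-changing form. The cookie
    alone (which the browser sends automatically from any tab) is no longer
    enough to make the request succeed."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_origin(referer):
    """Reduce a Referer URL to its origin (scheme://host[:port]), or None."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def verify_csrf(session, headers, form):
    """Decide whether a POST may change state. Returns (accepted, reason).
    A forged request from another tab carries the victim's session cookie, so
    the session is valid; what it cannot carry is the token, and the browser
    labels it with a foreign Origin/Referer."""
    expected = session.get("csrf_token")
    if not expected:
        return False, "no token in session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token mismatch"
    # Defence in depth: browsers attach Origin (or at least Referer) to
    # cross-site POSTs; anything not from our own origin is refused.
    origin = headers.get("Origin") or referer_origin(headers.get("Referer"))
    if origin is None:
        return False, "no Origin/Referer"
    if origin != SITE_ORIGIN:
        return False, f"cross-site origin {origin}"
    return True, "ok"
```

A GET that changes state bypasses this entirely, so the check only helps once every state-changing action is moved to POST.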

JasonD

CSRF is a good thing

perkiset

::Realizes JasonD knows where I browse and likes CSRF. Pisses self::

