The Cache: Technology Expert's Forum
Topic: CSRF - thought about how to protect yourself
nutballs
« on: February 03, 2008, 08:51:37 AM »

OK, CSRF is getting used a bit more, and I am trying to figure out how I can protect myself. The problem is when you go from one site to another while you are still logged into the prior site. Is there a Firefox plugin that will open a new tab each time you click a link that is not on the same site as you are currently on, as well as putting each tab into its own process so that sessions are not accessible from each tab?

Right now, when you use Firefox, tabs can all play together, since they are like named windows, just like using the target attribute in an href. That means you could log into a site like Gmail in one tab, and the other site in another tab can do evil things to your Gmail. If each tab were instead limited to talking to other tabs that have the same domain name, that would solve that problem. The other issue is that the session is still active when you continue on your way to new sites. A solution to that would be to force new domains into new tabs, and have that tab security working.

Anyone know if there is a plugin that can help with something like this?
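As an added illustration of the problem described in the post above (not code from the thread or from any forum member): the browser's cookie jar is shared by every tab, so a form that an attacker's page auto-submits to a site you are logged into arrives with your session cookie attached, and a handler that trusts the cookie alone acts on it. The second handler below shows the standard server-side fix, a per-session synchronizer token placed in the site's own forms and checked on every state-changing POST, plus an Origin check. The "bank.example" / "evil.example" sites, the session layout and the field names are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

SITE = "bank.example"      # assumed victim site (the "Gmail" of the post)
ATTACKER = "evil.example"  # assumed attacker site open in another tab


@dataclass
class Request:
    method: str
    host: str        # site the request is sent to
    origin: str      # site of the page that issued it (the Origin header a browser sets)
    cookies: dict    # cookies the browser attached for `host`
    form: dict       # submitted form fields


class Browser:
    """Cookie jar keyed by host. Any page, in any tab, that sends a request to a host gets
    that host's cookies attached: this is the 'tabs all play together' behaviour."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def request(self, from_site, to_host, form=None, method="POST"):
        return Request(method, to_host, from_site,
                       dict(self.jar.get(to_host, {})), dict(form or {}))


class Bank:
    """Toy server with session cookies. transfer_vulnerable trusts the cookie alone;
    transfer_hardened also requires a same-origin sender and a per-session token."""

    def __init__(self):
        self.sessions = {}                       # sid -> {"user": ..., "csrf": ...}
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, browser, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        browser.set_cookie(SITE, "sid", sid)

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def transfer_form(self, req):
        """Hidden fields a genuine bank.example page embeds. An attacker page cannot read
        them: the same-origin policy stops evil.example reading bank.example responses."""
        sess = self._session(req)
        return {"csrf_token": sess["csrf"]} if sess else {}

    def _move(self, src, dst, amount):
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_vulnerable(self, req):
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403
        self._move(sess["user"], req.form["to"], int(req.form["amount"]))
        return 200

    def transfer_hardened(self, req):
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 403
        if req.origin != SITE:                            # check 1: cross-site sender
            return 403
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf"]):  # check 2: token bound to session
            return 403
        self._move(sess["user"], req.form["to"], int(req.form["amount"]))
        return 200


def forged_transfer(hardened):
    """Tab 1: alice is logged into bank.example. Tab 2: evil.example auto-submits a transfer
    form to bank.example; the browser attaches alice's cookie. Returns (status, alice, mallory)."""
    browser, bank = Browser(), Bank()
    bank.login(browser, "alice")
    req = browser.request(ATTACKER, SITE, {"to": "mallory", "amount": "100"})
    handler = bank.transfer_hardened if hardened else bank.transfer_vulnerable
    status = handler(req)
    return status, bank.balances["alice"], bank.balances["mallory"]


def genuine_transfer(hardened):
    """Same transfer issued from a real bank.example page, which carries the hidden token."""
    browser, bank = Browser(), Bank()
    bank.login(browser, "alice")
    hidden = bank.transfer_form(browser.request(SITE, SITE, method="GET"))
    req = browser.request(SITE, SITE, {"to": "mallory", "amount": "10", **hidden})
    handler = bank.transfer_hardened if hardened else bank.transfer_vulnerable
    status = handler(req)
    return status, bank.balances["alice"], bank.balances["mallory"]


if __name__ == "__main__":
    print("forged, vulnerable handler:", forged_transfer(False))
    print("forged, hardened handler:  ", forged_transfer(True))
    print("genuine, hardened handler: ", genuine_transfer(True))
```

The forged request drains the account against the vulnerable handler and is refused by the hardened one, while a genuine submission still works because the site's own page supplied the token. The token check is the synchronizer-token pattern the OWASP PHP CSRF Guard page linked later in this thread is built around; the Origin check only helps with browsers that send that header, so the token is the check to rely on. The per-site process isolation the original post asks for later became a browser feature (Chrome's Site Isolation, Firefox's Fission), and SameSite cookie defaults now keep most cross-site POSTs from carrying the session cookie at all, but none of that removes the need for the server-side token.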
perkiset
« Reply #1 on: February 03, 2008, 10:59:08 AM »

Cripes, I hadn't even known about CSRF till you posted this... a quick lookup and a bit of a think leaves me a little concerned... particularly knowing some of the folks that you and I hang out with... ROFLMAO

The problem is similar to the exploits we've considered with XRPC - it relies on a fundamental piece of HTML that is obscured only by intention, not footprint. That's actually pretty creepy, man, and I have no idea immediately. Thanks for the heads up and I'll give it some slices as well.
nutballs
« Reply #2 on: February 03, 2008, 11:27:55 AM »

lol. Didn't know you were unaware... hmmm, what can I do here.... lol

It's a bit.... um.... terrifying.
perkiset
« Reply #3 on: February 03, 2008, 12:07:08 PM »

::pulls pants back up::

Awright awright, I'm on it now ROFLMAO
dink
« Reply #4 on: February 04, 2008, 01:54:46 AM »

I never fail to be amazed at what I'll find here. Like Perk, I never heard of CSRF before. Now I'm worried.

You probably already have read this, but just in case.....
http://www.owasp.org/index.php/PHP_CSRF_Guard (PHP CSRF Guard)

I suppose the only real answer is to take down all your websites and sell your computer.

**Now what was it that I came here to read??
JasonD
« Reply #5 on: February 04, 2008, 07:30:47 AM »

CSRF is a good thing.
perkiset
« Reply #6 on: February 04, 2008, 07:38:52 AM »

::Realizes JasonD knows where I browse and likes CSRF. Pisses self::