|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Hanno Böck (hanno
hboeck.de)
Date: Wed Dec 10 2008 - 17:42:59 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Am Mittwoch 10 Dezember 2008 schrieb s.gottschalldd-wrt.com:
> in fact. just a plain POST to a authenticated dd-wrt session. without
> beeing logged in locally it would not have any effect
That's exactly the problem, as this POST can be triggered from a third-party
webpage via javascript.
You are familiar with Cross Site Request Forgery attacks? Wikipedia gives some
good introduction:
http://en.wikipedia.org/wiki/CSRF
All forms in web applications doing changes that require authentication need
some extra protection to prevent CSRF. Usually this is done by some random
token that may be created out of a random session value stored on the
application site combined with an id of the form. This has to be checked
before any action is executed.
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hannohboeck.de
http://www.jukss.de/ Jugemdumweltkongress, 27.12.-4.1.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEABECAAYFAklAVAMACgkQr2QksT29OyCdEACeIk/TOGySA+gImzHxe9iuDfqN
z9MAoJl1Kh3hYKtL82TNUbGlTZvprVGu
=M4L+
-----END PGP SIGNATURE-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]