[Owasp-board] SpoC 007 payments

Jeff Williams jeff.williams at owasp.org
Wed Jul 11 01:47:20 UTC 2007

Unfortunately, I don't see how this can stop either CSRF or XSS.  This is an
authentication and integrity solution.

For it to work, the plugin must sign requests generated by IMG and IFRAME
tags - so they would be accepted by the server as properly signed requests
even if they came from malicious tags. Therefore CSRF is unaffected.  As for
XSS, the plugin doesn't restrict any posting, just signs it. So an XSS
attack would work just fine. Note that even XHR generated requests would
have to be signed in order for Ajax-based sites to work, so XSS payloads
should work fine.

--Jeff
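Jeff's point above, as an added example that is not part of the thread: a simulated signing plugin and server, with HMAC standing in for Enigform's OpenPGP signing (an assumption for the sake of a runnable sketch; Enigform's real request format is not reproduced). It shows that the signature check passes for a request the browser issues on another origin's behalf, and that only an origin-bound token distinguishes the two.

```python
"""Added illustration (not from the thread): a client-side signer that signs
every outgoing request also signs the ones another page makes the browser
issue, so signature checking alone cannot tell a CSRF request apart.
HMAC is a constructed stand-in for Enigform's OpenPGP signing."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SIGNING_KEY = b"constructed-user-key"      # stands in for the user's PGP key
CSRF_TOKEN = secrets.token_hex(16)         # known only to the site's own pages

@dataclass
class Request:
    origin: str      # page that caused the browser to send the request
    method: str
    path: str
    body: str
    headers: dict = field(default_factory=dict)

def _canonical(req: Request) -> bytes:
    return f"{req.method} {req.path}\n{req.body}".encode()

def browser_sign(req: Request) -> Request:
    """The plugin signs whatever the browser sends, regardless of origin."""
    req.headers["X-Signature"] = hmac.new(SIGNING_KEY, _canonical(req),
                                          hashlib.sha256).hexdigest()
    return req

def verify_signature(req: Request) -> bool:
    """Server check for authentication and integrity only."""
    expected = hmac.new(SIGNING_KEY, _canonical(req), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req.headers.get("X-Signature", ""))

def verify_with_csrf_token(req: Request) -> bool:
    """Signature plus a per-session token: the token is what stops CSRF."""
    return verify_signature(req) and req.headers.get("X-CSRF-Token") == CSRF_TOKEN

def legit_request() -> Request:
    """Form on the site's own page, which can embed the token."""
    return browser_sign(Request("https://bank.example", "POST", "/transfer",
                                "to=bob&amt=10", {"X-CSRF-Token": CSRF_TOKEN}))

def forged_request() -> Request:
    """Same request triggered by an IFRAME on another origin; signed anyway."""
    return browser_sign(Request("https://other.example", "POST", "/transfer",
                                "to=other&amt=10"))
```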

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Tuesday, July 10, 2007 8:50 PM
To: 'Dinis Cruz'; 'OWASP Board'
Cc: 'Paulo Coimbra'
Subject: Re: [Owasp-board] SpoC 007 payments

Ask Paulo to collect the paypal addresses for each SpoC participant and the
person's e-mail address and country they work in and send that all to me. I
then have to directly collect additional information from anyone who is in
the U.S.

-Dave

p.s. By the way, would this feature prevent CSRF attacks? What about XSS?

From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Friday, July 06, 2007 6:09 AM
To: OWASP Board
Cc: Paulo Coimbra
Subject: [Owasp-board] SpoC 007 payments

Dave,

What is your preferred workflow for the SpoC payments?

Paulo Coimbra is now on the case, so let him know what should be done, how
and when.

To test this system, let's try with the 1st 50% payment for the guy working
on the EnigForm:
http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Buanzo_-_Enigform:_Firefox_Addon_for_OpenPGP_signing_of_HTTP_requests

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org 
