[Owasp-leaders] Protecting Django apps from CSRF

Gregory Disney gregory.disney at owasp.org
Thu May 16 16:44:45 UTC 2013


javascript:document.cookie = "csrf_token=ID";
// read the value after "name=" (only correct when that cookie comes first)
cookieValue = decodeURIComponent(document.cookie.substring(name.length + 1));
crsftoken = document.cookie;
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "http://google.com/");
ifrm.style.width = 640 + "px";
ifrm.style.height = 480 + "px";
// String.prototype.link() wraps the cookie string in an <a href> tag
cookieValue = encodeURIComponent(document.cookie.link(ifrm));
document.body.appendChild(ifrm);
self = '_top';
target = '_top';

now with iframe attack


On Thu, May 16, 2013 at 12:06 PM, Gregory Disney
<gregory.disney at owasp.org> wrote:

> Issue with jQuery is it is simple to override by net console;
> javascript:document.cookie = "csrf_token=ID";
> cookieValue = decodeURIComponent(document.cookie.substring(name.length + 1));
> crsftoken = document.cookie;
>
>
> On Thu, May 16, 2013 at 11:53 AM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>
>> While I'm up to my ears with Python at Rackspace & with OpenStack, I've
>> not used Django for any of the code I've written recently - or actually
>> ever.
>>
>> I've got an app which is basically using the Django CSRF protection as
>> outlined here:
>> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
>> for both "normal" web forms as well as AJAX calls.
>>
>> I'm curious about anyone's experience with the Django CSRF protection,
>> how well it works and any "gotchas", weakness or other issues with Django's
>> CSRF protection.
>>
>> List or direct replies appreciated.
>>
>> Thanks in advance.
>>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>>
>
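The cookie-to-header pattern the Django CSRF docs linked above describe for AJAX calls, as an added example (not code from this thread or from Django itself); it assumes Django's default cookie name csrftoken and header name X-CSRFToken, and uses a constructed cookie string and the origin https://app.example for the stand-alone run. The token is only attached to unsafe, same-origin requests; a page on another origin cannot read the cookie, which is what the scheme relies on.

```javascript
// Added example: client-side helpers for Django's cookie-to-header CSRF
// scheme. Assumes Django defaults: cookie "csrftoken", header "X-CSRFToken".

// Parse one cookie out of a document.cookie-style string. Unlike
// substring(name.length + 1), this works wherever the cookie sits.
function getCookie(name, cookieString) {
  if (!cookieString) return null;
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Django only validates the token on state-changing methods.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// True when url resolves to the same origin as the page; the token must
// never be sent to a third-party host.
function sameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin === pageOrigin;
}

// Build the extra headers for an AJAX request: X-CSRFToken only when the
// request is unsafe and same-origin, otherwise nothing.
function csrfHeaders(method, url, cookieString, pageOrigin) {
  const headers = {};
  if (!csrfSafeMethod(method) && sameOrigin(url, pageOrigin)) {
    const token = getCookie('csrftoken', cookieString);
    if (token === null) throw new Error('csrftoken cookie missing');
    headers['X-CSRFToken'] = token;
  }
  return headers;
}

// Constructed sample cookie string (not a real session) for a stand-alone run.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=XYZ%2B789; theme=dark';
const PAGE_ORIGIN = 'https://app.example';
```

In a browser the cookie string would be document.cookie and pageOrigin would be window.location.origin, with csrfHeaders wired into the request's beforeSend hook.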