<div dir="ltr"><div><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;white-space:pre-wrap">
javascript:document.cookie="csrf_token=ID";
cookieValue = decodeURIComponent(document.cookie.substring(name.length + 1));
crsftoken = document.cookie;</span><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap"><br></span></div><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap">ifrm = document.createElement("IFRAME");</span><br>
<span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap">ifrm.setAttribute("src", "http://google.com/");</span><div>
<span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap">ifrm.style.width = 640+"px";</span><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap"><br>
</span></div><div><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap">ifrm.style.height = 480+"px";</span><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap"><br>
</span></div><div><span style="color:rgb(0,0,0);font-family:'Times New Roman';font-size:medium;white-space:pre-wrap">cookieValue = encodeURIComponent(document.cookie.link(ifrm));</span><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap"><br>
</span></div><div style><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap">document.body.appendChild(ifrm);</span></div>
<div style><span style="color:rgb(0,0,0);font-family:'dejavu sans mono',monospace;font-size:11px;white-space:pre-wrap">self = '_top';</span></div><div style><font color="#000000" face="dejavu sans mono, monospace"><span style="font-size:11px;white-space:pre-wrap">target = '_top';</span></font></div>
<div style><font color="#000000" face="dejavu sans mono, monospace"><span style="font-size:11px;white-space:pre-wrap"><br></span></font></div><div style><font color="#000000" face="dejavu sans mono, monospace"><span style="font-size:11px;white-space:pre-wrap">now with iframe attack</span></font></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, May 16, 2013 at 12:06 PM, Gregory Disney <span dir="ltr"><<a href="mailto:gregory.disney@owasp.org" target="_blank">gregory.disney@owasp.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Issue with jQuery is it is simple to override by net console;
javascript:document.cookie="csrf_token=ID";
cookieValue = decodeURIComponent(document.cookie.substring(name.length + 1));
crsftoken = document.cookie;

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQEcBAEBAgAGBQJRlQP+AAoJEHJ6fv5JwWqhQZUH/jNY8aJmDYAdrel4L3GLi/mc
Q/NA5CuV/gLvQDk4XWZdQtYjny4tNJw9mVRB58ABqShEhx+it1gzHc9DboJIZhVw
XXwFTQ+SgJrGPH3ipbcVomBfw1Gy1XK1M6tu32zhVcnX4CMC/ABrxK/PrnaErOKk
fGY+rq8Mq0hmaBtLs1Gc6I0UvX/DLfwsuibcxmpfLjkGm5rQ+zjmCmgsI6PWITUg
PDSMOayxDj4TnsWNsbzdeZWW/AE67sA7ba887ruqy8exbFfM5M5LwRq9S8rw1x1A
peF5DpuZ1QUmHcN1yrCLQqgP9PqY1KRoVCGn5Iuu3uEOws4ymggclrgR4WmaQ9I=
=qhFq
-----END PGP SIGNATURE-----
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Thu, May 16, 2013 at 11:53 AM, Matt Tesauro <span dir="ltr"><<a href="mailto:matt.tesauro@owasp.org" target="_blank">matt.tesauro@owasp.org</a>></span> wrote:<br>

</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div>While I'm up to my ears with Python at Rackspace & with OpenStack, I've not used Django for any of the code I've written recently - or actually ever.</div>

<div><br></div><div>
I've got an app which is basically using the Django CSRF protection as outlined here:</div><div><a href="https://docs.djangoproject.com/en/dev/ref/contrib/csrf/" target="_blank">https://docs.djangoproject.com/en/dev/ref/contrib/csrf/</a><br>


</div><div>for both "normal" web forms as well as AJAX calls.</div><div><br></div><div>I'm curious about anyone's experience with the Django CSRF protection, how well it works and any "gotchas", weakness or other issues with Django's CSRF protection.</div>


<div><br></div><div>List or direct replies appreciated.</div><div><br></div><div>Thanks in advance.</div><br clear="all"><div>--<br>-- Matt Tesauro<br>OWASP WTE Project Lead<br><a href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project" target="_blank">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a><br>


<a href="http://AppSecLive.org" target="_blank">http://AppSecLive.org</a> - Community and Download site<div>OWASP OpenStack Security Project Lead<div><a href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project" target="_blank">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></div>


</div></div>
</div>
<br></div></div>_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
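Matt's question is about how the Django CSRF protection linked in his message behaves for ordinary forms and AJAX calls. The block below is an added example, not Django's code and not written by anyone in this thread: a stand-alone Python model of the double-submit check the middleware performs, using the cookie name (csrftoken), hidden form field (csrfmiddlewaretoken) and request header (X-CSRFToken) that the Django documentation specifies. It simplifies the real middleware (no Referer check for HTTPS, no token masking, no session-backed storage), and the scenario names and request dictionaries are constructed for illustration.

```python
import hmac
import secrets

COOKIE_NAME = "csrftoken"           # Django's default CSRF cookie name
FORM_FIELD = "csrfmiddlewaretoken"  # hidden field rendered by {% csrf_token %}
HEADER_NAME = "X-CSRFToken"         # header the Django docs have AJAX callers send
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def new_token() -> str:
    """Server-side token generation: an unguessable value set in the CSRF cookie."""
    return secrets.token_hex(16)


def csrf_check(method: str, cookies: dict, form: dict, headers: dict):
    """Simplified model of the middleware decision. Returns (accepted, reason).

    Safe methods are exempt. For anything else the token submitted in the form
    field or header must equal the value of the CSRF cookie. Because a page on
    another origin cannot read or set this site's cookies, a cross-site request
    carries the victim's cookie but cannot supply a matching field/header value.
    """
    if method in SAFE_METHODS:
        return True, "safe method"
    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    submitted = form.get(FORM_FIELD) or headers.get(HEADER_NAME)
    if not submitted:
        return False, "CSRF token missing"
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(cookie_token, submitted):
        return False, "CSRF token incorrect"
    return True, "ok"


def run_scenarios() -> dict:
    """Constructed requests covering the cases a reviewer would want to see."""
    tok = new_token()
    victim_cookies = {COOKIE_NAME: tok}
    return {
        # Plain GET: no token required.
        "get": csrf_check("GET", {}, {}, {}),
        # Same-origin HTML form: token in hidden field matches the cookie.
        "form_post": csrf_check("POST", victim_cookies, {FORM_FIELD: tok}, {}),
        # Same-origin AJAX: token read from the cookie and sent as a header.
        "ajax_post": csrf_check("POST", victim_cookies, {}, {HEADER_NAME: tok}),
        # Cross-site auto-submitting form: browser attaches the cookie, but the
        # attacker's page had no way to learn it, so the field is a guess.
        "cross_site_guess": csrf_check(
            "POST", victim_cookies, {FORM_FIELD: "0" * 32}, {}
        ),
        # Cross-site request that sends no token at all.
        "cross_site_no_token": csrf_check("POST", victim_cookies, {}, {}),
        # Request from a client that never received the cookie.
        "no_cookie": csrf_check("POST", {}, {FORM_FIELD: tok}, {}),
        # A user setting their own cookie and field to the same value in their
        # own browser passes: the check only proves the sender could set this
        # site's cookie, which is exactly what a cross-site page cannot do.
        "self_set_both": csrf_check("POST", {COOKIE_NAME: "ID"}, {FORM_FIELD: "ID"}, {}),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:20s} accepted={accepted!s:5s} {reason}")
```

The point the scenarios make is that the token does not have to be secret from the user who owns the session; it has to be unreadable from other origins, which is why the cookie and the submitted value are compared rather than the cookie alone being trusted.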