[ OWASP - Montréal ] XSFR/CSFR testing difficulty level

Philippe Gamache philippe at gamache.com
Fri Nov 28 09:36:39 EST 2008


Sean Coates wrote:
> Please explain. ?
>
I know, but some very important actions (like delete) should always ask 
for a confirmation.  Because with JS, you can still get the normal form 
within an iframe, and get the token, then do the attack.

And now, with clickjacking, you still can bypass the confirmation. 

So, you need all the protections available:
 - Token
 - Referer
 - Confirmation

Many of them can be bypassed, but it's more difficult without a direct attack.

So the only true real protection is: log out when changing site if you 
are an admin, and all data uses versioning, so you can come back if 
there was a problem.  Versioning will not protect from SQL injection, 
but if the DELETE command ain't accessible from the SQL user for the 
apps, it will help.
> There's a certain balance between "secure enough" and "driving my 
> users crazy" (-:
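The layered defences listed in the post (token, Referer check, confirmation), as an added example that is not part of the original message or of any OWASP project code: a small Python handler for a delete action that checks Origin/Referer against the site's own host, validates a session-bound CSRF token in constant time, and only performs the delete when a second request presents a one-time confirmation nonce issued by the first. It also sets anti-framing headers on every response, which is the usual mitigation for the clickjacking bypass the post mentions. The host name, the in-memory session store and the form field names are constructed assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment values, constructed for this example.
ALLOWED_HOST = "app.example.test"
SESSIONS = {}    # session id -> session state (stand-in for a real session store)
DELETED = []     # records which items were actually deleted

# Sent with every response so the page cannot be embedded in an attacker's frame.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def new_session():
    """Create a session with its own CSRF token; returns the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "pending": {}}
    return sid


def origin_allowed(headers):
    """Origin/Referer check: the request must come from our own host.
    A missing header is rejected for state-changing requests."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == ALLOWED_HOST


def token_valid(session, form):
    """Session-bound token check, compared in constant time."""
    return hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"])


def handle_delete(session_id, headers, form):
    """Handle POST /delete. Returns (status, body, response_headers).

    Step 1 (no 'confirm' field): issue a one-time nonce and ask the user to confirm.
    Step 2 ('confirm' present): delete only if the nonce matches the one issued
    for this item, so a single forged request cannot delete anything."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, {"error": "not authenticated"}, ANTI_FRAMING_HEADERS
    if not origin_allowed(headers):
        return 403, {"error": "cross-site request rejected"}, ANTI_FRAMING_HEADERS
    if not token_valid(session, form):
        return 403, {"error": "invalid CSRF token"}, ANTI_FRAMING_HEADERS

    item = form.get("item")
    if not item:
        return 400, {"error": "missing item"}, ANTI_FRAMING_HEADERS

    confirm = form.get("confirm")
    if confirm is None:
        nonce = secrets.token_urlsafe(16)
        session["pending"][item] = nonce
        return 200, {"confirm_required": item, "confirm": nonce}, ANTI_FRAMING_HEADERS

    expected = session["pending"].get(item)
    if expected is None or not hmac.compare_digest(confirm, expected):
        return 403, {"error": "invalid or stale confirmation"}, ANTI_FRAMING_HEADERS
    del session["pending"][item]          # nonce is single-use
    DELETED.append(item)
    return 200, {"deleted": item}, ANTI_FRAMING_HEADERS


if __name__ == "__main__":
    sid = new_session()
    tok = SESSIONS[sid]["csrf_token"]
    same_site = {"Origin": "https://app.example.test"}
    print(handle_delete(sid, {"Origin": "https://attacker.example"}, {"csrf_token": tok, "item": "42"})[:2])
    status, body, _ = handle_delete(sid, same_site, {"csrf_token": tok, "item": "42"})
    print(status, body)
    print(handle_delete(sid, same_site, {"csrf_token": tok, "item": "42", "confirm": body["confirm"]})[:2])
```

Each check is independent, so a request that passes one still has to pass the others; the confirmation nonce is what stops a forged request that happens to carry a valid token and a spoofed Referer from completing the delete on its own.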
