[ OWASP - Montréal ] XSRF/CSRF testing difficulty level
philippe at gamache.com
Fri Nov 28 09:36:39 EST 2008
Sean Coates wrote:
> Please explain. ?
I know, but some very important actions (like delete) should always ask
for a confirmation. Because with JS, you can still get the normal form
within an iframe, get the token, and then do the attack.
And now, with clickjacking, you can still bypass the confirmation.
So, you need all the protections available:
Many of them can be bypassed, but it's more difficult without a direct attack.
So the only true real protection is: log out when changing site if you
are an admin, and all data uses versioning, so you can come back if
there was a problem. Versioning will not protect from SQL injection,
but if the DELETE command isn't accessible from the SQL user for the
app, it will help.
> There's a certain balance between "secure enough" and "driving my
> users crazy" (-:
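As an added illustration (this is not code from the thread or from OWASP Montréal; every name in it is hypothetical), here is how the layers discussed above fit together in one delete handler: per-session CSRF token, a separate confirmation step with a single-use nonce bound to the record, X-Frame-Options on the confirmation page against clickjacking, and a store that never issues a hard DELETE but flags the row and keeps versions so it can be restored.

```python
import hmac
import secrets

# Confirmation page must not be frameable, otherwise the click can be hijacked.
HEADERS = {"X-Frame-Options": "DENY"}


class Store:
    """Hypothetical store: no hard DELETE, rows are flagged and every state is versioned."""

    def __init__(self):
        self.rows = {}  # rid -> {"data": ..., "deleted": bool, "versions": [...]}

    def put(self, rid, data):
        row = self.rows.setdefault(rid, {"deleted": False, "versions": []})
        row["versions"].append(("put", data))
        row["data"] = data

    def soft_delete(self, rid):
        row = self.rows[rid]
        row["versions"].append(("delete", row["data"]))
        row["deleted"] = True

    def restore(self, rid):  # "come back if there was a problem"
        row = self.rows[rid]
        row["versions"].append(("restore", row["data"]))
        row["deleted"] = False


def new_session():
    # One CSRF token per session plus a map of single-use confirmation nonces.
    return {"csrf": secrets.token_urlsafe(32), "pending": {}}


def handle_delete(session, form, store):
    """Two-step delete handler (hypothetical). Returns (status, headers, body)."""
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, HEADERS, {}
    rid = form.get("id")
    if rid not in store.rows:
        return 404, HEADERS, {}
    if form.get("action") == "request":
        nonce = secrets.token_urlsafe(16)  # bound to this record, valid once
        session["pending"][nonce] = rid
        return 200, HEADERS, {"confirm": rid, "nonce": nonce}
    if form.get("action") == "confirm":
        if session["pending"].pop(form.get("nonce", ""), None) != rid:
            return 403, HEADERS, {}
        store.soft_delete(rid)
        return 200, HEADERS, {"deleted": rid}
    return 400, HEADERS, {}
```

A confirm request that skips the request step, reuses a nonce, or carries the wrong token is refused, and a deleted row is still recoverable through `restore`.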