Security Basics mailing list archives

ratproxy issues again


From: Andre Rodrigues <acastanheira2001 () yahoo com br>
Date: Fri, 12 Jun 2009 05:12:22 -0700 (PDT)


Hi folks,

I'm back with a ratproxy issue.

I've tested my app and it shows the following HIGH risks:

1- POST query with no XSRF protection - Parameter-accepting POST requests that lack security tokens. Some POST requests change application state, and may be vulnerable to cross-site request forgery attacks.

2- Bad caching header - Pages that set cookies or require authentication, but have HTTP headers that may, in some scenarios, lead to proxy-level document caching. Depending on runtime settings, this may also include subtle HTTP/1.1 and HTTP/1.0 intent mismatches (such as Cache-Control: private with no Expires header).


I need to explain to the IT guys what these risks are and how to circumvent them.

Any ideas appreciated.

Thanks,
André
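As an added example (not part of the original post, and not ratproxy's own code), the following Python sketch shows both findings from the defender's side: a checker that reproduces the two conditions ratproxy describes over constructed response headers and form fields, beside the hardened headers and a synchronizer-token check that make the findings go away. The header values, the cookie name and the `csrf_token` field name are assumptions.

```python
import hmac
import secrets

# Constructed sample responses (not real ratproxy output). The first one is
# what the "bad caching header" finding looks like; the second is the fix.
WEAK_RESPONSE = {
    "Set-Cookie": "JSESSIONID=abc123; Path=/",   # session cookie -> sensitive page
    "Cache-Control": "private",                   # HTTP/1.1 only, no Expires
}

HARDENED_RESPONSE = {
    "Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly",
    "Cache-Control": "no-store, no-cache, must-revalidate",  # HTTP/1.1 caches
    "Pragma": "no-cache",                                     # HTTP/1.0 caches
    "Expires": "0",                                           # HTTP/1.0 caches
}


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cache_header_findings(headers, authenticated=False):
    """Mirror the 'bad caching header' check on one response.

    A response counts as sensitive when it sets a cookie or answers an
    authenticated request. Returns a list of human-readable findings
    (empty when the headers are fine).
    """
    findings = []
    sensitive = authenticated or _header(headers, "Set-Cookie") is not None
    cache_control = _header(headers, "Cache-Control") or ""
    directives = [d.strip().lower() for d in cache_control.split(",") if d.strip()]

    if sensitive and "no-store" not in directives:
        findings.append("sensitive response is cacheable: missing Cache-Control: no-store")
    # HTTP/1.0 proxies ignore Cache-Control, so 'private' alone does not stop them.
    if "private" in directives and _header(headers, "Expires") is None:
        findings.append("Cache-Control: private with no Expires header (HTTP/1.0 mismatch)")
    return findings


def issue_csrf_token():
    """Create a per-session token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token, submitted_token):
    """Constant-time comparison of the form token against the session token."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def post_findings(form_fields, session_token, token_field="csrf_token"):
    """Mirror the 'POST query with no XSRF protection' check on one POST.

    form_fields: dict of submitted parameters (constructed for the example).
    Only parameter-accepting POSTs are considered, as in the finding text.
    """
    if not form_fields:
        return []
    submitted = form_fields.get(token_field)
    if submitted is None:
        return ["parameter-accepting POST lacks a CSRF token field"]
    if not csrf_ok(session_token, submitted):
        return ["CSRF token does not match the session token"]
    return []


if __name__ == "__main__":
    token = issue_csrf_token()
    print("weak response:", cache_header_findings(WEAK_RESPONSE))
    print("hardened response:", cache_header_findings(HARDENED_RESPONSE))
    print("POST without token:", post_findings({"amount": "10"}, token))
    print("POST with token:", post_findings({"amount": "10", "csrf_token": token}, token))
```

The token check is the synchronizer-token pattern: the server issues an unguessable value per session, the form echoes it back in a field, and the handler rejects any state-changing POST whose field is missing or differs from the stored value. For the caching finding, the hardened headers speak to both HTTP/1.1 (`Cache-Control: no-store`) and HTTP/1.0 intermediaries (`Pragma` and `Expires`), which is what the "intent mismatch" wording refers to.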
