Security Basics mailing list archives
ratproxy issues again
From: Andre Rodrigues <acastanheira2001 () yahoo com br>
Date: Fri, 12 Jun 2009 05:12:22 -0700 (PDT)
Hi folks,

I'm back with a ratproxy issue. I've tested my app and it shows the following HIGH risks:

1- POST query with no XSRF protection - Parameter-accepting POST requests that lack security tokens. Some POST requests change application state, and may be vulnerable to cross-site request forgery attacks.

2- Bad caching header - Pages that set cookies or require authentication, but have HTTP headers that may, in some scenarios, lead to proxy-level document caching. Depending on runtime settings, this may also include subtle HTTP/1.1 and HTTP/1.0 intent mismatches (such as Cache-Control: private with no Expires header).

I need to explain what these risks are and how to circumvent them to the IT guys. Any ideas appreciated.

Thanks,
André
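The two ratproxy findings quoted in the post map to two concrete fixes: a state-changing POST must carry a per-session secret token that the server verifies before acting, and any response that sets a cookie or requires login must carry caching headers that keep shared proxies (HTTP/1.1 and HTTP/1.0 alike) from storing it. The following is an added example written for this archive page; it is not ratproxy's code and not the poster's application. The session and form objects are plain dicts standing in for a real framework's request/session (an assumption), the form field name csrf_token is made up for the example, and the header checker only inspects the two header names exactly as spelled here.

```python
"""Added example: CSRF-token enforcement and cache headers for
authenticated pages. Not ratproxy's code; the session/form dicts are
simplified stand-ins (assumption) so everything runs offline."""
import hmac
import secrets
from typing import Dict, List, Tuple

# Hidden form field carrying the anti-CSRF token (name is an assumption).
TOKEN_FIELD = "csrf_token"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Return the session's anti-CSRF token, creating it on first use.

    The token is unguessable (secrets module) and lives only in the
    server-side session, so a page on another origin that forges a POST
    cannot supply it."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: Dict[str, str], action: str) -> str:
    """Render a state-changing form with the token as a hidden field."""
    token = issue_csrf_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
        '<input type="text" name="email"><button>Save</button></form>'
    )


def csrf_ok(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """True only if the submitted token matches the session's token.

    compare_digest avoids leaking the token through timing differences."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def private_cache_headers() -> Dict[str, str]:
    """Headers for responses that set cookies or require authentication.

    no-store covers HTTP/1.1 caches; Pragma and Expires cover HTTP/1.0
    proxies, which is the 'Cache-Control: private with no Expires'
    mismatch ratproxy reports."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def check_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Flag caching problems of the kind ratproxy's finding describes."""
    raw = headers.get("Cache-Control", "")
    directives = {d.strip().lower() for d in raw.split(",") if d.strip()}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
    if "private" in directives and "Expires" not in headers:
        findings.append("Cache-Control: private without Expires (HTTP/1.0 intent mismatch)")
    if not directives and "Expires" not in headers:
        findings.append("no caching directives at all")
    return findings


def handle_change_email_vulnerable(session: Dict[str, str],
                                   form: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """The 'before' case: changes state on any POST, with a weak header set."""
    session["email"] = form.get("email", "")
    return 200, {"Cache-Control": "private"}, "email updated"


def handle_change_email(session: Dict[str, str],
                        form: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Hardened handler: verify the token before touching state, and
    return headers that keep the response out of shared caches."""
    headers = private_cache_headers()
    if not csrf_ok(session, form):
        return 403, headers, "rejected: missing or wrong CSRF token"
    session["email"] = form.get("email", "")
    return 200, headers, "email updated"


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    html = render_form(sess, "/account/email")
    forged = {"email": "attacker@example.test"}  # constructed cross-site POST
    print(handle_change_email(sess, forged))
    genuine = {"email": "me@example.test", TOKEN_FIELD: sess[TOKEN_FIELD]}
    print(handle_change_email(sess, genuine))
    print(check_cache_headers({"Cache-Control": "private"}))
```

The vulnerable handler is what both findings look like in code: it accepts the forged POST and answers with Cache-Control: private and no Expires. The hardened handler is what to hand the IT side as the target state: token issued with the form, checked with a constant-time comparison on every state-changing POST, and a no-store header set plus the HTTP/1.0 companions on every authenticated response.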