WebApp Sec mailing list archives
Re: IE cookie menagment and CSRF
From: Finite <wiretapped () gmail com>
Date: Sun, 22 Aug 2004 14:18:37 -0700
On Sat, 21 Aug 2004 22:10:10 +0200, lazy <lazy () gwsh gda pl> wrote:
> So if this schema is widely used, it is a flaw in the web page if it accepts important data as GET requests.
Actions executed by GET requests just need to verify the referrer as well as the session cookie. Some users (mostly running Opera) have disabled the sending of referrers, so if you want to accommodate them you'll need to use POSTs. Trusting GET requests without checking referrers is a recipe for disaster; Google for Friendster or Orkut and "xss" to read stories about how to write shoddy web apps.
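An added illustration of the check described in the reply above (not the poster's code and not from any project mentioned in the thread): a state-changing request is allowed only when it carries a valid session cookie and a Referer whose parsed hostname is exactly our own site. The host name, session store and sample requests are constructed for the example. It also shows why the comparison has to be on the parsed hostname rather than a substring match, and it fails closed when the Referer is absent, which is the case the reply says needs a POST-based flow instead.

```python
from urllib.parse import urlsplit

# Added example, not the list poster's code. Models the advice in the reply:
# a GET that performs an action must carry our session cookie AND a Referer
# whose host is our own site. All names and values below are constructed.

SITE_HOST = "app.example.test"          # constructed host we are protecting
VALID_SESSIONS = {"s3ss10n-abc"}        # constructed stand-in for a session store


def referer_host(headers):
    """Return the hostname from the Referer header, or None if absent/unparsable."""
    ref = headers.get("Referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def authorize_action(headers, cookies, site_host=SITE_HOST, sessions=VALID_SESSIONS):
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason). Both checks must pass: the session cookie says
    who the browser is logged in as; the Referer check says the request was
    initiated from one of our own pages rather than from a third-party page
    the victim happened to load.
    """
    if cookies.get("session") not in sessions:
        return False, "no valid session cookie"
    host = referer_host(headers)
    if host is None:
        # Referer suppressed (privacy setting, proxy) or malformed. We cannot
        # tell a legitimate click from a forged one, so fail closed; such
        # users need a POST-based flow instead of a GET link.
        return False, "missing or unparsable Referer"
    # Compare the parsed hostname exactly. A substring or prefix test would
    # accept "app.example.test.evil.test" or "http://evil.test/app.example.test".
    if host.lower() != site_host.lower():
        return False, "cross-site Referer: %s" % host
    return True, "ok"


# Constructed sample requests (headers, cookies) covering each branch.
SAMPLES = {
    "same-site link":     ({"Referer": "https://app.example.test/profile"}, {"session": "s3ss10n-abc"}),
    "hostile page":       ({"Referer": "http://evil.test/page.html"}, {"session": "s3ss10n-abc"}),
    "referer suppressed": ({}, {"session": "s3ss10n-abc"}),
    "lookalike host":     ({"Referer": "http://app.example.test.evil.test/"}, {"session": "s3ss10n-abc"}),
    "host in path":       ({"Referer": "http://evil.test/app.example.test/"}, {"session": "s3ss10n-abc"}),
    "no session":         ({"Referer": "https://app.example.test/"}, {}),
}


def run_samples():
    """Return {label: allowed} for each constructed sample request."""
    return {label: authorize_action(h, c)[0] for label, (h, c) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (h, c) in SAMPLES.items():
        print("%-20s -> %s" % (label, authorize_action(h, c)))
```

Only the "same-site link" sample is allowed; the lookalike and host-in-path cases are exactly the ones a naive `site_host in referer` test would wave through.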