Bugtraq mailing list archives
Re: "ClientSideTrojan" bug
From: aclover () 1VALUE COM (Clover Andrew)
Date: Mon, 15 May 2000 10:25:51 +0200
David L. Nicol <david () KASEY UMKC EDU> suggested:
partial possible solutions to this problem are: 1: issue a one-time password in response to any request that will effect a change of any sort, and require return of the one-time password
Many web sites in effect already do something like this. A transaction ID is issued in a hidden control with any non-idempotent (POST-style) form. To succeed, the submitted form must include a valid transaction ID. On submission, the transaction ID is deleted in the database. This is done to avoid multiple submissions of the same form, but could also prevent malicious usage.

The trick is to tie the transaction ID to the authenticated user, so that one cannot gain a transaction ID as one user and direct another user to use it. By tying the request data to the authentication data, a malicious third party cannot exploit the latter to perform the former.

--
Andrew Clover
Technical Support
1VALUE.com AG
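The scheme Clover describes, as an added example that is not code from the original thread or from 1VALUE.com: a server-side store of single-use transaction IDs, each bound to the user it was issued to, with a small simulation of the attack the thread is about. The `TransactionTokenStore`, `render_transfer_form`, `handle_transfer_post` and `BALANCES` names and the "alice"/"mallory" accounts are hypothetical; the `bind_to_user=False` mode exists only to show what happens when the ID is single-use but not tied to the authenticated user.

```python
import hmac
import secrets
import time


class TransactionTokenStore:
    """Single-use transaction IDs, each bound to the user it was issued to.

    A token is removed the first time it is presented (so a form cannot be
    submitted twice) and is accepted only from the user it was issued to
    (so a token obtained by one user cannot be planted in a form that a
    different, logged-in user is tricked into submitting).
    """

    def __init__(self, ttl_seconds=600, bind_to_user=True):
        self._tokens = {}                    # token -> (owner, expiry)
        self._ttl = ttl_seconds
        self._bind_to_user = bind_to_user    # False: the weaker, unbound scheme

    def issue(self, owner):
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._tokens[token] = (owner, time.monotonic() + self._ttl)
        return token

    def consume(self, presenter, token):
        entry = self._tokens.pop(token, None)   # deleted on first presentation
        if entry is None:
            return False                         # unknown, or already used
        owner, expiry = entry
        if time.monotonic() > expiry:
            return False
        if not self._bind_to_user:
            return True
        # Constant-time comparison of the issuing user against the session user.
        return hmac.compare_digest(owner.encode(), presenter.encode())


# Hypothetical application state (constructed for the example).
BALANCES = {"alice": 100, "mallory": 5}


def render_transfer_form(store, session_user):
    """GET handler: render the form for the logged-in user with a hidden txid."""
    return {"txid": store.issue(session_user), "to": "", "amount": ""}


def handle_transfer_post(store, session_user, form):
    """POST handler: session_user comes from the session cookie, form is untrusted."""
    if not store.consume(session_user, form.get("txid", "")):
        return "rejected: bad or reused transaction ID"
    amount = int(form["amount"])
    if BALANCES[session_user] < amount:
        return "rejected: insufficient funds"
    BALANCES[session_user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return "ok"


def simulate(bind_to_user):
    """Mallory fetches a form as herself, then lures Alice into submitting it.

    Returns (result of the trojan submission, result of replaying it,
    Alice's balance afterwards).
    """
    BALANCES.update({"alice": 100, "mallory": 5})
    store = TransactionTokenStore(bind_to_user=bind_to_user)
    mallory_form = render_transfer_form(store, "mallory")    # token issued to mallory
    trojan = {"txid": mallory_form["txid"], "to": "mallory", "amount": "50"}
    # The trojan form is submitted from Alice's browser, carrying Alice's session.
    first = handle_transfer_post(store, "alice", trojan)
    replay = handle_transfer_post(store, "alice", trojan)     # same token again
    return first, replay, BALANCES["alice"]


if __name__ == "__main__":
    print("unbound tokens:   ", simulate(bind_to_user=False))
    print("user-bound tokens:", simulate(bind_to_user=True))
```

With unbound tokens the single-use check stops only the replay; the first trojan submission succeeds because the ID Mallory obtained is valid for anyone. With the ID tied to the issuing user, the store refuses it when Alice's session presents it, which is exactly the point of the post: the request data is bound to the authentication data.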
Current thread:
- Re: "ClientSideTrojan" bug Matthew J.Francis (May 11)
- <Possible follow-ups>
- Re: "ClientSideTrojan" bug Clover Andrew (May 15)