Full Disclosure mailing list archives

Re: Full-Disclosure Digest, Vol 34, Issue 31

From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Wed, 12 Dec 2007 23:41:57 -0800

On Dec 12, 2007 9:01 PM,  "Andrew A" <gluttony () gmail com> wrote:

Actually, the suggested prevention tactic is to create a post variable in
your form of type "hidden" with a securely generated one-time ticket that an
attacker would not be able to scrape without performing an xmlhttp call,
therefore signalling a (real) security problem with the app in question.
Requiring the user to re-input their login credentials for every database
write would be absolutely ridiculous from both a design and security
perspective.

But then again, you must know all this with your extensive experience in web
app security and development.


Yeah dude, we would call that a nonce.  Your definition is fine too though...
-- 
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Full-Disclosure Digest, Vol 34, Issue 31 Kristian Erik Hermansen (Dec 12)
- <Possible follow-ups>
- Re: Full-Disclosure Digest, Vol 34, Issue 31 Kristian Erik Hermansen (Dec 13)
  - Re: Full-Disclosure Digest, Vol 34, Issue 31 Andrew A (Dec 13)