Vulnerability Development mailing list archives
Re: "tinyurl" url masking
From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Tue, 13 Sep 2005 21:27:40 +0800
> Which shows that Gmail (which I use to write this email) is badly designed, logout should be used via a POST only...
Well I prefer to use url/form "signing" for certain actions in some of my webapps.
Fake example:

http://somewhere.null/webapp?do=transfer&src=1234&dst=5678&amt=5551&sig=ac36d415b9fc2ffb68171185ef2bd7da

Where sig could be a crypto hash of: the parameters, the session cookie/id value (making replay harder) and a site secret. You could even add a salt if you want, or do more sophisticated stuff.
Of course, for high impact actions, you'd get a confirmation page - clicking yes submits the necessary confirmation keys/signatures to match some of the parameters sent.
In Gmail's defense, not protecting logout isn't so bad (you might disagree if you just composed a long message and haven't saved or sent it and somehow got logged out ;) ).
> I think that it would be easier to fix the issue in the browser, to have browsers not use cookies over a redirect? (thinking only at session related scenarios)
That would break a fair number of things, or make things fairly inconvenient. HTTP 302 redirects are a very common tool for webapps.
Many sites have the target page of a login form redirect to a subsequent page. This is to prevent a browser refresh from rePOSTing the credentials. Otherwise if you don't close the browser (yes I know ;) ), someone could click the browser back button till the page just after the login form, click refresh, and the browser will repost the login form values.
Regards, Link.
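The URL/form "signing" scheme sketched in the message above, written out as an added example (this is not code from the original post or from any webapp the author runs). It uses HMAC-SHA256, the standard keyed-hash construction, in place of a bare "crypto hash of parameters + session id + secret"; the site secret, the session id values and the parameter names are constructed for the example. The same `sign_params`/`verify_params` pair also covers the confirmation step: the confirmation page embeds the signed parameters as hidden form fields, and the handler that performs the action verifies the submitted form exactly as it would verify a query string.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl, urlsplit, urlunsplit

# Constructed secret for the example. In a real deployment load it from
# configuration or a secret store; never hard-code it.
SITE_SECRET = b"example-site-secret-not-for-production"

SIG_PARAM = "sig"


def _canonical(params: dict) -> str:
    """Deterministic encoding: sort by key so reordering parameters on the
    wire cannot change the string that was signed."""
    return urlencode(sorted((k, str(v)) for k, v in params.items()))


def compute_sig(params: dict, session_id: str, secret: bytes = SITE_SECRET) -> str:
    """HMAC-SHA256 over (len(session_id) || session_id || canonical params).

    Binding the session id means a captured or guessed URL is useless in any
    other session; the secret stops an attacker from minting signatures.
    The length prefix keeps the two fields from being ambiguously joined.
    """
    sid = session_id.encode()
    msg = len(sid).to_bytes(4, "big") + sid + _canonical(params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_params(params: dict, session_id: str) -> dict:
    """Return a copy of params with the signature added (used both for links
    and for the hidden fields of a confirmation form)."""
    if SIG_PARAM in params:
        raise ValueError("parameters already carry a signature")
    signed = dict(params)
    signed[SIG_PARAM] = compute_sig(params, session_id)
    return signed


def sign_url(base_url: str, params: dict, session_id: str) -> str:
    """Build a link like the one in the message: action parameters plus sig."""
    parts = urlsplit(base_url)
    return urlunsplit(parts._replace(query=urlencode(sign_params(params, session_id))))


def verify_params(params: dict, session_id: str) -> bool:
    """True only if sig is present and matches every other parameter for
    this session. Constant-time compare avoids leaking the correct sig byte
    by byte through timing."""
    presented = params.get(SIG_PARAM)
    if not presented:
        return False
    unsigned = {k: v for k, v in params.items() if k != SIG_PARAM}
    expected = compute_sig(unsigned, session_id)
    return hmac.compare_digest(expected, str(presented))


def verify_url(url: str, session_id: str) -> bool:
    """Verify the query string of a received URL. Duplicate keys are refused
    outright rather than guessing which copy the backend will use."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return False
    return verify_params(dict(pairs), session_id)


if __name__ == "__main__":
    action = {"do": "transfer", "src": "1234", "dst": "5678", "amt": "5551"}
    link = sign_url("http://somewhere.null/webapp", action, "session-A")
    print(link)
    print("same session:", verify_url(link, "session-A"))      # True
    print("other session:", verify_url(link, "session-B"))     # False
    print("tampered amt:", verify_url(link.replace("amt=5551", "amt=9999"), "session-A"))  # False
```

A link carried through a redirect or a third-party URL shortener is still only honoured if the browser that follows it holds the session the signature was bound to, which is the property the message is after. Note that the scheme signs parameters, not intent: a signed link the victim's own session minted is still replayable within that session, so high-impact actions still want the confirmation step described above.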
Current thread:
- "tinyurl" url masking Lincoln Yeoh (Sep 12)
- Re: "tinyurl" url masking Laurian Gridinoc (Sep 13)
- Re: "tinyurl" url masking Lincoln Yeoh (Sep 13)
- Re: "tinyurl" url masking Laurian Gridinoc (Sep 13)