20070116

[XC]SRF FAQ


CGI Security has released an FAQ on XSRF. Nothing that hasn't been said elsewhere, except that it originated in 1988 as a "Confused Deputy" problem. While it's mostly accurate, the XMLHttpRequest examples are misleading. Except for flaws in specific browser protection mechanisms, you can't make an XMLHttpRequest across domains, but nothing in that sample says that the fraudulent code would have to be hosted on the same site, which would mean the vulnerable site also has HTML Injection flaws.

The good news is that, incomplete as it is, their proposed solution seems to be the most popular one - request tokens.
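To make the request-token defense concrete, here is an added example (mine, not code from the FAQ or from this post): a minimal server-side handler that embeds a per-session token in its own forms and rejects any state-changing POST whose submitted token does not match the session's. The session store, the `start_session`, `render_form`, `handle_post` and `demo` names, and the dict-shaped request are all assumptions standing in for a real framework; the point shown is that a forged cross-site request carries the victim's session cookie but cannot carry a token the attacker never saw.

```python
import hmac
import secrets

# Constructed in-memory session store; a real application would use its
# framework's server-side session instead (assumption for this example).
SESSIONS = {}


def start_session():
    """Create a session and bind a fresh, unguessable request token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Value the server places in a hidden field of its own forms.

    Only a page served by this site can read it, so a page on another
    origin cannot copy it into a forged submission.
    """
    return SESSIONS[sid]["csrf_token"]


def handle_post(sid, form):
    """State-changing handler: the browser supplies sid automatically (cookie),
    so the session alone proves nothing; the token must match as well."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 403, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, "ok"


def demo():
    """Legitimate submission versus a forged cross-site one, same session."""
    sid = start_session()
    # The site's own form: the browser sends the cookie and the embedded token.
    legit = handle_post(sid, {"amount": "100", "csrf_token": render_form(sid)})
    # Forged form on another origin: the cookie still rides along, the token cannot.
    forged = handle_post(sid, {"amount": "100"})
    return legit[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

A token that is merely present is not enough; the check must compare it against a value tied to the session that the attacker's origin cannot read, which is why the token is generated server-side and only ever exposed in the site's own pages.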
