PEAK XOOPS - Re: under the topic of against CSRF ... (2) 
TOP
>
Forum
>
Comments
>
News comment
>
Re: under the topic of against CSRF ... (2)
>
Re: under the topic of against CSRF ... (2)
Re: under the topic of against CSRF ... (2)
| Target | News |
| Subject | CSRF対策という名のもとに…2 |
| Summary | 昨日はPHP全般の話題でしたが、今回はXOOPSだけの話。それも、XOOPSだけに実装されていると思われる、簡易CSRF対策についてです。さすがにこれについては、情報も共有されているので今さら説明するまでもないのですが、DBレイヤーにおいて、POSTかつRefererが内部でなけれ... |
Re: under the topic of against CSRF ... (2)
msg# 1.1
- depth:
- 1
GIJOE
Posts: 4110
Posts: 4110
hi Skalpa.
Quote:It's quite natural.
XSS + CSRF combination attack is the most powerful one.
If the form has XSS, neither referer check nor ticket make any sense.
But there are many users "referer off" in the world.
Thus, I insist
- referer check off
- ticket check (with feature of repost) on
Of course, XSS/ScriptInsertion can't be allowed.
Anyway, this english topic is much shorter than my original topic in Japanese.
Though I know I have to translate whole of my opinion into English...
Quote:
don't forget CSRF starts with the assumption that Javascript code can be inserted
XSS + CSRF combination attack is the most powerful one.
If the form has XSS, neither referer check nor ticket make any sense.
But there are many users "referer off" in the world.
Thus, I insist
- referer check off
- ticket check (with feature of repost) on
Of course, XSS/ScriptInsertion can't be allowed.
Anyway, this english topic is much shorter than my original topic in Japanese.
Though I know I have to translate whole of my opinion into English...
Votes:1
Average:0.00
Posts tree
-
Re: under the topic of against CSRF ... (2)
(skalpa, 2006/6/1 8:38)
-
Re: under the topic of against CSRF ... (2)
(GIJOE, 2006/6/2 6:48)
-
Login