Continuing from my previous post, I have decided to provide demos of many of the techniques discussed. These techniques won't make your site 100% secure, but they will help reduce the risk of attack. Remember that you still need to protect against XSS; these techniques will not stop your site from being attacked with XSS.
I created the following techniques whilst investigating OpenID security, and I found that many sites do not even employ a form token for site requests. The code is currently being developed, but I hope it provides a good base for improving the security of your site.
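As an added illustration of the form-token idea mentioned above (example code written for this post, not the author's own demo), here is a minimal per-session, per-form token in PHP. It assumes PHP 7 or later with sessions enabled; the function names and the form name `change-email` are illustrative.

```php
<?php
// Added example, not the post's own code: a per-session, per-form anti-CSRF token.
// Assumes PHP 7+ with sessions enabled; function and form names are illustrative.

session_start();

// Create (once per session) a random secret that never leaves the server.
function csrf_secret(): string {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

// Derive a token bound to a specific form name, so a token taken from one
// form cannot be replayed against another form on the same site.
function csrf_token(string $form): string {
    return hash_hmac('sha256', $form, csrf_secret());
}

// Validate a submitted token with a constant-time comparison.
function csrf_check(string $form, ?string $submitted): bool {
    if ($submitted === null) {
        return false;
    }
    return hash_equals(csrf_token($form), $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('change-email', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // ... handle the legitimate request here ...
}

// Embed the token in the form; escape it like any other output.
$token = htmlspecialchars(csrf_token('change-email'), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf" value="' . $token . '">'
   . '<input type="email" name="email">'
   . '<button type="submit">Change email</button>'
   . '</form>';
```

The token is only as secret as the page it is printed into: script running in the page can read it, which is why the post stresses that a form token reduces cross-site request risk but is no substitute for fixing XSS.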
Comments (3)

Source code to be released soon, any volunteers to test and improve it before release?
Posted 23 Aug 2007 at 11:08 am

Works fine in Firefox 2.0.0.6. Looking good overall.
I guess the JavaScript token is created inside the server and stored in the user session?
Posted 29 Aug 2007 at 9:13 am

Hi Alexander,
Yeah, the server generates a PHP token based on the same code the client generates using JavaScript. The source code is available for the JavaScript/PHP generation if you want to look at how it works:
http://www.thespanner.co.uk/2007/08/15/random-javascript-and-php-generation/
Posted 29 Aug 2007 at 9:25 am