Comments on: JSCK demo update

By: Gareth Heyes

Gareth Heyes — Sun, 28 Oct 2007 10:59:56 +0000

I’ve patched it now, your POC should no longer work.

By: Gareth Heyes

Gareth Heyes — Sun, 28 Oct 2007 10:47:29 +0000

Bill excellent POC! Very clever, I completely missed that sort of attack

By: Bill Zeller

Bill Zeller — Sun, 28 Oct 2007 05:55:10 +0000

Hi,

This doesn’t seem to protect against CSRF attacks, since any website (including an attacker’s site), can include the Javascript file that will add a correct token to the links on the page. For example, the following page illustrates a successful CSRF attack against your demo:
http://www.from.bz/test/jsck.php

The page includes the jsck Javascript file and then adds the following Javascript:

var oldOnload = window.onload;
window.onload = function()
{
oldOnload();
window.location = document.links[0].href;

}

Best Regards,
Bill Zeller

By: Gareth Heyes

Gareth Heyes — Tue, 23 Oct 2007 07:27:14 +0000

Thanks Sky I will fix the error

By: sky

sky — Tue, 23 Oct 2007 03:05:40 +0000

yeah,THE ie IS NOT TESTED,JS HAS ERROR!

By: Marco Ramilli

Marco Ramilli — Mon, 22 Oct 2007 16:31:05 +0000

Sure! It work correctly on my server too.
@Alex && @Gareth
the jQuery pulgin could be a big deal, really good idea.

By: Gareth Heyes

Gareth Heyes — Mon, 22 Oct 2007 12:21:25 +0000

*fixed*

It now seems to work correctly on my server.

By: Gareth Heyes

Gareth Heyes — Mon, 22 Oct 2007 11:42:52 +0000

Good idea Alex, I shall consider doing that when I’ve fixed the bugs and released the final version.

By: Alex@Net

Alex@Net — Mon, 22 Oct 2007 11:36:25 +0000

Hello,

Do you have in a plan to write a something like a jQuery plugin for this functionality? If would be great to just $(’myForm’).protect();

Thanks,
Alex

By: Gareth Heyes

Gareth Heyes — Mon, 22 Oct 2007 11:12:16 +0000

Looks like I release code a little too early, damn the tokens aren’t working correctly on my server.