Comments on: CSRF chat http://www.thespanner.co.uk/2008/02/11/csrf-chat/ Javascript blog with messed up syntax inside Thu, 26 Jan 2012 01:38:34 +0000 hourly 1 By: aşk-ı memnu http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1422 aşk-ı memnu Tue, 20 Jan 2009 22:49:22 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1422 Thank you. good document. i add u favoritesites.. Thank you. good document. i add u favoritesites..

]]> By: Forex http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1348 Forex Sun, 02 Nov 2008 09:59:14 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1348 Thanks you. i look this ;) Thanks you. i look this ;)

]]> By: yakup http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1343 yakup Mon, 27 Oct 2008 23:49:23 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1343 Positive comment. thanks you. Positive comment. thanks you.

]]> By: blog http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1219 blog Fri, 09 May 2008 11:39:18 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1219 thanks you.. john :-) thanks you.. john :-)

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1130 Gareth Heyes Tue, 12 Feb 2008 10:10:42 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1130 The account has been deleted now, I can't be bothered setting up another one. I may change the POC to allow multiple chatrooms or if anyone wants to take the code and improve it then please do. The account has been deleted now, I can’t be bothered setting up another one. I may change the POC to allow multiple chatrooms or if anyone wants to take the code and improve it then please do.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1129 Gareth Heyes Mon, 11 Feb 2008 19:13:35 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1129 btw I'm not saying tokens themselves are useless but in this instance they are. To defend against this type of attack a simple framebreaker would help. btw I’m not saying tokens themselves are useless but in this instance they are. To defend against this type of attack a simple framebreaker would help.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1128 Gareth Heyes Mon, 11 Feb 2008 19:01:16 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1128 @chris The only requirement is central storage of data. This could be Wordpress blog, GMail account, delicious account, flickr account etc. You must also be able to read that data externally, in this case I used the delicious JSON functionality. Delicious contains a form token to prevent posting of new urls to an account, however I simply bypass this by asking the user to confirm the post. @chris

The only requirement is central storage of data. This could be WordPress blog, GMail account, delicious account, flickr account etc. You must also be able to read that data externally, in this case I used the delicious JSON functionality.

Delicious contains a form token to prevent posting of new urls to an account, however I simply bypass this by asking the user to confirm the post.

]]> By: Chris Shiflett http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1127 Chris Shiflett Mon, 11 Feb 2008 18:48:21 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1127 Very creative. :-) For my own clarification, and perhaps that of others, this technique requires the ability to manipulate the page, correct? An anti-CSRF token should be pretty strong unless there are lurking XSS problems, which I think we all agree is easier said than done. It's nice to be clear about where the risk lies. Thanks! Very creative. :-)

For my own clarification, and perhaps that of others, this technique requires the ability to manipulate the page, correct?

An anti-CSRF token should be pretty strong unless there are lurking XSS problems, which I think we all agree is easier said than done. It’s nice to be clear about where the risk lies.

Thanks!

]]> By: Gareth Heyes http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1126 Gareth Heyes Mon, 11 Feb 2008 14:07:37 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1126 Thanks John yeah you're right but it's all in the name of fun :) Thanks John yeah you’re right but it’s all in the name of fun :)

]]> By: John Ther http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1125 John Ther Mon, 11 Feb 2008 14:06:17 +0000 http://www.thespanner.co.uk/2008/02/11/csrf-chat/#comment-1125 Good stuff Gareth, good CSS Overlay demonstration. Although it's matter of time someone to change password and settings and other stuff for xsschat from delicious :) Good stuff Gareth, good CSS Overlay demonstration. Although it’s matter of time someone to change password and settings and other stuff for xsschat from delicious :)

]]>