CookieSafe, NoScript and the protection Opera has against CSRF - this is a big mess.

NoScript might save you from some malicious POST requests.

CookieSafe is similar to the Opera protection, but it did not work in my Iceweasel; it only seemed to work in Firefox.

The Opera "Only send cookies to the site I visit" (which is badly named, because what it does is different) on the other hand protects you from embedded images doing CSRF, but not from a CSRF by submitting a form (by hand or JS).

So all these things do different things to protect you. We would need *all* three. Opera even says browser vendors are not responsible at all (I submitted a bug report), web developers are. But at the same time they do a "lightweight" protection.

So as long as even browser vendors are not sure what is necessary to avoid CSRF, the only thing left is to make your webapps safe and, as a customer, just be careful...

Well, I know that only a kind of token can protect you from CSRF. But checking for POST can make it harder, because now JavaScript has to be involved, or at least clicking on a submit button by hand. As I have JavaScript turned off on all unknown pages, the chance for CSRF is much lower (for sites that check for POST). Yes, again, that should not be the only protection...

The problem is that this attack is difficult to understand, and most web developers are happy that they managed to understand how to avoid SQLi and XSS. But CSRF has to be mentioned, so spread the word.
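An added example, not written by any of the commenters above, of what "only a kind of token can protect you" looks like on the server side: a constructed Python handler that first applies the "check for POST" the comment describes (which on its own only stops image- or link-triggered GET requests) and then verifies a per-session synchronizer token, which is what actually rejects a forged form post. The handler name, the dict standing in for the session, the form fields and the values are all assumptions made for this example.

```python
import hmac
import secrets

# Constructed example: a per-session synchronizer token checked on state-changing
# requests. The session is a plain dict standing in for a real server-side session.


def issue_token(session):
    """Create a random token, store it in the session and return it so the
    server can embed it in its own forms as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def render_form(session):
    """The legitimate form, served by the site itself: it carries the token.
    A page on another origin cannot read this response, so it cannot copy it."""
    token = issue_token(session)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><input type="submit"></form>'
    )


def verify_token(session, submitted):
    """True only if the submitted token equals the one stored for this session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # constant-time comparison so the check does not leak via timing
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, method, form):
    """Return ('ok', message) or ('denied', reason) for a state-changing request."""
    # Step 1, the "check for POST" from the comment: this alone already rejects
    # requests triggered by <img src=...> or a plain link, which are GETs.
    if method != "POST":
        return ("denied", "state change requires POST")
    # Step 2, the token: a form on another site can still POST here (with the
    # victim's cookies attached), but it cannot know the per-session token.
    if not verify_token(session, form.get("csrf_token")):
        return ("denied", "missing or invalid CSRF token")
    return ("ok", f"transferred {form['amount']} to {form['to']}")


if __name__ == "__main__":
    session = {}
    print(render_form(session))
    # constructed request bodies: the same fields with and without the token
    without_token = {"to": "someone-else", "amount": "1000"}
    print(handle_transfer(session, "GET", without_token))
    print(handle_transfer(session, "POST", without_token))
    with_token = dict(without_token, csrf_token=session["csrf_token"])
    print(handle_transfer(session, "POST", with_token))
```

Running it shows the three outcomes the comment is talking about: the GET is refused by the method check alone, the POST without a token is refused by the token check, and only the form the site itself rendered (token included) is accepted. Whether the victim has JavaScript enabled or not does not change the result, which is why the token, not the method check, is the actual protection.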
For example, I wrote a benchmark script for our website because I wanted to know how our code changes perform. Fortunately (or unfortunately) this tool got more popular, and I had to add more features, but I didn't really have the working time, so the new features were added quick and dirty. The script became unmaintainable. Oh well =)

That shows that you can do something really useful if you get the time for it from your boss. I have fun writing such tools because it's always like a little project where you do a technical concept and implement it yourself. You can write it quick and dirty, but you also have the chance to try out new tools and modules.