[funsec] Cross Site Request Forgery ?

Florian Weimer fw at deneb.enyo.de
Sun Jan 8 10:03:15 CST 2006


* Gadi Evron:

> I haven't seen this discussed before, but that may just be me.

The problem has been known since 1997 at least, and has been described
in RFC 2109 (section 4.3.5).  But browser vendors have ignored the
problem.  Today, cross-site requests are at the heart of web-based
single-sign-on solutions, for example.  There is no way that these
things are going to be fixed on the browser side, I'm afraid.

> Can anyone suggest how vulnerable nowadays pages probably
> are/aren't?

"Everything is vulnerable" is a reasonable approximation.  Notable
exceptions are Serendipity (a blogging software, AFAIK they have made
some effort to fix it) and some German online banking sites (because
they require one-time passwords for all state-changing transactions).

The web application monoculture has its revenge, I'm afraid.

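The one-time-password approach the post credits the banking sites with, as an added Python example (not code from the post or from any site it names): a cookie-only transfer handler beside one that also demands a per-transaction token that only the genuine page ever receives. The session store, handler names and status codes are constructed for illustration.

```python
import hmac
import secrets

# Constructed session store for the demonstration: cookie value -> session state.
# The browser attaches the "sid-victim" cookie to every request for this site,
# whichever page caused the request (the RFC 2109 section 4.3.5 problem).
SESSIONS = {"sid-victim": {"user": "alice", "otp": None}}


def issue_transaction_token(cookie):
    """Hand the logged-in user a fresh one-time token for the next
    state-changing transaction (the role a per-transaction banking
    password plays).  A third-party page never sees this value."""
    token = secrets.token_hex(16)
    SESSIONS[cookie]["otp"] = token
    return token


def transfer_cookie_only(cookie, form):
    """Vulnerable handler: the session cookie is the only proof of intent,
    so a request forged from another site is indistinguishable from a
    genuine one.  Returns an HTTP-style status code."""
    if cookie not in SESSIONS:
        return 401
    return 200  # transfer performed


def transfer_with_one_time_token(cookie, form):
    """Hardened handler: the cookie still authenticates the session, but the
    transaction also needs the one-time token, which is consumed on use."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401
    expected = session["otp"]
    supplied = form.get("otp", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403  # missing, wrong, or already-used token
    session["otp"] = None  # one-time: a replay of the same token fails
    return 200


if __name__ == "__main__":
    # A request triggered from a third-party page carries the cookie but no token.
    print("cookie-only, cross-site:", transfer_cookie_only("sid-victim", {}))  # 200
    print("one-time token, cross-site:", transfer_with_one_time_token("sid-victim", {}))  # 403
    tok = issue_transaction_token("sid-victim")
    print("one-time token, genuine:", transfer_with_one_time_token("sid-victim", {"otp": tok}))  # 200
    print("one-time token, replay:", transfer_with_one_time_token("sid-victim", {"otp": tok}))  # 403
```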