CSRF Redirector at 2007-08-12 15:10:18
Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.
To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.
For example, the following IFrame exploits the Amazon vulnerability:
<iframe src="http://
Lessons from the LAMP generation - tilllate.com at 2007-08-12 15:10:17
Last night we were treated to Silvan and Stefan's whirlwind history of tilllate.com, delivered to a packed webtuesday - thanks to search.ch for hosting and apologies to those that got stuck out in the corridor - a search for bigger meeting spaces is in progress.
The talk - described here - translates (loosely) to “tilllate.com: From 0.1 to 30 Servers”:
With 100 million pageviews and 1 million visitors a month, tilllate.com is one of the biggest web platforms in Switzerland. The site currently comprises 60′000 lines of code and 430 database tables, served by a cluster of over 30 servers. Software and infrastructure is the responsibilit
Race Conditions, AJAX and Sessions at 2007-08-12 15:10:17
Via Jeff’s bookmarks, Race Conditions with Ajax and PHP Sessions by Andy “thwarted” Bakun is an outstanding analysis of a problem that’s come up before on this blog here.
In fact the title is almost misleading - the first half looks at “parallel processing” in Javascript with some valuable insight - i.e. you want to read this even if you’re not using PHP.
The second half explores building a custom PHP session handler (PHP’s default session handler does not suffer from race conditions but can become problematic the moment you start handling serious traffic), leading up to a very cunning strategy that allows y
Rise of the Robots at 2007-08-12 15:10:17
Quick factual / historical note regarding Anonymizing RFI Attacks Through Google which Stefan and Ilia both referenced today.
As far as I know the notion of “programming” legitimate 3rd-party web spiders to attack other sites was first raised back in 2001 by Michal Zalewski (also wikipedia) in Against the System: Rise of the Robots.
Not that I’m hunting hacker-cred - ran into it via his book Silence on the Wire (which is a great read BTW - ever thought about how those J
2007: The Year of OpenID (?) at 2007-08-12 15:10:17
A late but Happy New Year - recent silence related to starting new job at local.ch - more on that another time.
So let’s call this one the Year of OpenID - or at least the part up to March. OpenID is starting to gain traction as a solution to some (not all) online authentication problems.
While some good resources are starting to show up explaining how OpenID works, there’s a tendency towards either “here’s how to add to your blog - don’t ask difficult questions” or significant assumed knowledge. So it’s nice if you have someone around who can explain it directly, which is what happened last webtuesday, Cédric’s providing an