TikiRobot!, Mai Tais and Blinky Lights, Ahoy!

Ownz0red by an img tag :(

posted by rajbot on October 22nd, 2006

Here is an interesting MeFi thread about Cross Site Request Forgery. It was taking a while for my brain to grok the attack until I came to this comment, in which poster embedded an image that pointed to a GET Web API instead of actually linking to a jpeg (CSRF link since removed). Everyone who read that comment while logged in had that comment marked as a favorite, since their browser happily called the GET url and passed their login information via cookie.

My first thought was that this would be an easy attack to avoid, but it’s crazy scary, unless maybe your web app doesn’t use cookies. Just switching to POST isn’t good enough.

Filed under: support · 1 Comment

No comments yet. Be the first.

Twittering

Commenting

shag on Rollicking robots: Here are some red hot rollicking robots in uncensored action. This stuff is everywhere now…
Joel on postcard from nipika (canada): What an amazing shot! I’m a huge fan of Nipika’s when I need an escape, you...
Timothy on Neck Stretches for a Happy Life: I am a 20 year old singer in NY. THANK YOU. these stretches rock. i was sooo tense
rajbot on Bflat Buddha Machine: Thanks Peter! noiZe vieW is wonderful! I’m happy that you were inspired to make all these...
Peter Heß on Bflat Buddha Machine: Thanks for making the Buddha machine. Today I released a derivative work of your machine to...
shag on Books: http://www.thenation .com/article/164766/ peoples-library-occu py-wall-street-lives
shag on Books: http://peopleslibrar y.wordpress.com/2011 /11/23/packed-press- conference-documents -ruins-of-over-3000- books/
may on Zara at the Archive: whoa, zara is sporting some grey hairs. you guys are definitely overworking her
shag on Books: “The NYPD seized the People’s Library again [the evening of the 17th].“
rajbot on Zara at the Archive: woof!
rajbot on Books: http://peopleslibrar y.wordpress.com/2011 /11/16/update-state- of-seized-library-it ems/
rajbot on Books: Last night the tronix crew huddled around the livestream and watched the NYPD and DSNY toss the entire...
shag on Option USB HSDPA modem, Orange Internet, and Debian Linux: Got the USB modem back again, but this time the SIM was...
may on Apple T-shirts and Memories: also I like the lime green one :D
may on Apple T-shirts and Memories: wow, that’s a lot of tshirts. I think the only geek tshirt I’ve kept is an old...
Mr Angry on Empirical entomology: Nice – are you sure it was not a biodegradable bag made from starch or similar –...
may on Old-Timey Web Fonts: ooh this is really neat. this is quite possibly the nicest web font browser I’ve seen!
may on The most ridiculous mountain biking video ever: that looks fun! (except for the parts that run along steep rocky drop...

Ownz0red by an img tag :(

No comments yet. Be the first.

Leave a reply

Commenting

Pineapple Peeps

Tags

Archives