Web Application Security Forum - CSRF and Session Info Q and A on cross site request forgeries and breaking into sessions. Its one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... http://sla.ckers.org/forum/list.php?4 Wed, 22 May 2013 21:59:10 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?4,51751,51751#msg-51751 CSRF prevention - AJAX, CORS (3 replies) http://sla.ckers.org/forum/read.php?4,51751,51751#msg-51751
In this scenario the client and server are on different domains. The client uses AJAX to communicate with the server's API with the use of CORS.

My initial idea was this:

1. client sends request to server for token (give me a token!)
2. server checks origin (do we trust the client?)
3. replies with token if origin is trusted (yea, ok, send him a token)
4. client sends *real* (user initiated) request with token (add a user and here is my token)
5. server checks token and origin (is the token valid? is the client trusted?)

However, it seems to add no protection for CSRF if the origin header was removed. However, if we remove the token from the above and only rely on the origin header, this has been known to have issues too (https://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-exception-for-ajax-requests).

How would you prevent CSRF in this situation?

Thanks,
Ryan]]> ethicalhack3r CSRF and Session Info Fri, 17 May 2013 15:28:28 -0500 http://sla.ckers.org/forum/read.php?4,51075,51075#msg-51075 Explain CSRF (5 replies) http://sla.ckers.org/forum/read.php?4,51075,51075#msg-51075
I searched about CSRF attack,I watched many tutorial video ( all of them like each other).I can't understand the CSRF.
please guide me about CSRF.]]> mpour CSRF and Session Info Mon, 24 Sep 2012 09:06:13 -0500 http://sla.ckers.org/forum/read.php?4,42525,42525#msg-42525 formamil.pl javascript alert tag plus html alert tag within javascript tag (1 reply) http://sla.ckers.org/forum/read.php?4,42525,42525#msg-42525
http://apo rre alo s.com/cgi-sys/formmail.pl?recipient=martin@aporrealos.com&subject=1&redirect=javascript:alert%28123%29;alert%28document.write.value=%3Ch1%3EHello%20%3C/h1%3E%29;

notice URL encoding...

the original formmail javascript injection was

http://apo rr ealo s.com/cgi-sys/formmail.pl?recipient=martin@aporrealos.com&subject=1&redirect=javascript:alert(123);alert(document.write.value=<h1>Hello</h1>);

I used this in Firefox version 7,,,,, When i copied it here the message board system automatically encoded the tags and parenthesis.

after i injected the code i got a 302 error that looked like this:

Found

The document has moved here.
Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_fcgid/2.3.6 Phusion_Passenger/3.0.9 mod_bwlimited/1.4 Server at aporrealos.com Port 80

123 alert box popped up and later a Hello alert boxed popped up]]> johndoe CSRF and Session Info Mon, 06 Feb 2012 13:51:16 -0600 http://sla.ckers.org/forum/read.php?4,42461,42461#msg-42461 sslstrip why it works for me and not for gmail and rest? (3 replies) http://sla.ckers.org/forum/read.php?4,42461,42461#msg-42461
Does it means their ssl is secure and mine is not? Like the rogue ssl cert generated by sslstrip is caught and blocked by their ssl cert security and mine is like configured in a insecure mode?

WHAT i need to do to prevent my site from such attacks.Thanks]]> lazer CSRF and Session Info Wed, 25 Jan 2012 13:05:41 -0600 http://sla.ckers.org/forum/read.php?4,42181,42181#msg-42181 Twitter oauth tokens now what? (2 replies) http://sla.ckers.org/forum/read.php?4,42181,42181#msg-42181
so i have all this information.... now what?
cam i use it to get on there twitter accounts?]]> RonPaul CSRF and Session Info Thu, 19 Jan 2012 17:14:00 -0600 http://sla.ckers.org/forum/read.php?4,40243,40243#msg-40243 CSRF tokens (1 reply) http://sla.ckers.org/forum/read.php?4,40243,40243#msg-40243
I know to get rid of CSRF attack we have use the CSRF tokens, but not sure about the internal working of this. What I mean is where does these tokens get created and how the transfermatrion happens from client to server and when these are validated like that.

Can some one explain how the CSRF token implemenation works with pictorial represenation.


Thanks and Regards,
Srinivas]]> securitysrinivas CSRF and Session Info Tue, 03 Jan 2012 03:27:18 -0600 http://sla.ckers.org/forum/read.php?4,36926,36926#msg-36926 iframe form pushing (3 replies) http://sla.ckers.org/forum/read.php?4,36926,36926#msg-36926
After creating an iframe in jscript via the dom, how can I create a form to POST from and submit it? I'm just unsure on how to call the submit in the iframe, from jscript inside the iframe.]]> Kyran CSRF and Session Info Tue, 29 May 2012 10:12:51 -0500 http://sla.ckers.org/forum/read.php?4,36682,36682#msg-36682 How bypass CSRF protections (4 replies) http://sla.ckers.org/forum/read.php?4,36682,36682#msg-36682
How I can bypass CSRF protections without XSS bug.
I know about, session fixation and hijacking that through them I can to bypass the Token protection.

Any ideas?]]> the_master CSRF and Session Info Wed, 06 Jul 2011 15:16:08 -0500 http://sla.ckers.org/forum/read.php?4,36203,36203#msg-36203 forging subdomain referer headers (10 replies) http://sla.ckers.org/forum/read.php?4,36203,36203#msg-36203
I've found a site, let's call it asd.example.com where requests are blocked if the Referer header doesn't start with https://asd.example.com . However, I have XSS on anothersubdomain.example.com

Even a modern-ish flash-based solution would be better than nothing. asd.example.com has no crossdomain.xml, however.

edit/^updated info]]> Albino CSRF and Session Info Wed, 08 Jun 2011 22:03:49 -0500 http://sla.ckers.org/forum/read.php?4,35897,35897#msg-35897 Cpanel Password (no replies) http://sla.ckers.org/forum/read.php?4,35897,35897#msg-35897 There is a website in which I have uploaded a phpshell with user permission and this site contains cpanel v11 I can show all files in the site .. even the files in /home/site/ Directory and I can edit, remove, and add anything because I have user permission. Now, I wanna know the password of the cpanel to completely control this site, so where is the password of the cpanel is saved?
Thank u in advance]]> the_storm CSRF and Session Info Tue, 25 Jan 2011 21:16:19 -0600 http://sla.ckers.org/forum/read.php?4,35612,35612#msg-35612 Detecting CSRF with static analysis (13 replies) http://sla.ckers.org/forum/read.php?4,35612,35612#msg-35612
Im doing my master thesis at the moment in the field of static analysis. Currently Im trying to come up with ways to detect CSRF or potential CSRF. However, it seems to me that for CSRF it is inheretly impossible to detect it statically.

- Taint propagation does not work since there is nothing to taint
- Model checking is not possible
- pattern matching is implausible since there are infinite many ways to implement countermeasures against csrf

Im out of options, am i missing something or should I give up?

Any help is greatly appericiated.]]> database CSRF and Session Info Fri, 07 Jan 2011 19:54:01 -0600 http://sla.ckers.org/forum/read.php?4,35596,35596#msg-35596 Javascript SOP bypassing (1 reply) http://sla.ckers.org/forum/read.php?4,35596,35596#msg-35596
I'd like to work on new possibilities to bypass the same origin policy of Javascript. There has been a bug in safari before and it seemed to be pretty simple doing it this way. I'm sure there are working possibilities to break out of the SOP.

My vendors:

Mozilla Firefox
Microsoft IE 8
Google Chrome

Safari doesn't make much sense for me because I'm not a Mac user.

If anyone like to work on this together with me, feel free to say hello. If I got any vulnerabilities, I gonna post them.

Regards,

Jean Pascal Pereira]]> Jean Pascal Pereira CSRF and Session Info Sun, 19 Sep 2010 16:30:13 -0500 http://sla.ckers.org/forum/read.php?4,34598,34598#msg-34598 HTTP split / CRLF attack (no replies) http://sla.ckers.org/forum/read.php?4,34598,34598#msg-34598
There is a application developed in asp/.net that was vulnerable to http split attacks. There was a input parameter sent in GET requests that was used as part of the location reader on the redirect. So, we just inserted a CRLF and we could create fake headers.

They mitigated the problem, but I'm unsure if it's really a good mitigation.

Now, it only prints on the location header until it reach a CR or LF character, so I'm unable to add more headers.

However, if I add two CRLF in sequence I see the next headers are sent and interpreted by the browser as HTML (body contents).

The input also filters <, >, ' and ".

Also, all data that I insert on this field always generate a redirect (302 HTTP code) to another webpage.

Inserting stuff like

foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent- Length:%2019%0d%0a%0d%0a<html>test</html>

Doesn't work, I always get again the redirected page. Probable because this supposed headers are never sent as headers because of the input filter, if I add two CRLF they turn in body contents and appear as text.

XSS could be possible, but unhappily the filters of <, >, ' and " prevent me to exploit it. I could set the utf-7 on header and send encoded contents, but again I can't manipulate the headers.

Any idea if exploitation is possible?]]> rickm CSRF and Session Info Tue, 01 Jun 2010 10:49:17 -0500 http://sla.ckers.org/forum/read.php?4,34591,34591#msg-34591 alternatives to session fixation? (2 replies) http://sla.ckers.org/forum/read.php?4,34591,34591#msg-34591
I've got write access to cookies on a certain hypothetical application. I'm wondering if there are any attacks that can be used aside from session fixation, which isn't an option since the app generates a new session ID on login - if I change someone else's session ID to mine it just logs them in as me, which isn't terribly useful.

The contents of the cookie aren't reflected in the html anywhere I can find so I don't think XSS is an option. I'll report the vuln whether or not any major attacks can be launched with it, but a decent POC helps with getting taken seriously.

edit: It can be used for XSS by logging them into my account but the session ID has httponly set and I can't alter this so the XSS is essentially useless.]]> Albino CSRF and Session Info Mon, 28 Jun 2010 11:09:18 -0500 http://sla.ckers.org/forum/read.php?4,34490,34490#msg-34490 JSON help (2 replies) http://sla.ckers.org/forum/read.php?4,34490,34490#msg-34490
A web application is sending data in this format:

{"t":1,"p":1,"r":1,"rows":[{"i":0,"c":["n","H, C","A","5","T","n"]}]}

and i am using this code to get the JSON from my web site:

<script>
Object.prototype.__defineSetter__("t",function(obj){alert(1);for(var i in obj) {alert(i + '=' + obj);} });
</script>
<script defer="defer" src="http://XXX.XXX.XXX.X/main"/> // this points to the json
</script>

Is there anything wrong with the code or the format of JSON? I am using the following browsers to write the POC,

1. Firefox 3.6.3
2. IE 7.0.5730.13

Does these browsers allow setters/getters, please suggest a browser for running the PoC.]]> zatoichi CSRF and Session Info Tue, 18 May 2010 02:01:19 -0500 http://sla.ckers.org/forum/read.php?4,34472,34472#msg-34472 Authenticating a victim under an attacker's credentials (3 replies) http://sla.ckers.org/forum/read.php?4,34472,34472#msg-34472
The attack can be just a CSRF which submits the attackers credentials to log in the victim and then redirects them to the site. Many to most authentication schemes don't have nonces in the login form.

What attacks does this allow? I see a few:
1. Getting someone to enter info that only they know (data extraction). This could involve passwords, CC numbers, SSNs, Intellectual Property, and pretty much any other data or actions involved in the application.
2. Framing someone for hacking.
3. Taking advantage of someone else's hard work (taking surveys, entering raffles, etc).


I know that there is a big issue with the victim noticing that the system is treating them like a different user, but's lets ignore that.

What do your devious minds see?]]> clayfox CSRF and Session Info Fri, 14 May 2010 09:26:10 -0500 http://sla.ckers.org/forum/read.php?4,34117,34117#msg-34117 Can Referer be forged via CSRF over HTTP, or on recent browsers? (9 replies) http://sla.ckers.org/forum/read.php?4,34117,34117#msg-34117
1. If the site uses only SSL, are there any ways to bypass the Referer check? Can a Referer header be forged in a CSRF attack if all links are over HTTPS? (I know that a malicious client can send any headers it wants, but I'm talking about a CSRF attack scenario: the victim is using an ordinary browser to access a malicious website, which wants to trick the browser into visiting the target website using a forged Referer header.)

2. If user is using a recent browser, are there any ways to bypass the Referer check? I know that older versions of Flash allow spoofing Referer headers, but I'm not familiar with the current state of Referer header spoofing. Given the population of browsers out there today, are there exploits to spoof the Referer header? If not, how old a browser or how old a plugin would the user have to be using, to be vulnerable to CSRF attacks that spoof the Referer header? How many users use browsers/plugins that are that old?

Thanks for the information!]]> bimn CSRF and Session Info Thu, 29 Apr 2010 16:02:25 -0500 http://sla.ckers.org/forum/read.php?4,33893,33893#msg-33893 hacking ASP session state (2 replies) http://sla.ckers.org/forum/read.php?4,33893,33893#msg-33893
I'm doing a test against an IIS 6 box with session state enabled. Sessions are tracked completely server side by a url like such:

websitedotcom/(S(1ngoc045sslvlc45tazuhg45))/AppPages/address/changeaddress.aspx

or

websitedotcom//(S(j4nd2sjarzlj5ejved0irh2u))/apppages/changeaddress.aspx

So each time you visit the site, it's a new URL, also the session state tends to change during automated scans. Has anyone ran into this problem? Most automated tools break trying to scan or spider (Acunetix, Paros).


Any ideas on approach?]]> bflavor2 CSRF and Session Info Thu, 18 Mar 2010 21:45:04 -0500 http://sla.ckers.org/forum/read.php?4,33869,33869#msg-33869 javascript hijacking (17 replies) http://sla.ckers.org/forum/read.php?4,33869,33869#msg-33869
Everything I read about javascript hijacking seems to be out of date (or was always wrong). Everything is saying overwrite the Object or Array constructor, but the object and array constructors don't get executed for literal object/array syntax.

JSON: [["one","two],["a","b","c"]]

<script src="page_returning_json" />

This does NOT cause the Array constructor to execute, so overwriting it is useless. Has this exploit been solved by the browsers? Is there something I'm not getting?]]> clayfox CSRF and Session Info Tue, 23 Mar 2010 11:07:58 -0500 http://sla.ckers.org/forum/read.php?4,33717,33717#msg-33717 NTLMAps, Paros, Burp Breaking during NTLM authentication (no replies) http://sla.ckers.org/forum/read.php?4,33717,33717#msg-33717
The HTTP Header sent in response to a HTTP is request is :

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Www-Authenticate: Negotiate
Date: Thu, 04 Mar 2010 08:42:08 GMT

NTLMApp is generating this debug info:

*** Server 'Content-Length' found to be 0.
*** Authentication routine started.
*** Got Error 401 - "WWW authentication required".
*** Authentication methods allowed: Negotiate
*** Sent 483 bytes and have to roll back POST/PUT data transfer. (Client's buffer - 0 bytes)
Rollback Done. (Client's buffer - 483 bytes)
*** There are no supported authentication methods in the Web Server response.
*** Passing 401 to client.
*** Authentication routine finished.
*** Sending remote server response header to client...Done.
*** Sent 483 bytes to remote server. (all - 1)
*** Sent ALL the data from client to remote server. (Client buffer - 0 bytes)
*** Resetting client status...Done. (Client buffer - 0 bytes)
*** Resetting remote server status...Done. (Server buffer - 0 bytes)
*** Request completed.
*** Got remote server response header.
*** Remote server header:
=====
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 04 Mar 2010 08:42:08 GMT
Connection: close
Content-Length: 326

*** Exception getting http code from client_head_obj -- remote end closed connection??

Burp is also breaking because of this request?

I am guessing that the since the tag

Www-Authenticate: NTLM is missing, they tool is not able to identify the authentication mechanism.

Is this assumption correct, can anybody please help me in solving the problem?]]> zatoichi CSRF and Session Info Thu, 04 Mar 2010 23:47:45 -0600 http://sla.ckers.org/forum/read.php?4,33604,33604#msg-33604 Price input 'hack' (2 replies) http://sla.ckers.org/forum/read.php?4,33604,33604#msg-33604
Basically at one point data is sent to the server that includes a 'price' value and a 'price_hash' value. Now, if you mess with the price value you get the expected error due to the hash. However if you put through an order for £10 worth of goods, record the hash, restart, fill up with huge amounts of product then replace the new price and hash with the £10 ones....well, you can guess the rest.

What I was curious about was if it'd be possible for me to gather examples of prices and their associated hashes and brute force them to, for example, produce a hash for $0, or a negative value and have them invoice me negative amounts. :)

As you can gather, I'm not really that clued up on encryption (it's one of the things I instantly forget about after I'm done using it) so any advice is appreciated.

Cheers.

Input examples:

17.50 7C8E283FF7133E2E2872C63B8195F925
10.00 F943DC9D1234331A2069365038506EEB
30.00 E0AB069FC2D5529AD907E0A6D57EEC51
35.00 60ABFA6AC3CBAC82826D44F06E0F8A83
40.00 76595D0C6D3FEDE0CBD1F8ECA2EACDA9
45.00 02517D0681943C8819175EE33C9CA106
50.00 D0616CC0066BFE5DDB965FABA90F5038
55.00 1E08B86F83A4EBDCD4BC16906BD61A68


Edit: Apologies if this is the wrong forum, I wasn't sure where'd be best.]]> _Andy CSRF and Session Info Fri, 26 Feb 2010 03:02:19 -0600 http://sla.ckers.org/forum/read.php?4,33109,33109#msg-33109 anti-CSRF token implemented only in the cookie (5 replies) http://sla.ckers.org/forum/read.php?4,33109,33109#msg-33109
When they post data, they use javascript to get the anti-CSRF token from the cookie, and check the token in the background application between the post data and cookie data.

How do you think about this implemention?]]> joel CSRF and Session Info Fri, 29 Jan 2010 08:16:56 -0600 http://sla.ckers.org/forum/read.php?4,33036,33036#msg-33036 how i found a CSRF Bug ? (6 replies) http://sla.ckers.org/forum/read.php?4,33036,33036#msg-33036 i want to learn a CSRF,but i know it is.

but i dont know how is based..

thanks]]> the_master CSRF and Session Info Mon, 18 Jan 2010 09:25:14 -0600 http://sla.ckers.org/forum/read.php?4,32771,32771#msg-32771 Data encoding - crackable? (8 replies) http://sla.ckers.org/forum/read.php?4,32771,32771#msg-32771 I've been trying to decipher the cookie structure of a website and am hopeful some of you have more experience in this matter.

There is a certain passphrase in the website's cookie that allows the user to be logged in without explicitly entering any user data. The cookie comes with a lot of extra useless data, because I found that it's possible to reduce the complete cookie string to only the specific part and it would still work.
Now, I was able to find a different part of the cookie that is also stored on the website. Let's call this the input code "in".

What I'm interested in, is whether or not it's possible to find the ouput hash with help of the input code on the site's server. Below is a list of in&out combinations I have generated, that may help you to decide how or if it's possible to generate "out" from "in". 

in: 93335735519988197224117
out: b6e61a57b71e9e805af2de6d4f6aa5ab8bb53cfb

in: 26195435616488197224117
out: 440ea6883091823653dafb01520713d4d6fba522

in: 45411135623788197224117
out: b1a32caf51f12de9f3b0eb9c6a4ed797a292c066

in: 01935335659288197224117
out: 5f64da5e645f3367c4ba0311b2063471563b5b58

in: 34029335659488197224117
out: 3efac60e094404311c306a98caf4711bc7417048

in: 24941135659688197224117
out: d575dbba4c7634d877b0696d9db96ea85b24b11c

in: 24665335659888197224117
out: a4955c063cae03039511e932d29aa7308f0e9a3c

in: 48274935660088197224117
out: f6b73696395d44bc0ddd98db2cccc2e94b18f1c6

in: 54058135660288197224117
out: c5cd59f1639a0d943ca7e273e46ca8e933f89c1b

in: 64959135660488197224117
out: 77ec22260b4503c7591a7fa590a1a8633b874d99

in: 64955535660688197224117
out: d76d7501c66d6f7a4eb0798c86b5f60c25246059

in: 79520035661188197224117
out: faba8080c07b0ca455f2940a93d21ba0f51004e1

in: 06291335661488197224117
out: 0144a1df977226f993d67e89bb8ee11bf721316f

in: 39539235661688197224117
out: 8dc7099f26b942cc0c7fd9e2e257906b30166d08

in: 29120835661888197224117
out: a19f2d206fd154ac70e0994b803b1fe2569f99c1

in: 38387535662088197224117
out: 883c069b719a2b71a4c50fa28060a027b52a46b5

in: 47230635662288197224117
out: 3f8e958366dd48bab8ef34d1a7c7b05a3c418417

in: 69501335662488197224117
out: ee06c267ed970b36a24bd54c88a42e330c078788

in: 16766335666288197224117
out: 092d28d8786382785118b1b80c50465c62fb1c6e

in: 27683335666488197224117
out: dda146137769e62607b842e5a659e3d9f89e4127

in: 30534435666688197224117
out: 8c9230934d6797fae76850af74b34d3333949ffc

in: 18607535666888197224117
out: eaaf196f69e3d087bf54c19a6d9cd97cd3dd0e7f

in: 07154035667088197224117
out: 8a08a3631f531ab2b9c2c3ca7b193c3d96849473

in: 04457435667288197224117
out: ae49a2888c3a1445171b6d87dd95ba24ce21c22c

in: 33087635667488197224117
out: 91b55929d7a5f5cd35715dfbfc6d811b4043db11

in: 36115435667688197224117
out: b2179689e8c16df7229b24b6c145401f8b561159

in: 36958935667888197224117
out: d2dca1254b96c5be66c34892dca3897accea7e38

in: 44517835668088197224117
out: 531494e84e2336404a1ee9d473204c9843eb92f5

Thanks.]]> Perow CSRF and Session Info Sun, 31 Jan 2010 18:58:08 -0600 http://sla.ckers.org/forum/read.php?4,32660,32660#msg-32660 Firefox Multi-lined Address Phishing (6 replies) http://sla.ckers.org/forum/read.php?4,32660,32660#msg-32660
Key of this thing is that Firefox, when contains special URL in address bar, allows multi-lined URL.

I cannot just copy-paste special URL because it will be filtered.

So, try to do this:
1. Go to http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php#PEBzaXJkYXJja2NhdF90d2l0dGVyX2VuY18wPmFsZXJ0KCk8QC9zaXJkYXJja2NhdF90d2l0dGVyX2VuY18wPg%3D%3D and copy-paste the output.
2. Then go to any site / [output]. For example, www.google.com/[output}
3. Firefox will load normal URL in address bar.
4. Mouse over address bar and scroll down - you will see empty address bar.

I've tested this on Firefox 3.5.5 on Windows and not sure if this reproduces on Linux.

Maybe it's possible to make a special URL that would contain phishing URL on second line? However, it's weird thing.]]> p0deje CSRF and Session Info Fri, 15 Jan 2010 05:36:38 -0600 http://sla.ckers.org/forum/read.php?4,32658,32658#msg-32658 Respecting Host Headers (1 reply) http://sla.ckers.org/forum/read.php?4,32658,32658#msg-32658 marshmellow1328 CSRF and Session Info Thu, 03 Dec 2009 00:02:46 -0600 http://sla.ckers.org/forum/read.php?4,32444,32444#msg-32444 Decloaking an internal IP (3 replies) http://sla.ckers.org/forum/read.php?4,32444,32444#msg-32444 lat CSRF and Session Info Tue, 24 Nov 2009 09:12:40 -0600 http://sla.ckers.org/forum/read.php?4,31739,31739#msg-31739 Twitter Clickjacking protection (no replies) http://sla.ckers.org/forum/read.php?4,31739,31739#msg-31739
<script type="text/javascript">
if (window.top !== window.self) {
document.write = ""; // 1
window.top.location = window.self.location; //2
setTimeout(function(){document.body.innerHTML='';},1); // 3
window.self.onload=function(evt){document.body.innerHTML='';}; //4
}
</script>

This uses four separate methods to prevent clickjacking, and there's some that I don't fully understand.

Method 1 overwrites the 'document.write' method, but I'm not sure what this prevents
Method 2 is the basic framebusting technique.
Method 3 deletes the content of the page to prevent it being clicked. This is needed in case the framing page uses some sort of anti-framebusting technique (e.g http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/)
Method 4 deletes the content of the page once it has loaded - but I'm not sure why this is needed as well as method 3.

Does anyone have any ideas on why methods 1 and 4 are required?]]> stonedyak CSRF and Session Info Tue, 06 Oct 2009 10:06:49 -0500 http://sla.ckers.org/forum/read.php?4,31550,31550#msg-31550 Is it possible to bypass 127.0.0.1 referer check? (6 replies) http://sla.ckers.org/forum/read.php?4,31550,31550#msg-31550 The question is related to the fact that the only control the application does to prevent you from changing the admin password is checking if the string 127.0.0.1 is in the referer field.

Here's the php code.

if ( eregi ( "127.0.0.1", $_SERVER['HTTP_REFERER'] ) )
[...]


Thanks in advance]]> acemutha CSRF and Session Info Tue, 29 Sep 2009 05:21:46 -0500 http://sla.ckers.org/forum/read.php?4,31543,31543#msg-31543 Is that a robust defense to csrf by on check the referrer? (2 replies) http://sla.ckers.org/forum/read.php?4,31543,31543#msg-31543 joel CSRF and Session Info Mon, 21 Sep 2009 07:27:13 -0500