Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Is it a robust defense against CSRF to only check the referrer?
Posted by: joel
Date: September 21, 2009 04:49AM

Implementing an anti-CSRF token will be much more complex than only checking the referrer header.

Re: Is it a robust defense against CSRF to only check the referrer?
Posted by: hookits
Date: September 21, 2009 06:56AM

http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml

Re: Is it a robust defense against CSRF to only check the referrer?
Posted by: Anonymous User
Date: September 21, 2009 07:27AM

It's no robust defense - although this paper claiming it, too, is from 2005.

And yes - CSRF tokens are not easy to implement and don't cover all CSRF-related attacks. Double-submits, extended forms, etc.

Also, one XSS and all your CSRF protection is ashes - at least in most cases.

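The two positions in this thread (the first reply's "a token is more work than a referrer check" and the third reply's "the referrer check is not robust, and tokens have limits too") can be put side by side in code. The following is an added example written for this page, not code from any poster; it runs a few constructed requests through a referrer-only check and through a synchronizer-token check and returns each verdict. The origin `https://example.test`, the header dictionaries and the in-memory session are all constructed stand-ins for a real application's request and session objects.

```python
"""Constructed comparison of referrer checking and synchronizer tokens as CSRF defences."""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"  # constructed: the protected application's own origin


def same_origin(referer: Optional[str], site_origin: str = SITE_ORIGIN) -> bool:
    """True only when the Referer's scheme and host equal the site's own origin."""
    if not referer:
        return False
    ref, site = urlsplit(referer), urlsplit(site_origin)
    # Compare scheme and netloc, not a string prefix: "https://example.test.attacker.test" must fail.
    return (ref.scheme, ref.netloc) == (site.scheme, site.netloc)


def referer_check(headers: dict, allow_missing: bool = False) -> bool:
    """Referrer-only CSRF check.

    Browsers, proxies and privacy extensions may strip Referer, so a deployment has to
    choose: reject requests without it (locks those users out) or accept them
    (allow_missing=True), which turns the header into an optional hint rather than a control.
    """
    referer = headers.get("Referer")
    if referer is None:
        return allow_missing
    return same_origin(referer)


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: an unguessable per-session secret kept server-side and echoed in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def token_check(session: dict, form: dict) -> bool:
    """Accept the request only if the submitted token equals the one bound to this session."""
    expected, supplied = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def evaluate_scenarios() -> dict:
    """Run constructed requests through both checks and return the verdicts."""
    session = {}  # stands in for the server-side session of a logged-in user
    token = issue_csrf_token(session)

    legit_headers = {"Referer": "https://example.test/settings"}
    stripped_headers = {}  # same user, but a proxy or browser policy removed Referer
    cross_site_headers = {"Referer": "https://attacker.test/page"}
    lookalike_headers = {"Referer": "https://example.test.attacker.test/"}

    return {
        # Referrer check, strict mode: rejects forgeries, but also the legitimate user without a Referer.
        "referer_strict_legit": referer_check(legit_headers),
        "referer_strict_stripped": referer_check(stripped_headers),
        "referer_strict_cross_site": referer_check(cross_site_headers),
        "referer_strict_lookalike": referer_check(lookalike_headers),
        # Lenient mode keeps those users working, but any request that arrives without Referer passes.
        "referer_lenient_stripped": referer_check(stripped_headers, allow_missing=True),
        # Synchronizer token: independent of Referer, so the stripped-header user is fine ...
        "token_legit": token_check(session, {"csrf_token": token}),
        # ... and a cross-site form cannot supply a token it has never seen.
        "token_missing": token_check(session, {}),
        "token_guessed": token_check(session, {"csrf_token": secrets.token_urlsafe(32)}),
        # Limit noted in the thread: script running inside the page (XSS) can read the token
        # from the DOM and submit it, and the check has no way to tell that request apart.
        "token_read_by_injected_script": token_check(session, {"csrf_token": token}),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:32} {'accepted' if verdict else 'rejected'}")
```

The verdict table makes the trade-off concrete: the strict referrer check is only as good as the header's availability, the lenient variant accepts exactly the requests it should be suspicious of, and the token check is the stronger control yet still rests on the assumption that nothing running in the page can read the token.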