Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 

4 years ago
Holyfield
@rvdh: Sorry, perhaps I should have specified that there are two releases (one Binary and one Source). Here's a direct link to the current source release: http://spf.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=31688 Regarding additional entropy within the HMAC, SPF does not attempt to generate entropy from the client. SPF is using the HMAC merely to verify that the data sent to the c
Forum: Projects
4 years ago
Holyfield
@Gareth: Yes, that attack sounds like it would work. The attacker would probably need to also create the links that they want to exploit with the click-jack too since it's not likely that by default the same forum page would have a one-click link to buying specific stocks. But provided that they had the ability to create a link on that page to their own site in the first place then this would l
Forum: Projects
4 years ago
Holyfield
First, let me start by re-iterating that all feedback received thus far is greatly appreciated – this is an excellent thread. In order to continue the conversation, I think we need to also clarify a few operational constraints that SPF is bound to: NOTE: These operational constraints are partly due to the ASP.NET HttpModule architecture and partly for purposes of SPF usability. I am happy
Forum: Projects
4 years ago
Holyfield
@Gareth: Including the source IP is only meant to prevent the token from being replayed from another machine (in the event that the token or SessionID are stolen or somehow brute-forced). This has no effect on preventing forged requests if there is a persistent XSS vulnerability in the target application. Persistent XSS is not an issue that SPF attempts to protect against by default. Regardi
Forum: Projects
4 years ago
Holyfield
@Matt -- Agreed. This is an optional configuration flag that can be set in web.config. I have also thought about loosening it to the first 3 octets of the Source IP only.
Forum: Projects
4 years ago
Holyfield
@rvdh - Thanks for testing...and sorry for the slow response (I guess I'm not getting email updates on this thread). As for the HttpRequestValidationException, I've intentionally left detailed errors enabled so that it is clear what exceptions get thrown by the Framework versus SPF. I assume the detailed error message was what you were referring to (and not an exploitable XSS vector)? Rega
Forum: Projects
4 years ago
Holyfield
@rsnake - Great, let me know if you get a chance to play around with it. And sorry for the confusion, I knew that might be an issue when I named it but liked the name anyways so I stuck with it :-).
Forum: Projects
5 years ago
Holyfield
Hey Folks, We have recently released a free IIS module written in C#, Secure Parameter Filter (or SPF for short), which aims to help protect web apps against parameter manipulation attacks. In doing so, the module also helps to prevent CSRF and reflected XSS by including an encrypted token with each request. SPF has been a project of ours for the last year, and just last week, we open sourc
Forum: Projects