Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

Current Page: 1 of 1
Results 1 - 5 of 5
6 years ago
Tentacle
I guess if the application is immune to XSS, then there is no risk of injecting a spoofed confirmator that would quietly execute the request and confirm it behind the user's back. What I am really worried about is if this can be done cross-domain? If the user surfs to a malicious site, can that site somehow execute a cross-domain ajax request and do basically the same?
Forum: CSRF and Session Info
6 years ago
Tentacle
In order to protect against CSRF, I've made a very simple protocol. All interfaces (actions on certain URIs) that need protection have to be POST and called via AJAX. The system is fairly simple. The web application sends an AJAX command to the server to perform whatever the user wanted. The server invents a random token and returns it to the AJAX application, requesting confirmation (the response contains
Forum: CSRF and Session Info
6 years ago
Tentacle
Thanks for your answers. The reason I ask is pretty trivial. I wanted to avoid users sending plaintext passwords over the net for a particular form that requires them to resupply the password. The best thing to do would be to use HTTPS, but in situations where this would not be possible, I thought maybe hashing the user password on the client side is a better idea, like sending back the salt, comp
Forum: News and Links
6 years ago
Tentacle
I was looking for some info to find out whether knowing the salt of a salted SHA1 hash can facilitate its cracking, and I encountered this: www.freerainbowtables.com All I can say is, wtf?! So I thought I would share it with you... (meanwhile, does anyone know if knowing the salt facilitates cracking of SHA1? Yeah, I'm a newb when it comes to cryptography)
Forum: News and Links
6 years ago
Tentacle
Howdy!
Just wanted to drop in and say hi! I've always been interested in webappsec, so I'm not a newbie to the subject, but since there is so much to learn about it and new things are invented constantly, on both fronts, I really could benefit from picking your brains a bit. Anyways, be seeing ya around. ;)
Forum: Intro