[Catalyst] Re: CSRF

Jonathan Rockway jon at jrock.us
Wed Oct 1 13:20:14 BST 2008


* On Wed, Oct 01 2008, Moritz Onken wrote:
> I imagine a case where the attacker's site opens an iframe to your
> site which exploits an XSS issue and can send the whole form
> information back to the attacker's site. He now has the HMAC and
> the random string.

I was under the impression that you could open an iframe to someone
else's site and manipulate it from JavaScript running on your own site,
without relying on any vulnerabilities on that site.  Maybe not?  Maybe
Flash can do this?  (Why do we even have iframes?  For serving ads?)

Anyway, Template::Refine is a great module for adding stuff to forms, in
the event that your form builder isn't already adding some sort of
unique token.  I actually use it to add the "name" field to all the
inputs; at some point I will just "encrypt" these like Seaside and many
other frameworks do.  You can then validate these with an ActionClass.

Regards,
Jonathan Rockway

--
print just => another => perl => hacker => if $,=$"
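The HMAC-plus-random-string token scheme the thread is discussing, written out as an added example (not code from the original post, from Template::Refine, or from Catalyst); it assumes a server-side secret loaded from config, a session id available to the action, and a POSIX /dev/urandom, and uses only core Perl modules.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret; assumed to come from config and never sent to the client.
my $SECRET = 'replace-with-a-long-random-secret-from-config';   # constructed value

# Cryptographically strong random bytes from the OS (assumes /dev/urandom exists).
sub random_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, $nbytes;
    close $fh;
    return unpack 'H*', $buf;
}

# Token = nonce . ':' . HMAC(secret, session_id | nonce).
# Binding the MAC to the session id means a token lifted from one session
# does not validate in another; the nonce makes every form instance unique.
sub make_token {
    my ($session_id) = @_;
    my $nonce = random_hex(16);
    return $nonce . ':' . hmac_sha256_hex("$session_id|$nonce", $SECRET);
}

# Validation step for an ActionClass-style check on form submission.
sub token_ok {
    my ($session_id, $token) = @_;
    my ($nonce, $mac) = split /:/, ($token // ''), 2;
    return 0 unless defined $nonce && defined $mac;
    my $expected = hmac_sha256_hex("$session_id|$nonce", $SECRET);
    return 0 unless length $mac == length $expected;
    # Constant-time comparison: XOR every byte pair and accumulate the differences.
    my $diff = 0;
    $diff |= ord(substr $mac, $_, 1) ^ ord(substr $expected, $_, 1)
        for 0 .. length($mac) - 1;
    return $diff == 0;
}

# Demo with a constructed session id.
my $sid   = 'session-abc123';
my $token = make_token($sid);
print "token: $token\n";
print "same session validates:  ", (token_ok($sid, $token) ? "yes" : "no"), "\n";
print "other session validates: ", (token_ok('session-other', $token) ? "yes" : "no"), "\n";
```

As Moritz's message points out, this only stops cross-site requests that cannot read your page; script running inside your origin (an XSS bug) can read the token out of the form, so the token is no substitute for fixing the XSS.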
