http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/ web application development with popular technologies Tue, 02 Dec 2008 07:13:38 +0000 http://wordpress.org/?v=2.0.5 http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-71707 Wed, 17 Oct 2007 11:39:43 +0000 http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-71707 as a relative newbie to all of this, I have found this very interesting. So, excusing my ignorance, once the variables have been instantiated on the mail form, how would one verify this on submission? as a relative newbie to all of this, I have found this very interesting. So, excusing my ignorance, once the variables have been instantiated on the mail form, how would one verify this on submission?

]]> http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-2373 Mon, 26 Jun 2006 15:46:50 +0000 http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-2373 [...] Content restrictions was never designed to stop basic CSRF, unless you are talking about functions that could only be affected by JavaScript, which would inherantly be stopped.  Brian’s comment that this would not help with reflected JS should be innaccurate, as any JavaScript would be affected (part of the problem was that it could end up killing valid JS on the page, which was something we were attempting to overcome in our first iteration of the idea by wrapping the possible offending output in tags to be parsed out by the browser as safe content). [...] […] Content restrictions was never designed to stop basic CSRF, unless you are talking about functions that could only be affected by JavaScript, which would inherantly be stopped.  Brian’s comment that this would not help with reflected JS should be innaccurate, as any JavaScript would be affected (part of the problem was that it could end up killing valid JS on the page, which was something we were attempting to overcome in our first iteration of the idea by wrapping the possible offending output in tags to be parsed out by the browser as safe content). […]

]]> http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-1978 Sat, 17 Jun 2006 04:34:34 +0000 http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-1978 For those reading this article you might also want to read up on my post on mail-header injection, and another method spammers use to "hijack" your mail forms. For those reading this article you might also want to read up on my post on mail-header injection, and another method spammers use to “hijack” your mail forms.

]]> http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-1940 Fri, 16 Jun 2006 02:39:50 +0000 http://www.melbournechapter.net/wordpress/programming-languages/php/cman/2006/06/16/php-form-input-and-cross-site-attacks/#comment-1940 Also you might want to unset the formId from your session when it is sumitted to the server. Also you will want to consider a strategy for your token_timestamp, which you can now use to make forms expire. Also you might want to unset the formId from your session when it is sumitted to the server. Also you will want to consider a strategy for your token_timestamp, which you can now use to make forms expire.

]]>