Simon Willison’s Weblog

Subscribe

Wednesday, 24th September 2008

Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped.

# 9:40 am / pdf, http, csrf, paypal, logincsrf, phishing, security, xrequestedby

Mark Zuckerberg speaking at FOWA. The Future of Web Apps Expo is just a few weeks away, and Mark Zuckerberg is the surprise keynote. I’m chairing the developer track again this year.

# 1:11 pm / events, carsonified, fowa, facebook, future-of-web-apps, mark-zuckerberg

Decorator to limit request rates to individual views. Neat piece of code for public facing web APIs written in Django. Update: some smart criticisms in the comments.

# 1:13 pm / django, decorators, apis, python, rate-limiting

csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs!

# 2:52 pm / projects, code, php, csrf, security, middleware, outputbuffering

Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is.

# 4:08 pm / dojox, dojo, javascript, security, sandboxing, adsafe, kriszyp, dojoxsecure, mashups

Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary.

# 10:18 pm / google, alf-eaton, security, csrf, logincsrf

html-whitelist (via) DeWitt Clinton’s web service wrapper aroud the html5lib HTML sanitiser, hosted on AppEngine.

# 11:54 pm / appengine, dewitt-clinton, sanitisation, html5, html5lib, security

freebase-suggest (via) A jQuery plugin that performs auto-completion against the Freebase JSONP API, and allows the results to be limited to specific categories or subsets.

# 11:58 pm / autocomplete, freebasesuggest, freebase, javascript, jquery, metadata, jsonp