Simon Willison’s Weblog

Django: Security fix released. The Django admin used to save partially-submitted forms if your session expired, and continue the submission when you logged in. It turns out that’s actually an unblockable CSRF exploit and is hence broken as designed, so it’s now been removed. Thanks Ed Eliot and other GCap colleagues for helping me flesh out the potential attack.

# 3rd September 2008, 12:14 am / csrf, django, security, exploit, edeliot, gcap

ratproxy. “A semi-automated, largely passive web application security audit tool”—watches you browse and highlights potential XSS, CSRF and other vulnerabilities in your application. Created by Michal Zalewski at Google.

# 3rd July 2008, 2:35 pm / ratproxy, proxy, michal-zalewski, google, security, testing, xss, csrf

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole.

# 15th May 2008, 8:06 am / jeremiahgrossman, flash, javascript, security, csrf, xss, crossdomainxml

CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable.

# 12th April 2008, 10:52 am / jeremiahgrossman, csrf, rsa, rsa2008, security

Major Update to Prism (via) Mozilla’s site-specific browser tool can now use separate profiles (and hence separate cookie jars) for each instance, making it an excellent tool for protecting yourself against CSRF vulnerabilities in the web applications you rely on.

# 10th March 2008, 2:03 pm / csrf, prism, mozilla, sitespecificbrowsers, cookies

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves.

# 26th December 2007, 12:16 pm / csrf, google, gmail, security, david-airey

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar.

# 25th October 2007, 7:56 am / greasekit, csrf, javascript, greasemonkey, cookies, safari, security, sitespecificbrowsers, webkit, xss, chris-messina

hasAccount. Stuart proposes a light-weight API for letting any site know if a user has an account (and is signed in) on another service. I wouldn’t want to deploy this without being confident that my CSRF protection was in order.

# 28th September 2007, 9:10 am / csrf, stuart-langridge, crossdomain, json, api, accounts

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks.

# 27th September 2007, 1:55 pm / webrunner, security, csrf, browsers, twitter, gmail, xulrunner, sitespecificbrowsers

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge.

# 27th September 2007, 10:29 am / gmail, security, google, csrf, vulnerability

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett.

# 18th July 2007, 7:45 am / chris-shiflett, csrf, security

Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago!

# 16th March 2007, 10:16 am / csrf, security, chris-shiflett, amazon

JSON is not as safe as people think it is. Joe Walker reminds us that even authenticated JSON served without a callback or variable assignment is vulnerable to CSRF in Firefox, thanks to that browser letting you redefine the Array constructor.

# 5th March 2007, 10:51 pm / joe-walker, json, csrf, security

Chapter 15: Other contributed sub-frameworks (djangobook.com). Includes detailed documentation of the powerful (but under-exposed) sites framework, flatpages and CSRF protection.

# 19th December 2006, 10:14 am / django-book, django, csrf

Cross-site request forgery (CSRF). Somehow this vulnerability is news to me.

# 6th May 2005, 11:07 pm / csrf, security