I say *most* because if you can snoop on the HTTP traffic, you theoretically could capture the in-plain-text CSRF token the server handed the user once one was generated for them (from being on a user account or reset-my-password page). An attacker could form a valid POST using the CSRF token just captured, and I think it would work.
--
Brian Bouterse
ITng Services
Not even validating that the IP is the same for each CSRF would solve the problem either, considering these two users are probably going to be in a coffee shop, behind a NAT.
One possible solution would be to have some kind of hardware attestation or browser attestation and tie session info to that. If anyone has any thoughts on how this could be done, please let me know.
Brian
On Mon, Oct 25, 2010 at 6:47 AM, cootetom <cootetom@gmail.com> wrote:
Hi, a Firefox extension was recently released to grab session ID cookies from a private network for popular sites like Facebook etc. You can read about it here: http://goo.gl/x4Z1
I was wondering how Django sits with this type of attack. I know there are the CSRF tokens; do they prevent this, though? I thought they were just for form posts?
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
--
Brian Bouterse
ITng Services
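A defender-side check for the exposure discussed in this thread, added here as an example and not code from the thread or from Django itself. The setting names are real Django settings (several are newer than the 2010 release being discussed); the audit() function and the two sample settings dicts are constructed for this example.

```python
"""Audit a Django settings dict for cookies that travel over plain HTTP.

If the session or CSRF cookie is ever sent over http://, a passive sniffer
on the same network (the attack discussed in the thread) gets both the
session and the CSRF token, so the form token alone is no defence.
"""

# (setting, Django default when absent, required value, why it matters)
# The defaults are Django's own; the explanations are this example's.
CHECKS = [
    ("SESSION_COOKIE_SECURE", False, True,
     "session cookie is sent over plain HTTP, so a passive sniffer can copy it"),
    ("CSRF_COOKIE_SECURE", False, True,
     "CSRF cookie is sent over plain HTTP, so the sniffer gets the token too"),
    ("SESSION_COOKIE_HTTPONLY", True, True,
     "session cookie readable by page scripts, widening exposure to XSS"),
    ("SECURE_SSL_REDIRECT", False, True,
     "plain-HTTP requests are served instead of redirected, so cookies still leak"),
]


def audit(settings: dict) -> list[tuple[str, str]]:
    """Return (setting, reason) pairs for every setting that leaves the session sniffable."""
    findings = []
    for name, default, wanted, why in CHECKS:
        if bool(settings.get(name, default)) != wanted:
            findings.append((name, why))
    # HSTS: without it a browser's first visit can still go out over http://.
    if int(settings.get("SECURE_HSTS_SECONDS", 0)) <= 0:
        findings.append(("SECURE_HSTS_SECONDS",
                         "no HSTS header, so browsers will still try http:// first"))
    return findings


# Constructed sample: a settings.py that never touches the cookie flags.
WEAK = {"SECRET_KEY": "x" * 50, "SESSION_COOKIE_AGE": 1209600}

# Constructed sample: the same site with every cookie bound to HTTPS.
HARDENED = {**WEAK,
            "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
            "SESSION_COOKIE_HTTPONLY": True, "SECURE_SSL_REDIRECT": True,
            "SECURE_HSTS_SECONDS": 31536000}

if __name__ == "__main__":
    for name, why in audit(WEAK):
        print(f"{name}: {why}")
    print("hardened findings:", audit(HARDENED))
```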