| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fe37588d0712122341y558b0b42nef62fb86007d9bd9@mail.gmail.com> Date: Wed, 12 Dec 2007 23:41:57 -0800 From: "Kristian Erik Hermansen" <kristian.hermansen@...il.com> To: "Andrew A" <gluttony@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Full-Disclosure Digest, Vol 34, Issue 31 On Dec 12, 2007 9:01 PM, "Andrew A" <gluttony@...il.com> wrote: > Actually, the suggested prevention tactic is to create a post variable in > your form of type "hidden" with a securely generated one-time ticket that an > attacker would not be able to scrape without performing an xmlhttp call, > therefore signalling a (real) security problem with the app in question. > Requiring the user to re-input their login credentials for every database > write would be absolutely ridiculous from both a design and security > perspective. > > But then again, you must know all this with your extensive experience in web > app security and development. Yeah dude, we would call that a nonce. Your definition is fine too though... -- Kristian Erik Hermansen "I have no special talent. I am only passionately curious." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists