[cl-weblocks-devel] Re: #45: Don't use gensym for actions to avoid XSS attacks
Alexander Kjeldaas
alexander.kjeldaas at gmail.com
Wed Aug 1 20:54:28 UTC 2007
One user accessing another user's stuff is not the attack I am describing.
The attack I am describing is a purely destructive *someone making a user do
stuff* attack. Get a user to do something that they didn't really intend to
do. In order to do this, one only need to get the user to click on a link
that has a guessed action in it.
For example, if there's a "delete account" action on a weblocks page where
the action id is guessable, *someone* can post a link somewhere that makes
people delete their accounts.
If the action id is unguessable, or the session id is part of the url, then
this attack is not possible.
A third option is to add a framework for confirmation of "important"
actions.
On 8/1/07, cl-weblocks <cl-weblocks-devel at common-lisp.net> wrote:
>
> #45: Don't use gensym for actions to avoid XSS attacks
>
> ------------------------+---------------------------------------------------
> Reporter: anonymous | Owner: sakhmechet
> Type: defect | Status: new
> Priority: low | Milestone: 0.2
> Component: weblocks | Version: pre-0.1
> Resolution: | Keywords: security
>
> ------------------------+---------------------------------------------------
> Changes (by sakhmechet):
>
> * milestone: => 0.2
> * priority: critical => low
> * version: => pre-0.1
>
> Comment:
>
> I don't think this is an issue. Weblocks stores actions per session
> specifically so that a user cannot access another user's actions (unless
> the session has been highjacked). If a malicious site generates a lot of
> 'transfer' actions the user still won't be able to access them.
>
> It's probably better to use a scheme that makes action URLs harder to
> guess anyway, but this isn't critical. Moving to 0.2.
>
> --
> Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
> cl-weblocks <http://common-lisp.net/project/cl-weblocks>
> cl-weblocks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.common-lisp.net/pipermail/cl-weblocks-devel/attachments/20070801/5f0a03bc/attachment.html>
More information about the Cl-weblocks-devel
mailing list