[cl-weblocks-devel] Re: #45: Don't use gensym for actions to avoid XSS attacks

Alexander Kjeldaas alexander.kjeldaas at gmail.com
Wed Aug 1 20:54:28 UTC 2007


One user accessing another user's stuff is not the attack I am describing.
The attack I am describing is a purely destructive *someone making a user do
stuff* attack.  Get a user to do something that they didn't really intend to
do.  In order to do this, one only needs to get the user to click on a link
that has a guessed action in it.

For example, if there's a "delete account" action on a weblocks page where
the action id is guessable, *someone* can post a link somewhere that makes
people delete their accounts.

If the action id is unguessable, or the session id is part of the url, then
this attack is not possible.
A third option is to add a framework for confirmation of "important"
actions.

On 8/1/07, cl-weblocks <cl-weblocks-devel at common-lisp.net> wrote:
>
> #45: Don't use gensym for actions to avoid XSS attacks
>
> ------------------------+---------------------------------------------------
>   Reporter:  anonymous  |       Owner:  sakhmechet
>       Type:  defect     |      Status:  new
>   Priority:  low        |   Milestone:  0.2
> Component:  weblocks   |     Version:  pre-0.1
> Resolution:             |    Keywords:  security
>
> ------------------------+---------------------------------------------------
> Changes (by sakhmechet):
>
>   * milestone:  => 0.2
>   * priority:  critical => low
>   * version:  => pre-0.1
>
> Comment:
>
> I don't think this is an issue. Weblocks stores actions per session
> specifically so that a user cannot access another user's actions (unless
> the session has been hijacked). If a malicious site generates a lot of
> 'transfer' actions the user still won't be able to access them.
>
> It's probably better to use a scheme that makes action URLs harder to
> guess anyway, but this isn't critical. Moving to 0.2.
>
> --
> Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
> cl-weblocks <http://common-lisp.net/project/cl-weblocks>
> cl-weblocks
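The scenario in the reply above, as an added toy model that is not Weblocks code: a per-session action table as the ticket describes, with a gensym-style counter id beside an unguessable random id, and a third party who has only seen ids issued to their own session building a link for the victim to click. The class and function names are invented for the illustration.

```python
import secrets
from itertools import count

# Added example (not Weblocks code): a toy model of the per-session action
# table the ticket describes, with two id schemes for registered actions.

class CounterIds:
    """gensym-style: a process-wide counter, so the next id is predictable."""
    _n = count(1)
    def new(self):
        return f"action{next(CounterIds._n)}"

class RandomIds:
    """256 bits from the OS CSPRNG; nobody can enumerate these."""
    def new(self):
        return secrets.token_urlsafe(32)

class Session:
    def __init__(self, ids):
        self._ids = ids
        self._actions = {}  # action id -> callback, private to this session
    def register(self, fn):
        aid = self._ids.new()
        self._actions[aid] = fn
        return aid
    def dispatch(self, aid):
        fn = self._actions.get(aid)
        return fn() if fn else None

def forged_link_fires(ids):
    """The victim's own session holds a 'delete account' action. A third
    party who only saw ids issued to their own session puts guessed ids
    into links; returns True if one of those links runs the action."""
    state = {"deleted": False}
    def delete_account():
        state["deleted"] = True
        return "deleted"
    attacker = Session(ids)
    seen = attacker.register(lambda: None)   # id shape revealed to attacker
    victim = Session(ids)
    victim.register(delete_account)          # next id issued by the scheme
    # With a counter-shaped id the next few values are obvious; with a random
    # id there is nothing to extrapolate from, so the guesses are just noise.
    if seen.startswith("action") and seen[6:].isdigit():
        guesses = [f"action{int(seen[6:]) + k}" for k in range(1, 10)]
    else:
        guesses = [secrets.token_urlsafe(32) for _ in range(10)]
    for g in guesses:
        victim.dispatch(g)   # the victim opening the planted link
    return state["deleted"]
```

Per-session storage alone does not help here: the victim's own browser sends the request, so the action table consulted is the victim's.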