[WEB SECURITY] RE: Defeating nonce/token based CSRF protection

Mike Duncan Mike.Duncan at noaa.gov
Fri Apr 18 15:03:31 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Jeroen, sorry for the conversational mishaps, but this happens from time
to time. Hopefully it will not deter you or anyone else from using the
list as an information-gathering tool.

Thanks for asking the question. Glad we could help.

Jeroen van Dongen wrote:
> Thanks all for the answers -
> 
> Mike Duncan summarised it nicely I guess:
> "...and we are answering: Yes, this is possible but security in depth is
> the best defense against this."
> 
> Thanks again,
> Jeroen
> 

- --
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
151 Patton Ave.
Asheville, NC 28801-5001
mike.duncan at noaa.gov
828.271.4289
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFICPCCnvIkv6fg9hYRAhzHAJ9JD9HxkiJZ+H3PIbp+vvqYiIAT5gCeL75N
Js7pSLvRK6z6aooUyvk/h/A=
=WxXn
-----END PGP SIGNATURE-----
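Since the thread's one-line summary ("yes, it is possible, so layer your defenses") is the only technical content that survives here, the following is an added illustration of what that layering looks like in code. It is not code from Mike, Jeroen or the list; the site origin, the server secret and the request-dictionary shape are assumptions made for the example. The idea shown: a CSRF token bound to the session by HMAC, checked in constant time, plus an independent Origin/Referer check, so that an attacker who obtains a token (via XSS, a Referer leak, or their own session) still does not get a state-changing request through.

```python
"""Defence-in-depth CSRF check: per-session token plus an Origin/Referer
check, so that a leaked or guessed token alone is not enough.

Constructed example; SITE_ORIGIN, SECRET and the request dict shape are
assumptions made for this illustration, not anything from the thread."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"            # assumed site origin
SECRET = b"constructed-demo-secret-rotate-me"  # assumed server-side key
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str) -> str:
    """Return a CSRF token bound to one session: nonce.HMAC(secret, sid:nonce).
    Binding to the session means a token the attacker obtained for *their*
    session is useless against the victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(token: str, session_id: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def origin_allowed(headers: dict) -> bool:
    """Second, independent layer: the browser-set Origin (or Referer) header
    must name our own origin. Script on an attacker's page cannot set it;
    a missing header on a state-changing request is treated as cross-site."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return False
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_request(req: dict) -> tuple:
    """Decide whether a request may change state. Returns (accepted, reason).
    Defeating the token does not bypass the origin check, and vice versa."""
    if req["method"] not in UNSAFE_METHODS:
        return True, "safe method"
    session_id = req["cookies"].get("sid")
    if not session_id:
        return False, "no session"
    if not origin_allowed(req["headers"]):
        return False, "origin mismatch"
    if not token_valid(req["form"].get("csrf_token", ""), session_id):
        return False, "bad token"
    return True, "ok"


def make_request(method, origin, sid, token):
    """Build a constructed request dict in the shape check_request expects."""
    headers = {"Origin": origin} if origin is not None else {}
    return {"method": method, "headers": headers,
            "cookies": {"sid": sid} if sid else {},
            "form": {"csrf_token": token} if token else {}}


def scenarios() -> dict:
    """Walk the cases the thread is about, all with constructed requests."""
    victim_token = issue_token("victim-session")
    attacker_token = issue_token("attacker-session")
    return {
        # genuine same-site form post
        "legitimate": check_request(make_request("POST", SITE_ORIGIN, "victim-session", victim_token)),
        # classic CSRF: cross-site page, no token at all
        "plain_csrf": check_request(make_request("POST", "https://evil.example", "victim-session", None)),
        # token leaked (XSS, Referer leak) but replayed from a cross-site page
        "stolen_token_cross_site": check_request(make_request("POST", "https://evil.example", "victim-session", victim_token)),
        # attacker's own valid token pasted into the victim's session, same-origin
        "other_sessions_token": check_request(make_request("POST", SITE_ORIGIN, "victim-session", attacker_token)),
        # browsers send "Origin: null" from some sandboxed or redirected contexts
        "null_origin": check_request(make_request("POST", "null", "victim-session", victim_token)),
        # a safe method never changes state, so it is not checked
        "get": check_request(make_request("GET", None, "victim-session", None)),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:26} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

Note the order of the layers: the origin check runs before the token check on purpose, so a cross-site request is rejected without ever touching the token, and the token layer only has to deal with same-origin callers. Neither layer is sufficient alone (an XSS on the same origin passes both), which is exactly why the thread's answer was "yes, this is possible" followed by "layer your defenses".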

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
