Alert: Cross Site Request Forgery!

Don't know what a CSRF is?
It's when people can get things done on a site - remotely, by using other people.

Please - read more about it on the Security Information Blog and protect yourself and your site.

Security Information Blog >> http://bit.ly/J1KBG1

Oh - and share this afterwards so others can learn about it too.

#CSRF #security #antihack

Image sourced from : http://www.shafi-alassmi.com/
It's not a troll.
It's a good piece that shows what Cross Site Request Forgeries and similar attacks are, and how they work.

Personally I was shocked when I found out,
and more so when I tested it out for myself.
 
Yes - it does
It demonstrates a forged request
It also highlights a minor flaw in Google's processing of that request.
More importantly - it shows people that they need to be a lot more careful about what they click, and what the possible consequences are.
 
It's a shortened URL redirect, just that, and very, very common on many social platforms.

PS: I'm not a big fan of using such when it's totally unnecessary, this is not Twitter ;)
 
No

The Bitly is a short URL redirect.

After that you get the G Logout ... which processes without confirmation, without any form of validation, no use of nonce values, no referer checks etc.

Not just a simple short URL and redirect.
 
Lyndon, look at the Set-Cookies headers > 01-Jan-1990
then X-XSS-Protection > 1; mode=block
 
right.
Your point here is?

They have not supplied any form of protection against it.
Leaves me wondering what else is left wide open for such abuse?
 
1) Again - Not Trolling

2) Remote logout ... I suppose it's feasible... but unlikely.

Any system-based interaction (and I count login/logout amongst those) should be protected against CSRF.
Though it's nigh impossible to be 100% proof ... the simple inclusion/addition of nonces goes a long way towards that.
(No, referer checks are basically useless - but any/every little bit that can be used could be used to make it that bit more work to abuse.)
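The nonce approach described in the comment above, as an added example that is not part of the original thread: a hypothetical logout handler in both the unprotected form (any request carrying the session cookie ends the session) and a hardened form that requires POST plus a per-session token the cross-site page cannot read. The in-memory session store and handler signatures are assumptions for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store for the demo: session id -> {"user", "csrf"}.
SESSIONS = {}

def create_session(user):
    """Start a session and mint a per-session CSRF token (the 'nonce' in the thread)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token(sid):
    """Token the server renders into its own logout form; other origins cannot read it."""
    return SESSIONS[sid]["csrf"]

def logout_unprotected(method, cookies):
    """Weak pattern: the browser attaches the cookie automatically, so any request works."""
    sid = cookies.get("sid")
    if sid in SESSIONS:
        del SESSIONS[sid]
        return 200, "logged out"
    return 401, "no session"

def logout_protected(method, cookies, form):
    """Hardened handler: state change only on POST, and only with a matching session token."""
    if method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "no session"
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "csrf token missing or invalid"
    del SESSIONS[cookies["sid"]]
    return 200, "logged out"

def demo():
    """Forged cross-site request (cookie only) vs. legitimate same-site form (cookie + token)."""
    sid = create_session("alice")
    forged = logout_protected("POST", {"sid": sid}, {})
    legit = logout_protected("POST", {"sid": sid}, {"csrf_token": csrf_token(sid)})
    return forged, legit
```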
 
Try > superlogout.com

AOL, Amazon, Blogger, Delicious, DeviantART, DreamHost, Dropbox, eBay, GitHub, GMail, Google, Hulu, Instapaper, Linode, LiveJournal, MySpace, NetFlix, New York Times, Newegg, Photobucket, Skype, Slashdot, SoundCloud, ThinkGeek, Threadless, Tumblr, Vimeo, Wikipedia, Windows Live, Woot, Wordpress, Yahoo!, YouTube and a few others ;)
 
+Thomas P. Bing made this change also a long while back, the reason being is that the images are increasingly cloaked and redirected ;(