μικροblog

Entries categorized as ‘Developing’

October 30, 2006 · 1 comment

CSRF vs XSS: Clarifying things…

You have probably crawled the web for info on these two security-related risks and realised that it is quite difficult to distinguish an attack and determine whether it takes advantage of an XSS or a CSRF bug/weakness…

IMO, XSS has to do with user input filtering/validation and the code devoted to preventing malicious input through, for example, a search textbox on a site. The more you try to filter characters like , ;, %, # the more you protect your site against XSS attacks. So, XSS = poor input/character validation.

In the case of CSRF (aka session riding), the attacker has to predict, in some way, the structure of the app/site he is trying to attack and a valid user’s typical functions on the site. In fact, he has to know the actual operations performed by a site’s user and the way the requests for those are made (GET or POST), along with the session/state mechanisms introduced and deployed by the site. This is the actual meaning of the hype term: predictable structure for invocation. Keep in mind that the best way to know a site is to become a member, so this brings us to the worst case of stored CSRF attacks, in which the site under attack and the actual carrier of the malicious code are one and the same.

More to the story of CSRF and XSS as it develops…

Categories: Developing

October 19, 2006 · Write a comment

When the internet user (YOU!) becomes the victim and the accomplice… Cross-Site Request Forgery as high-tech identity theft and impersonation

Take a normal Web user who works on the PC, visits sites, buys online, talks online and neglects to erase the cookies tracking that online activity… Mark this as people’s exhibit 1!

The user visits forums to exchange ideas with others. Forum topics by other users contain text and images… STOP! Images! Mark this as people’s exhibit 2!

Images seem harmless to the eye, but their src attribute can contain whichever resource/site or script snippet the coder wants them to contain… and therefore even a malicious action/request that is performed against the target site! Mark this as people’s exhibit 3!

Mix all 3 elements together and you have Cross-Site Request Forgery: a misleading act which involves impersonating another user (the victim) against a site he/she has used, for no legitimate use or cause.

And here are the horrifying facts about the 3 elements previously discussed:

- The attacker knows the sites the victim visits, the sites that store cookies for the victim.
- The attacker hopes the target site works on persistent authentication cookies, or that the victim has a current session cookie, or that the victim has neglected to delete/clear his/her cookies when the browser’s session ends or forgot to log off.
- The target site doesn’t perform secondary authentication for advanced transactions, as a precaution against identity theft or impersonation.
- The more sites you visit, the more your risk increases.
- The user has no clue as to what’s happening. The user becomes the accomplice. The user becomes the victim.
- That user is you! Me! Everybody surfing oblivious of the dangers, obvious and well hidden, that lurk in the universal Internet of 0’s and 1’s.

Perhaps these diagrams can clear things up on how CSRF works.
Need more proof? Read on:

http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_6
http://en.wikipedia.org/wiki/Csrf
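A server-side check illustrating the three exhibits above and the “predictable structure for invocation” point from the previous post (added example, not code from the original post): the browser sends the victim’s cookie with the forged image request, so the site must refuse side effects on GET, check where the request came from, and require a token that stays unpredictable even to an attacker who has become a member. The site bank.example, the forum forum.example, the session id and the request dicts are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server secret for the demo; a real site keeps this out of source.
SERVER_SECRET = secrets.token_bytes(32)
TARGET_ORIGIN = "https://bank.example"  # hypothetical site under attack


def csrf_token_for(session_id: str) -> str:
    """Token the site renders into its own forms: an HMAC bound to the session,
    so knowing the app's structure (predictable invocation) is not enough."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_allowed(request: dict, session_id: str) -> tuple[bool, str]:
    """Gate a state-changing action. `request` is a constructed dict with
    method, headers and form; session_id is what the cookie resolved to.
    The browser attaches that cookie to forged requests too, so by itself
    it says nothing about who initiated the request."""
    # 1. No side effects on GET: an <img src=...> tag can only issue a GET.
    if request["method"] != "POST":
        return False, "state-changing action refused over GET"
    # 2. The Origin (or Referer) must be the site itself; absent means refused.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != TARGET_ORIGIN:
        return False, f"cross-site origin {origin!r} refused"
    # 3. The form must carry the session-bound token (constant-time compare).
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample traffic; each request carries the victim's session cookie.
VICTIM_SESSION = "sess-4f3a9c"
FORGED_IMG_GET = {  # what the forum image tag from exhibit 3 would trigger
    "method": "GET", "headers": {"Referer": "https://forum.example/thread/42"},
    "form": {},
}
FORGED_POST = {  # a third-party page auto-submitting a form: still no token
    "method": "POST", "headers": {"Origin": "https://forum.example"},
    "form": {"to": "other-account", "amount": "100"},
}
LEGIT_POST = {  # the site's own form, token rendered by the server
    "method": "POST", "headers": {"Origin": TARGET_ORIGIN},
    "form": {"to": "friend", "amount": "10", "csrf_token": csrf_token_for(VICTIM_SESSION)},
}
```

The Origin check alone is not sufficient (some clients strip the header), which is why the token check runs even when the origin matches.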

Categories: Developing · Networking

July 29, 2005 · 4 comments

get ready for a technical one titled:

“FLASH MX 2004 & SORENSON SQUEEZE: A video Odyssey – volume 1”

I have been testing Macromedia Flash MX 2004 for its video importing & serving capabilities along with Sorenson Squeeze.

Background: Flash MX 2004 uses the Sorenson Spark codec whenever you import a video source file and want to make it a .swf, in order to serve it through the Internet. Sorenson Squeeze uses the Pro edition of Spark.

CONCLUSION #1: better quality and smaller file sizes can be achieved using the latter (Squeeze).

So, I prepared all my videos using Squeeze, bearing in mind that dial-up connections should be served with low bit rate, small frame size videos.

The next step was to create an .fla containing a preloader that could provide feedback on the % of the video loaded to the user who waits… Wishful thinking… Each and every video-swf made with Squeeze seemed to serve itself in a streaming kind of way. What happened?

Whenever I simulated download (Ctrl+Enter), the preloader started and at 2-3% the movie appeared, froze for 2-3 seconds, then started playing, then froze again… The preloader was rendered useless, as you can imagine…

Of course, when I decided to serve the movie-swf on its own everything was OK: a flash movie that appeared to stream over the Web…

CONCLUSION #2: (maybe I should) turn to an .FLV video solution…

TO BE CONTINUED >

Categories: Developing

April 17, 2004 · Write a comment

I decided to dig into UML diagramming recently and, while searching for best practices, hints ‘n’ tips (those things that you rarely find in books), I stumbled on a rather interesting and enlightening article, divided into 4 parts.

Start reading the printer friendly version here

Hope that reading it will shed some light on your UML software design quest!

Categories: Developing