Comments on Jeremiah Grossman: More on Netflix's CSRF advisory

Emilio (2006-10-31, 03:02 -08:00):

Hi Jeremiah.

I have been seeing some sites regarding the CSRF attack, and I noticed that some sites can't be vulnerable because they have POST or GET requests such as:

-----
comment_content=my_comments%2C+another_comment.
&submit=sended+the+comment&process=newcomment&
randkey=434fcD67&link_id=50056&user_id=1986
-----

-----
https://mywebmail/imp/compose.php?
uniq=1vgyw0g863c0
-----

There are parameters such as randkey and similar which only the authenticated user can know. Am I right?

Thanks for your readings :)

Jeremiah Grossman (2006-10-31, 08:41 -08:00):

Yes, you're right. That's one of the standard methods of defense. However, if the website is vulnerable to XSS, it's possible for the exploit to get that randkey and manufacture a valid request.