Board: Micro Earnings
Re: FaucetBOX.com Discussion
by
Kazuldur
on 08/07/2015, 20:26:33 UTC

I myself wouldn't trust referer headers as they could be fabricated.

While I didn't trust them either for FaucetBOX.com, how could they be fabricated in the context of CSRF? If I were to attack you using CSRF I wouldn't be able to force your browser to fake the referrer.

You are right. Referer check seems to be good enough to protect against CSRF. However, there are ways to get in control of someone's browser and then spoof the headers (is XSS + CSRF possible?). Also, what about HTTPS, or if someone's browser doesn't send the referer headers (guess 99% do, but still)? That would be considered an attack.

BTW Do you guys support p2sh for litecoin yet?

If you control someone's browser, why bother with CSRF? You can just attack directly. HTTPS isn't a problem: the referrer will be correct on the site itself and possibly not set/empty when coming from other sites (then one just assumes it's invalid). If someone's browser doesn't send headers, too bad. It's not a perfect solution, it's just the easiest. You should generate a token, save it in the session, add it as a hidden input in the form and compare it on request. But that requires more changes, while a referrer check will be sufficient for most.

Still no P2SH for Litecoin yet. No ETA either.
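Both checks discussed in the thread, written out as an added example (not FaucetBOX.com's own code): a referrer check that treats a missing or empty header as invalid, as the reply suggests, and the session-token alternative (generate, store in session, emit as hidden input, compare on request). The host name `faucetbox.example` and the dict-based session/form objects are assumptions standing in for a real framework.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "faucetbox.example"  # assumed: the site's own host name


def referer_is_valid(headers, site_host=SITE_HOST):
    """Referrer check: accept only requests whose Referer names our own host.

    An absent or empty header (privacy settings, some HTTPS->HTTP cases) is
    treated as invalid, which is the conservative choice from the thread.
    Comparing the parsed hostname, rather than a string prefix, means a
    look-alike such as https://faucetbox.example.other.test/ is rejected.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return parts.scheme in ("http", "https") and parts.hostname == site_host


def issue_csrf_token(session):
    """Token approach, step 1: generate a random token and keep it in the session."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def hidden_input(token):
    """Token approach, step 2: the hidden field to embed in the form."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def csrf_token_is_valid(session, form):
    """Token approach, step 3: on request, compare form token with session token.

    hmac.compare_digest keeps the comparison constant-time; a form submitted
    from another origin cannot read the session token, so it cannot match.
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session
    token = issue_csrf_token(session)
    print(hidden_input(token))
    print(csrf_token_is_valid(session, {"csrf_token": token}))   # True
    print(referer_is_valid({"Referer": "https://faucetbox.example/claim"}))  # True
```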