{"id":170,"date":"2008-04-29T19:31:31","date_gmt":"2008-04-30T00:31:31","guid":{"rendered":"http:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/170"},"modified":"2008-04-29T19:31:31","modified_gmt":"2008-04-30T00:31:31","slug":"csrf-yet-another-security-issue-you-should-worry-about-now","status":"publish","type":"post","link":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/170","title":{"rendered":"CSRF – yet another security issue you should worry about NOW."},"content":{"rendered":"

Read this<\/a>. <\/p>\n

CSRF<\/a> (wikipedia), a cross-site request forgery, is one of the most recent and under-publicized attacks on the web. It boils down to a user browsing to a web site, downloading a web page, and unknowingly, submitting requests to other web servers, usually with malicious intent. The example linked above demonstrates a hack where a specially crafted URL is formed that actually changes the settings on a common DSL router used in Mexico (by relying on the fact the user name\/password combination is well known and unlikely to have changed). <\/p>\n

If you allow user input in a web application our on a web site (even as part of a forum or blog comments), you could be unwittingly providing hackers a friendly spot in which they can inject these well-formed, but malicious URLs to be hosted. Unfortunately, they’re very difficult to track down. <\/p>\n

I moderate all comments on my web site so that no unwanted links become published. <\/p>\n

But, if you write software — consider all avenues of data entry, etc. Trust NO INPUT. Don’t trust the data that is in your database. Assume that it has been compromised. Assume nothing. <\/p>\n","protected":false},"excerpt":{"rendered":"

Read this. CSRF (wikipedia), a cross-site request forgery, is one of the most recent and under-publicized attacks on the web. It boils down to a user browsing to a web site, downloading a web page, and unknowingly, submitting requests to other web servers, usually with malicious intent. The example linked above demonstrates a hack where […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4,8],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pd5QIe-2K","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":174,"url":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/174","url_meta":{"origin":170,"position":0},"title":"Top 10 web security vulnerabilities","date":"May 2, 2008","format":false,"excerpt":"Check out the top 10 for 2007 security vulnerabilities for web applications presentation here (available as a PowerPoint presentation). The top 10 is: Cross site scripting (XSS) Injection flaws Insecure remote file include Insecure direct object reference Cross site request forgery (CSRF) Information leakage and improper error handling Broken authentication\u2026","rel":"","context":"In "Coding"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":426,"url":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/426","url_meta":{"origin":170,"position":1},"title":"Visual WebGUI — Uh? Neat technology for someone else.","date":"July 16, 2008","format":false,"excerpt":"At the top of the page linked above, you can try the Ajax version or the Silverlight version of their web-mail demo. Try it. I won't say that I'm not impressed by what they've accomplished technically. It's impressive. They use a WinForms designer to build parts of the user interface\u2026","rel":"","context":"In "Coding"","img":{"alt_text":"image","src":"https:\/\/i0.wp.com\/www.wiredprairie.us\/blog\/wp-content\/uploads\/2008\/07\/image-thumb2.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":217,"url":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/217","url_meta":{"origin":170,"position":2},"title":"The ASP.NET Single Page Interface and AJAX Patterns","date":"May 9, 2008","format":false,"excerpt":"Posted on MSDN, by Dino Esposito, \"Single Page Interface and AJAX Patterns.\" What is it? From the article... Single-Page Interface Model To take full advantage of AJAX, you need to have all of your features, or at least most of them, in a single page. This is known as the\u2026","rel":"","context":"In "Coding"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1749,"url":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/1749","url_meta":{"origin":170,"position":3},"title":"Nest Update #12: Software at 3.0 with New Features","date":"October 3, 2012","format":false,"excerpt":"As the blogosphere exploded yesterday with news of a second generation Nest thermostat and a new major version of the software (for the thermostats and the controllers such as the web site and various SmartPhones), I wondered what impact the new software and hardware would have on average users, like\u2026","rel":"","context":"In "Recommendations"","img":{"alt_text":"IMG_0630","src":"https:\/\/i0.wp.com\/www.wiredprairie.us\/blog\/wp-content\/uploads\/2012\/10\/IMG_0630.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":1754,"url":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/1754","url_meta":{"origin":170,"position":4},"title":"Nest Thermostat API using Node JS and Nest API Update","date":"October 9, 2012","format":false,"excerpt":"I\u2019ve been asked by a few people for more details on the API Nest Labs uses for their thermostats, especially regarding setting data (and not just polling). The API uses mostly JSON formatted data POSTed to their web servers. Authentication To authenticate, POST the username and password, encoded as form\u2026","rel":"","context":"In "Coding"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1340,"url":"https:\/\/www.wiredprairie.us\/blog\/index.php\/archives\/1340","url_meta":{"origin":170,"position":5},"title":"Nest Thermostat Review, Update #1","date":"December 27, 2011","format":false,"excerpt":"After a few weeks of using the Nest thermostat, I\u2019ve got a few more comments that I\u2019d like to share. (Here\u2019s my post about the installation). The learning feature honestly hasn\u2019t been very useful in the first few weeks. It\u2019s apparently easily confused by days that you're home unexpectedly (for\u2026","rel":"","context":"In "General"","img":{"alt_text":"image","src":"https:\/\/i0.wp.com\/www.wiredprairie.us\/blog\/wp-content\/uploads\/2011\/12\/image_thumb3.png?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/posts\/170"}],"collection":[{"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/comments?post=170"}],"version-history":[{"count":0,"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/posts\/170\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/media?parent=170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/categories?post=170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wiredprairie.us\/blog\/index.php\/wpjson\/wp\/v2\/tags?post=170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}