Posted by Jerry Stuckle on 03/22/06 22:02
Chris Shiflett wrote:
>>I can easily write some PHP code (or Java, C/C++ or whatever) which will
>>simulate submission from your page. Not hard to do at all.
>
>
> Sure, but the important difference is that your PHP script is not me.
> It can't fire people. In fact, your PHP script can't do anything more
> than what you can already do with a browser. You've gained nothing.
>
> A CSRF attack would cause me to send a request to fire someone.
>
>
>>I'm disappointed in the tone used by Chung Leong.
>
>
> I won't pretend to know any history. I just prefer to ignore "tone" and
> focus on technical details.
>
>
>>As for actually writing the program to do it - it's not worth my time or
>>bother.
>
>
> I only suggested this, because I'm quite sure you can't do it. I'm not
> trying to challenge you, because I'm sure you can write code to do
> exactly what you're thinking, but that won't achieve anything. However,
> if I'm wrong, an example would both clarify and prove your point.
>
Go back and look at the original problem:
"I've been trying to come up with a way to ensure user input is coming from the
form on my site, and not auto-submitted from elsewhere, and I don't want to use
the "enter the code shown in the image" method. I know the
$_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of doing
something similar to this: <snip>"
And Chung's response:
"<snip> A check on HTTP_REFERER is actually sufficient too, since ordinary
users aren't going to be spoofing the Referer headers."
This is the statement I was arguing. And it's something which can be done quite
easily. And the code for it is actually quite simple.
Quite frankly, I don't care about whether you fire someone or not. It was not
part of the original problem.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
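As an added illustration of the two points argued in this exchange (the Referer check Chung proposed and the "your script is not me" distinction Chris draws), here is a small constructed example that is not code from the thread or from either poster. It models a form handler twice: once gated only on `Referer`, and once gated on a per-session synchronizer token embedded in the form. The site origin, the header and form dictionaries, and the session dictionaries are all assumptions made up for the demonstration.

```python
import hmac
import secrets

# Assumed origin of the site serving the form (placeholder, not from the thread).
SITE_ORIGIN = "https://example.invalid"


def referer_check(headers: dict) -> bool:
    """The check from the thread: accept only if Referer points at our site.

    Any client that composes its own headers can satisfy this, so it proves
    nothing about where the request really originated.
    """
    ref = headers.get("Referer", "")
    return ref.startswith(SITE_ORIGIN + "/")


def issue_token(session: dict) -> str:
    """Generate a random token, store it in the user's session and return it
    so the form page can embed it in a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def token_check(session: dict, form: dict) -> bool:
    """Accept only if the submitted token matches the one stored in this
    session; a third-party page cannot read that value, so it cannot forge
    a submission on the victim's behalf."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: dict, headers: dict, form: dict) -> dict:
    """Evaluate one POST under both policies and report the verdicts."""
    return {
        "referer_only": referer_check(headers),
        "token": token_check(session, form),
    }


def scenarios() -> dict:
    """Three constructed submissions against the same handler."""
    # 1. A genuine user: the browser loaded the form, got a token, submits it.
    user_session = {}
    tok = issue_token(user_session)
    genuine = handle_post(
        user_session,
        {"Referer": SITE_ORIGIN + "/form.php"},
        {"name": "alice", "csrf_token": tok},
    )

    # 2. A cross-site request riding on the victim's session: the browser
    #    sends the cookie, but the attacker-controlled page never saw the
    #    token, and here the Referer names the foreign page.
    victim_session = {}
    issue_token(victim_session)
    cross_site = handle_post(
        victim_session,
        {"Referer": "https://third-party.invalid/page.html"},
        {"name": "alice"},
    )

    # 3. Someone scripting requests from their *own* session with a forged
    #    Referer: both checks pass, but, as the reply notes, that person could
    #    already do this from a browser, so nothing is gained.
    own_session = {}
    own_tok = issue_token(own_session)
    own_script = handle_post(
        own_session,
        {"Referer": SITE_ORIGIN + "/form.php"},  # header chosen by the script
        {"name": "bob", "csrf_token": own_tok},
    )

    return {"genuine": genuine, "cross_site": cross_site, "own_script": own_script}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:10s} referer_only={verdict['referer_only']} token={verdict['token']}")
```

The token check distinguishes the case that actually matters (a request the user did not intend to send) from the case that does not (a user scripting their own requests), which is the distinction the reply above is making; the Referer check alone cannot tell either apart from a client that simply sets the header.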