* Posts by Kier

6 publicly visible posts • joined 9 May 2007

Cross-site hacks and the art of self defence

Kier

Can't rely solely on HTTP_REFERER

HTTP_REFERER is a good defence, but cannot be the sole defence, because certain systems remove the referrer from requests (yes, I'm looking at you, Norton Internet Security).

GET should never do anything but fetch content for viewing. http://example.com/script?do=delete&what=all_my_stuff is going to be bad news.

POST should always be used for data-altering actions, but as forms can be forged and auto-submitted using JavaScript, this should not be relied upon as the sole defence either.

If you avoid auto-submission of forms by disabling JavaScript, you're still not safe from form forgery. Consider this:

<form action="bank.com" method="post">
<input type="hidden" name="do" value="transfer" />
<input type="hidden" name="account" value="12345678" />
<input type="hidden" name="value" value="5000.00" />
Rate this image:
<input type="radio" name="rating" value="3" />Great
<input type="radio" name="rating" value="2" />Mediocre
<input type="radio" name="rating" value="1" />Terrible
<input type="submit" value="Go" />
</form>

The only secure defence right now is the security token.
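The post above walks through three layers: refusing to change state on GET, checking the referrer only as a secondary signal (because some client software strips it), and requiring a per-session security token on every state-changing POST. The following is an added illustration of that layering in Python, not code from the post or from any site it mentions; the request model, the action names in STATE_CHANGING and the origin "https://bank.example" are all constructed for the example.

```python
import hmac
import secrets

# Constructed example of a synchroniser-token CSRF defence. A minimal request
# model (method, form parameters, headers, server-side session dict) stands in
# for a real web framework; action names and the origin are hypothetical.

STATE_CHANGING = {"transfer", "delete"}      # hypothetical data-altering actions
SITE_ORIGIN = "https://bank.example"          # hypothetical own origin


def issue_token(session):
    """Create (once per session) the token the server embeds in its own forms.

    A forged form on another site cannot know this value, so it cannot
    include it in the hidden fields it auto-submits.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_is_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def referer_is_same_origin(headers):
    """Secondary signal only.

    Returns True/False when a Referer is present, and None when it is absent,
    because some client software removes the header outright; an absent
    referrer is therefore 'unknown', not a failure.
    """
    ref = headers.get("Referer")
    if ref is None:
        return None
    return ref == SITE_ORIGIN or ref.startswith(SITE_ORIGIN + "/")


def handle_request(method, params, headers, session):
    """Return (status, message) for one request, applying the layered checks."""
    action = params.get("do")
    if action not in STATE_CHANGING:
        return 200, "fetched content"            # GET-safe, read-only action
    if method != "POST":
        return 405, "state-changing actions require POST"
    if referer_is_same_origin(headers) is False:
        return 403, "cross-origin referrer"      # present and wrong: reject
    if not token_is_valid(session, params.get("csrf_token")):
        return 403, "missing or invalid security token"
    return 200, f"performed {action}"


def demo():
    """Run the forged 'rate this image' form and a legitimate one; return statuses."""
    session = {}
    token = issue_token(session)
    # Constructed forged submission: has the hidden fields, lacks the token.
    forged = {"do": "transfer", "account": "12345678", "value": "5000.00", "rating": "3"}
    # Legitimate submission from a form the server itself rendered.
    genuine = dict(forged, csrf_token=token)
    return {
        "get_delete": handle_request("GET", {"do": "delete"}, {}, session)[0],
        "forged_post": handle_request("POST", forged, {}, session)[0],
        "genuine_post": handle_request("POST", genuine, {}, session)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the referrer check is deliberately three-valued: a missing header falls through to the token check rather than blocking the request, which is exactly why the token, not the referrer, is the control that actually decides.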

Ofcom slices up the digital dividend

Kier

Regulator?

Isn't the role of a regulator to work in the interests of the public and ensure that this sort of crap doesn't happen?

Keyboard PC design recalls Amiga era

Kier

8 bit?

The Amiga 500 (the first of the keyboard-style Amigas) was 16 bit, while the successor, the Amiga 1200 was a 32 bit machine.

If we're talking about a keyboard-style computer from Commodore, perhaps the article is in fact referring to the Commodore 64?

How HMRC gave away the UK's national identity

Kier

Incredible data ineptitude

And the government wonders why some of us have such strong objections to their lunatic ID card scheme...

Blank media levy breaches should be criminal, say authors

Kier

The usage assumption is flawed

Am I alone in using blank media for purposes other than copying audio CDs? I object to paying Eminem for the benefit of backing up a directory of photos...

Dell reinvents the cardboard box

Kier

Yeah but...

This is all very laudable, but on several occasions I've had Dell send out a pair of screws in a padded A4 size box, and a two page manual in a gigantic cardboard monstrosity.

They really need to deal with their multi-box insanity of power cords in separate boxes, manuals in separate boxes, screws in separate boxes etc. in addition to this initiative.