Simon Willison’s Weblog

Robust Defenses for Cross-Site Request Forgery [PDF]. Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped.

# 9:40 am / csrf, http, logincsrf, paypal, pdf, phishing, security, xrequestedby

Mark Zuckerberg speaking at FOWA. The Future of Web Apps Expo is just a few weeks away, and Mark Zuckerberg is the surprise keynote. I’m chairing the developer track again this year.

# 1:11 pm / carsonified, events, facebook, fowa, future-of-web-apps, mark-zuckerberg

Decorator to limit request rates to individual views. Neat piece of code for public facing web APIs written in Django. Update: some smart criticisms in the comments.

# 1:13 pm / apis, decorators, django, python, rate-limiting

csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs!

# 2:52 pm / code, csrf, middleware, outputbuffering, php, projects, security

Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is.

# 4:08 pm / adsafe, dojo, dojox, dojoxsecure, javascript, kriszyp, mashups, sandboxing, security

Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary.

# 10:18 pm / alf-eaton, csrf, google, logincsrf, security

html-whitelist (via) DeWitt Clinton’s web service wrapper aroud the html5lib HTML sanitiser, hosted on AppEngine.

# 11:54 pm / appengine, dewitt-clinton, html5, html5lib, sanitisation, security

freebase-suggest (via) A jQuery plugin that performs auto-completion against the Freebase JSONP API, and allows the results to be limited to specific categories or subsets.

# 11:58 pm / autocomplete, freebase, freebasesuggest, javascript, jquery, jsonp, metadata