After an unspecified "werewolf incident" we have become the new maintainer of the hogwarts.edu web app.
Our first day on the job begins with Profe...
It's now 2019 and yet IMO this is the best article on CSRF out there 😁
I have this in my favorites and I check it every now and then.
I have been to hogwarts.edu/. Apparently the maintainer has already been severely hacked, since the hackers succeeded in taking control of the domain name and unregistering it. So I'm not sure if I should listen to the maintainer, because his own security seems lacking.
As far as my knowledge goes: there was a bug to add custom headers without a pre-flight in Flash in 2013/2014.
bugs.chromium.org/p/chromium/issue...
bugs.chromium.org/p/chromium/issue...
It could happen again with any other plugin. Therefore implementing tokens is not only a second line, but should be the first line of defense :)
It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)
If you are able to set Referer/Origin, the check would be useless. The only reason the check works: you can't set certain headers without a preflight because of the CORS restriction.
BUT: you are right. This particular bug does not affect the Referer/Origin check, because some headers are blacklisted in Flash.
Just wanted to show that it happened before, and planning for a failure in a security system because of another piece of software is never a good idea.
So implementing one solution (tokens), instead of one solution which could break plus one solid one, is more cost-effective.
Tokens are implemented in nearly every framework. Using them is most of the time the easier option.
But I like your writing, and that you supply all the information :)
Wow! How vivid this is! Am I the only one who attempted to go to hogwarts.edu? This post is so fun to read! Very nice topic. And I love your pictures... very cool ;)
My old websites have totally been a subject of these attacks o_O
This was great, thanks for writing. Reminds me of the Hogwarts IT guy tumblr.
Very well written Richard! Even though I'm not familiar with HP terminology :).
Great story-telling on this technical (and often overlooked) problem! Thanks.
A great post on csrf. 👏👏
Reading it was VERY interesting. Thanks for sharing this article with us, Richard!
Or you could use unguessable URIs (aka capabilities) and the whole process isn't necessary…