CSRF, and a bleg

Good post from Jeff Atwood about cross-site request forgery (CSRF) attacks. One thing that comes to mind is that this is an example of the best kind of security exploit – one where the exploit depends on the target system doing the right thing. A Web server is meant to respond to URL requests, and determine its response according to the browser credentials and any arguments passed in with the URL.

A CSRF attack essentially consists of arranging things so that users cause this to happen without being aware of it; for example, placing an object on some other Web site that carries a link to the target URL, or a button that causes an HTTP POST to a target URL as well as whatever it’s meant to do. As a refinement, you could so arrange things that the request was passed through something you control, so you can snarf the credentials and perhaps also the reply.

Rough; but it’s precisely the fact that you can do this sort of thing that lets you do all sorts of Web-application magic. What happens when you call a third-party API (or even just an image hosted somewhere else) from within the browser? That’s right, the user loads your Web page and incidentally loads the third-party service’s URL with their browser credentials.This is how the del.icio.us feed in my sidebar (on TYR 2.0) gets there. Oh noes, no YouTube or embedded GMaps, or a whole lot of other useful stuff.

Oh well, enough of that. Does anyone know of a Firefox extension or similar that lets me submit comments I leave on other people’s blogs to a service like del.icio.us? I specifically don’t want a blogging tool, I just want to keep the comment URL, the URL of the related post if separate (i.e. haloscan style), and the text of the comment, and perhaps some tags.


  1. Duane Griffin

    Perhaps Zotero will meet your needs? I think it is more designed for local storage, but looks like it has plugins for export to del.icio.us, if you specifically wanted that.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: