[14902] in bugtraq
Re: "ClientSideTrojan" bug
daemon@ATHENA.MIT.EDU (Clover Andrew)
Mon May 15 15:45:55 2000
Message-Id: <5F78AA062F6AD311A59000508B4AAF6D092B22@pcs02>
Date: Mon, 15 May 2000 10:25:51 +0200
Reply-To: Clover Andrew <aclover@1VALUE.COM>
From: Clover Andrew <aclover@1VALUE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
David L. Nicol <david@KASEY.UMKC.EDU> suggested:
> partial possible solutions to this problem are:
> 1: issue a one-time password in response to any request that
> will effect a change of any sort, and require return of the
> one-time password
Many web sites in effect already do something like this. A
transaction ID is issued in a hidden control with any
non-idempotent (POST-style) form. To succeed, the submitted
form must include a valid transaction ID. On submission,
the transaction ID is deleted in the database. This is
done to avoid multiple submissions of the same form, but
could also prevent malicious usage.
The trick is to tie the transaction ID to the authenticated
user, so that one cannot gain a transaction ID as one user and
direct another user to use it. By tying the request data to
the authentication data, a malicious third party cannot
exploit the latter to perform the former.
--
Andrew Clover
Technical Support
1VALUE.com AG
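The scheme described in the message above (a single-use transaction ID stored server-side and bound to the authenticated user who was shown the form), as an added example that is not part of the original post. The `TransactionTokens` class and its in-memory dict are assumptions standing in for the site's database; the user names are constructed.

```python
import secrets


class TransactionTokens:
    """Server-side store of one-time transaction IDs, each bound to the
    authenticated user it was issued to. The dict is an in-memory
    stand-in (assumption) for the database mentioned in the post."""

    def __init__(self):
        self._pending = {}  # token -> user it was issued to

    def issue(self, user):
        """Called when rendering a non-idempotent (POST) form for `user`.
        The returned value is what goes into the form's hidden control."""
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self._pending[token] = user
        return token

    def redeem(self, user, token):
        """Called on submission. Succeeds only if the token exists, was issued
        to this same authenticated user, and has not been used before.
        A presented token is consumed whatever the outcome, so it can
        never be replayed."""
        issuer = self._pending.pop(token, None)
        if issuer is None:
            return False  # unknown, forged, or already-used token
        return issuer == user  # reject tokens minted for another user


def demo():
    """Walk through the cases the post discusses; returns four booleans."""
    store = TransactionTokens()
    # Legitimate flow: alice loads the form, then submits it once.
    t = store.issue("alice")
    first = store.redeem("alice", t)   # True
    replay = store.redeem("alice", t)  # False: single use (double submit)
    # Cross-user case from the post: a token obtained as one user is
    # presented from another user's authenticated session.
    m = store.issue("mallory")
    cross = store.redeem("alice", m)   # False: bound to mallory, not alice
    # A submitted value with no server-side record at all.
    forged = store.redeem("alice", "not-a-real-token")  # False
    return first, replay, cross, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

Binding the token to the user is what separates this from a plain double-submit guard: deleting the ID on use stops duplicate submissions, but only the user check stops an ID minted in one session from being redeemed in another.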