Re: The Dangers of Allowing Users to Post Images

From: Sverre H. Huseby (shhat_private)
Date: Thu Jun 14 2001 - 11:34:33 PDT


    [www-mobile-code would probably be a more appropriate list for this]
    
    It seems to me that what you talk about is "Client Side Trojans",
    which were discussed in the Zope forum in May last year.
    
      http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
    
    This is a far-reaching security problem.  The links you talk about may
    just as well be sent in mail, or they may be viewed from a different
    web site.  Mails and different web sites may include JavaScript that
    posts prefilled forms on behalf of the user, so using POST rather than
    GET will not fully solve the problem, as long as the user is already
    authenticated to the site in question.  Some sites offering "always
    logged in", and intranets using e.g. NTLM authentication, are
    particularly vulnerable to this kind of attack.
    
    A possible solution (for web developers) seems to be to make sure the
    user has been given an offer to do something before letting him do it:
    Give each user a unique "ticket", and for each "action" on a web page,
    bind this ticket to it.  Examples for a URL and a form follow:
    
      http://vote.com/vote.cgi?answer=1&ticket=9871398747
    
      <input type="hidden" name="ticket" value="9871398747">
    
    When the request comes in, check if the incoming ticket matches the
    one stored in this user's session.  If it does, this particular user
    was given the offer by our server, and not by anyone else.  To spoof
    this system, someone would have to guess or otherwise find out what
    ticket value the victim was given by the server.
    
    To make it harder to find the ticket value given to a user, you could
    give the user many tickets, one for each possible action.  This
    solution would require a "ticket pool" in the user's session.  I've
    implemented the latter solution in both PHP and Java.  Let me know if
    you would like some code.  (It's not at all hard to implement, of
    course.)
    
    
    Sverre.
    
    -- 
    <URL:mailto:shhat_private>
    <URL:http://shh.thathost.com/>
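
The "ticket pool" scheme from the post (what is today called a synchronizer token against cross-site request forgery), written out as an added example in Python; this is not Sverre's PHP or Java code. The `Session` class, the action names and the forged ticket values are constructed for the demonstration.

```python
import hmac
import secrets


class Session:
    """Server-side state for one authenticated user (constructed for this example)."""

    def __init__(self):
        # Ticket pool: one unpredictable ticket per action the server has offered.
        self.tickets = {}  # action name -> ticket value


def issue_ticket(session, action):
    """Call when rendering a page that offers `action` to this user.

    The returned value goes into the URL (?ticket=...) or a hidden form field,
    and is remembered in the session so the submit can be checked against it.
    """
    ticket = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    session.tickets[action] = ticket
    return ticket


def hidden_field(session, action):
    """Render the hidden input from the post, bound to a fresh ticket."""
    return '<input type="hidden" name="ticket" value="%s">' % issue_ticket(session, action)


def check_ticket(session, action, submitted):
    """Accept the request only if the ticket matches the one this session was
    given for this action.  The ticket is consumed so a captured request
    cannot be replayed; a forged request from mail or another site has no
    way to learn the value and is rejected."""
    expected = session.tickets.get(action)
    if expected is None or submitted is None:
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    del session.tickets[action]  # one-time use
    return True


def demo():
    """Walk through the cases a defender cares about; returns name -> accepted."""
    session = Session()
    ticket = issue_ticket(session, "vote")
    return {
        "forged_no_ticket": check_ticket(session, "vote", None),
        "forged_guess": check_ticket(session, "vote", "9871398747"),  # attacker's guess
        "wrong_action": check_ticket(session, "delete", ticket),     # ticket for another action
        "genuine": check_ticket(session, "vote", ticket),
        "replay": check_ticket(session, "vote", ticket),
    }
```

Only the genuine submit is accepted; the ticket must also be regenerated on login and discarded with the session, or a ticket leaked through a Referer header or log outlives its usefulness.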
    