VentureBeat: Video: Researchers release tool for hacking user-generated content sites

  • ericmoritz · 4 months ago
    I just briefly looked at the code, but this looks to me like a way to collect session keys in referers by way of something like a URL shortener. This doesn't seem to be anything innovative to me; anyone with access to an Apache log could get a session key if the target site puts it in the URL.
  • ShawnM · 4 months ago
    Eric, there's a lot more to the tool than that, but yes, one of the methods we mentioned is collecting CSRF tokens and other relevant session data from referer. What we do with the tool is then use that to construct CSRF on the fly, something you can't just do from an Apache log itself.

    The larger point is that typical mitigations for CSRF, as implemented, don't take either cross-domain referer leakage or other implementation problems with CSRF tokens into account. There's more detail in the slides and paper; Nathan has both up on http://www.hexsec.com
  • Name · 3 months ago
    Sounds interesting but I couldn't take the interviewer constantly "mmm hum"-ing in the background.
    Like he was so anxious just to ask the next Q on his list...
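
The leak discussed in the first two comments (session or CSRF tokens placed in URLs, which then travel in the Referer header) can be audited from a site's own Apache access log. The following is an added example, not part of the thread or of the researchers' tool; the token parameter names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed token parameter names; replace with the ones your application uses.
TOKEN_PARAMS = {"csrf", "csrf_token", "authenticity_token", "sid",
                "sessionid", "phpsessid", "jsessionid"}

# Apache "combined" log format: request line, status, size, Referer, User-Agent.
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def token_params(url):
    """Return sorted names of token-like parameters carried in a URL."""
    parts = urlsplit(url)
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    # Servlet-style path parameters, e.g. /cart;jsessionid=abc
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            names.add(param.split("=", 1)[0].lower())
    return sorted(names & TOKEN_PARAMS)

def audit(lines):
    """Return (line_no, field, param_names) per exposure; values are never echoed."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        for field in ("target", "referer"):
            found = token_params(m.group(field))
            if found:
                findings.append((no, field, found))
    return findings

# Constructed sample log lines (not from any real system).
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /profile/edit?csrf_token=CONSTRUCTED1 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "http://app.example/profile/edit?csrf_token=CONSTRUCTED1" "UA"',
    '203.0.113.9 - - [10/Oct/2010:13:56:02 +0000] "GET /cart;jsessionid=CONSTRUCTED2?item=4 HTTP/1.1" 200 900 "http://app.example/" "UA"',
    '203.0.113.9 - - [10/Oct/2010:13:56:09 +0000] "POST /comment HTTP/1.1" 302 0 "http://app.example/post/7" "UA"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A hit in the `referer` field shows the token-bearing URL was already sent as a Referer once; any external link or embedded third-party resource on that page would receive the same header.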