Chris Shiflett

Comment on Git on Snow Leopard by Chris Shiflett

Wed, 17 Mar 2010 02:30:41 GMT

Glad it helped, Niall!

Wed, 17 Mar 2010 02:30 GMT — Git on Snow Leopard

Comment on Git on Snow Leopard by Niall Kelly

Mon, 15 Mar 2010 14:42:15 GMT

Having tried other methods without success and looked through plenty of bloated documentation, this just works! Thank you for providing simple code that does what it's supposed to...

Mon, 15 Mar 2010 14:42 GMT — Git on Snow Leopard

Comment on Security Corner: Cross-Site Request Forgeries by RyanTheGreat

Thu, 11 Mar 2010 20:40:04 GMT

Well, I'm not Chris, but I will do my best to address the questions raised in the comments by Ian E and Ray C.

@Ian E - I'm not sure what you found on that first link called "Cool CSRF using nothing but CSS and iframes" because it no longer exists. However, I would venture to guess that if someone indeed did use css + iframes for CSRF it was either one of two things:

1) An example of the possibilities of CSRF against an unprotected form, not one that was using a nonce. From the title, it sounds like it was intended to be an example of the fact you can use only CSS + iframes to execute a CSRF. I do not believe it was meant to be an example of how to use CSS + iframes to bypass a protected form which uses a nonce.

2) If it was indeed an attack against a protected form, not just a vulnerable form, I would be forced to assume it was a particular version of a browser that was vulnerable, not an attack vector meant for all purposes.

I would be forced to assume this because your assumption: "I am no javascript programmer, but I believe javascript can read a frame's content." is incorrect. JavaScript has almost literally NO access to ANY information about a frame. Try it out for yourself, you can get essentially no information about a even a frames current URL, let alone the actual content within the frame - and with good reason.

Imagine how horribly insecure everyone would be if such attacks were possible? Monitoring entered keystrokes inside a frame with JavaScript to steal login credentials, redirecting users from a frame in which they thought they were on a legitimate site to an attack site and etc. If you could use JavaScript to manipulate/grab information from frames, CSRF would be the very least of our problems.

-Ryan

Thu, 11 Mar 2010 20:40 GMT — Security Corner: Cross-Site Request Forgeries

Comment on Webstock by Chris Shiflett

Fri, 05 Mar 2010 16:55:02 GMT

Thanks for the kind words, Simon.

I'm glad you liked the tutorial. In case it's helpful, here's a link to the slides on SlideShare:

http://slideshare.net/shiflett/evol...of-web-security

Thanks again, and I agree with everything you said about Webstock. People love things that are made with love. :-)

Fri, 05 Mar 2010 16:55 GMT — Webstock

Comment on Webstock by Chris Shiflett

Fri, 05 Mar 2010 16:49:53 GMT

Hi Robin,

I plan to post something about it, but it's going to be hard to express everything in writing.

The short summary is Webstock is the best conference I've ever been to, and I've been to a lot of conferences.

More soon, I hope!

Fri, 05 Mar 2010 16:49 GMT — Webstock