Comments on: CSRF Slides http://markjaquith.wordpress.com/2008/04/14/csrf-slides/ WordPress puts food on my table. Fri, 18 Jul 2008 23:39:17 +0000 http://wordpress.org/?v=MU By: Grapho http://markjaquith.wordpress.com/2008/04/14/csrf-slides/#comment-88759 Grapho Thu, 17 Apr 2008 16:08:28 +0000 http://markjaquith.wordpress.com/?p=142#comment-88759 now, now to solve this CSRF prob? now, now to solve this CSRF prob?

]]> By: Mark Jaquith http://markjaquith.wordpress.com/2008/04/14/csrf-slides/#comment-88749 Mark Jaquith Wed, 16 Apr 2008 19:35:16 +0000 http://markjaquith.wordpress.com/?p=142#comment-88749 Mark, sent. Jacob, in theory, yes. But with CSRF there was a concerted effort to "nonce" all the forms. There are many more SQL injection and XSS "points of attack" than there are forms to attack with CSRF, and all it takes is missing one. I'm hoping the prepare stuff will help, but it hasn't yet been fully implemented (getting there for 2.6, though!) We also need to have more eyes on new code, checking them to make sure they're using our security/escaping/sanitization functions. Mark, sent.

Jacob, in theory, yes. But with CSRF there was a concerted effort to “nonce” all the forms. There are many more SQL injection and XSS “points of attack” than there are forms to attack with CSRF, and all it takes is missing one. I’m hoping the prepare stuff will help, but it hasn’t yet been fully implemented (getting there for 2.6, though!) We also need to have more eyes on new code, checking them to make sure they’re using our security/escaping/sanitization functions.

]]> By: Jacob Santos http://markjaquith.wordpress.com/2008/04/14/csrf-slides/#comment-88744 Jacob Santos Wed, 16 Apr 2008 02:18:50 +0000 http://markjaquith.wordpress.com/?p=142#comment-88744 Dude, you pretty much already solve the XSS with KSES or HTML Purifier, and SQL Injection is almost solved with the prepare emulator function. Nothing is 100%, but okay, it would be difficult for most to hack WordPress. Dude, you pretty much already solve the XSS with KSES or HTML Purifier, and SQL Injection is almost solved with the prepare emulator function.

Nothing is 100%, but okay, it would be difficult for most to hack WordPress.

]]> By: Mark Ghosh http://markjaquith.wordpress.com/2008/04/14/csrf-slides/#comment-88740 Mark Ghosh Tue, 15 Apr 2008 14:15:27 +0000 http://markjaquith.wordpress.com/?p=142#comment-88740 Dude, I don't have your email address. Send me a quick message when you get a chance? markghosh at gmail Dude, I don’t have your email address. Send me a quick message when you get a chance? markghosh at gmail

]]> By: Malte Landwehr http://markjaquith.wordpress.com/2008/04/14/csrf-slides/#comment-88736 Malte Landwehr Tue, 15 Apr 2008 07:35:25 +0000 http://markjaquith.wordpress.com/?p=142#comment-88736 Definitely some slides that should be a must read before starting work an a wordpress plugin. Definitely some slides that should be a must read before starting work an a wordpress plugin.

]]>