Comments on: Hotlinks and Persistent CSRF http://michaeldaw.org/papers/hotlink_persistent_csrf Weekly humour Thu, 07 May 2009 20:09:50 +0000 http://wordpress.org/?v= hourly 1 By: Jeremiah Blatz http://michaeldaw.org/papers/hotlink_persistent_csrf/comment-page-1#comment-20597 Jeremiah Blatz Tue, 17 Apr 2007 13:26:19 +0000 http://michaeldaw.org/papers/hotlink_persistent_csrf/#comment-20597 The cool thing is that you can be arbitrarily sneaky with this. Back in the day, I posted a little article about how to swap an image based on request parameters on AntiOnline (shame). Basically, you show one image to users with no referrer or an authorized referrer, and another one to everyone else. If you want to be super-sneaky, you can try to figure out the ip address/range of the linker, and show them the "authorized" pic, too. Since the visitors are none the wiser, they presumably won't be forging their referrer, so you shouldn't need to worry about that. http://antionline.com/showthread.php?t=238136&page=2 The cool thing is that you can be arbitrarily sneaky with this. Back in the day, I posted a little article about how to swap an image based on request parameters on AntiOnline (shame). Basically, you show one image to users with no referrer or an authorized referrer, and another one to everyone else. If you want to be super-sneaky, you can try to figure out the ip address/range of the linker, and show them the “authorized” pic, too.

Since the visitors are none the wiser, they presumably won’t be forging their referrer, so you shouldn’t need to worry about that.

http://antionline.com/showthread.php?t=238136&page=2

]]> By: GNUCITIZEN » Persistent CSRF and The Hotlink Hell http://michaeldaw.org/papers/hotlink_persistent_csrf/comment-page-1#comment-20501 GNUCITIZEN » Persistent CSRF and The Hotlink Hell Mon, 16 Apr 2007 15:05:14 +0000 http://michaeldaw.org/papers/hotlink_persistent_csrf/#comment-20501 [...] Earlier today, I and David K had a play around with these type of issues. I recommend reading his post too. poc: Google Reader Persistent CSRF Proof of Concept » trackback | » digg it | [...] [...] Earlier today, I and David K had a play around with these type of issues. I recommend reading his post too. poc: Google Reader Persistent CSRF Proof of Concept » trackback | » digg it | [...]

]]>