ratproxy issues again
- From: Andre Rodrigues <acastanheira2001@xxxxxxxxxxxx>
- Date: Fri, 12 Jun 2009 05:12:22 -0700 (PDT)
Hi folks,
I'm back with a ratproxy issue.
I've tested my app and it shows the following HIGH risks:
1- POST query with no XSRF protection - Parameter-accepting POST requests that lack security tokens. Some POST requests change application state, and may be vulnerable to cross-site request forgery attacks.
2- Bad caching header - Pages that set cookies or require authentication, but have HTTP headers that may, in some scenarios, lead to proxy-level document caching.
Depending on runtime settings, this may also include subtle HTTP/1.1 and HTTP/1.0 intent mismatches (such as Cache-Control: private with no Expires header).
I need to explain what these risks are and how to circumvent them to the IT guys.
Any ideas appreciated.
Thanks,
André
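The two findings above are the kind a defender can reproduce outside ratproxy. The following is an added example, not ratproxy's own code or anything from the original post: it applies the two checks ratproxy describes (a state-changing POST form with no token-like hidden field, and a response that sets a cookie but is cacheable, including the Cache-Control: private with no Expires mismatch) to constructed responses, showing a weak response beside a corrected one. The token heuristic and the sample headers are assumptions for illustration.

```python
import re

# --- Check 1: "Bad caching header" (response sets a cookie / needs auth) ---
def caching_findings(headers):
    """Return problems for a sensitive response that a shared proxy might cache."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if not ("set-cookie" in h or "www-authenticate" in h):
        return findings  # not a sensitive response; nothing to flag
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    if not ({"private", "no-store"} & cc):
        findings.append("sensitive response without Cache-Control: private/no-store")
    if "private" in cc and "no-store" not in cc and "expires" not in h:
        # HTTP/1.0 proxies ignore Cache-Control, so an Expires header is the fallback
        findings.append("Cache-Control: private with no Expires (HTTP/1.0 intent mismatch)")
    return findings

# --- Check 2: "POST query with no XSRF protection" ---
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
POST_RE = re.compile(r'method\s*=\s*["\']?post', re.I)
HIDDEN_RE = re.compile(r'<input\b[^>]*type\s*=\s*["\']?hidden[^>]*>', re.I)
VALUE_RE = re.compile(r'value\s*=\s*["\']([^"\']*)["\']', re.I)

def looks_like_token(value):
    # Assumed heuristic (not ratproxy's exact rule): long, varied, token-like value
    return len(value) >= 16 and len(set(value)) >= 10 and \
        re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None

def xsrf_findings(body):
    """Return one finding per POST form that carries no token-like hidden input."""
    findings = []
    for attrs, inner in FORM_RE.findall(body):
        if not POST_RE.search(attrs):
            continue
        values = [VALUE_RE.search(i).group(1) for i in HIDDEN_RE.findall(inner) if VALUE_RE.search(i)]
        if not any(looks_like_token(v) for v in values):
            findings.append("POST form without an anti-XSRF token")
    return findings

# Constructed sample responses: the weak form of each issue and the corrected one.
WEAK_HEADERS = {"Set-Cookie": "JSESSIONID=abc; Path=/", "Cache-Control": "private"}
FIXED_HEADERS = {"Set-Cookie": "JSESSIONID=abc; Path=/; HttpOnly",
                 "Cache-Control": "private, no-store, no-cache", "Expires": "0", "Pragma": "no-cache"}
WEAK_BODY = '<form method="POST" action="/transfer"><input name="amount"></form>'
FIXED_BODY = ('<form method="POST" action="/transfer">'
              '<input type="hidden" name="csrf_token" value="3f9a1c7e5b2d4e8f6a0b9c1d2e3f4a5b">'
              '<input name="amount"></form>')

if __name__ == "__main__":
    for label, hdr, body in (("weak", WEAK_HEADERS, WEAK_BODY), ("fixed", FIXED_HEADERS, FIXED_BODY)):
        print(label, caching_findings(hdr) + xsrf_findings(body))
```

The fixed response pairs the server-side token check (the hidden field must be validated on the POST, not merely present) with headers that stop both HTTP/1.1 and HTTP/1.0 intermediaries from caching the page.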