Rafay baloch on Twitter: "@homakov @padraicb @soaj1664ashar Capacha can be used instead of CSRF protection on Sign up form, and it cannot also be bypassed by xss ;)"

Ashar Javed ‏@soaj1664ashar 18 May 2013

Do you think SIGN-UP form has #CSRF protection or not? // cc @ircmaxell @homakov @padraicb @johnwilander
Expand Collapse
Anthony Ferrara ‏@ircmaxell 18 May 2013

@soaj1664ashar @homakov @padraicb @johnwilander I don't think it's *necessary*. I wouldn't knock code that didn't...
Expand Collapse 1 favorite
Pádraic Brady ‏@padraicb 18 May 2013

@ircmaxell @soaj1664ashar CAPTCHAs counteract nuisance signups or timing attacks on username list /cc @homakov @johnwilander
Expand Collapse
Egor Homakov ‏@homakov 18 May 2013

@padraicb @ircmaxell @soaj1664ashar @johnwilander any form must have CSRF prot, no excuses
Expand Collapse 1 favorite
Rafay baloch ‏@rafaybaloch 19 May 2013

@homakov @padraicb @ircmaxell @soaj1664ashar @johnwilander What's the need of CSRF token inside of Sign up form? @homakov
Expand Collapse 1 favorite
Egor Homakov ‏@homakov 19 May 2013

@rafaybaloch @padraicb @ircmaxell @soaj1664ashar @johnwilander it doesn't matter, every changing request must have it by default
Expand Collapse
Rafay baloch ‏@rafaybaloch 19 May 2013

@homakov @padraicb @ircmaxell @soaj1664ashar But it's not necessary, Capacha is enough to protect..
Expand Collapse
Egor Homakov ‏@homakov 19 May 2013

@rafaybaloch @padraicb @ircmaxell @soaj1664ashar captcha mitigates automated registration — unrelated. if signup logs in — session fixation
Expand Collapse 1 favorite
Rafay baloch ‏@rafaybaloch 19 May 2013

@homakov @padraicb @ircmaxell @soaj1664ashar What can you accomplish, when sign up form does not have CSRF token, but has capacha...answers
Expand Collapse 1 favorite
Egor Homakov ‏@homakov 19 May 2013

@rafaybaloch @padraicb @ircmaxell @soaj1664ashar easy. i get solve captcha myself and send the solution along with my own recaptcha_token
Expand Collapse

Pádraic Brady ‏@padraicb 19 May 2013

@rafaybaloch I assume bypass would be to re-display CAPTCHA to target as something innocuous (e.g UI confirm check) @homakov @soaj1664ashar
Expand Collapse
Egor Homakov ‏@homakov 19 May 2013

@padraicb @rafaybaloch @soaj1664ashar challenge and answer are both parameters. Not cookie
Expand Collapse

Country	Code	For customers of
United States	40404	(any)
Canada	21212	(any)
United Kingdom	86444	Vodafone, Orange, 3, O2
Brazil	40404	Nextel, TIM
Haiti	40404	Digicel, Voila
Ireland	51210	Vodafone, O2
India	53000	Bharti Airtel, Videocon, Reliance
Indonesia	89887	AXIS, 3, Telkomsel, Indosat, XL Axiata
Italy	4880804	Wind
Italy	3424486444	Vodafone
» See SMS short codes for other countries

Saved searches

Don’t miss any updates from Rafay baloch

Flag this media

Go to a person's profile

Saved searches

Retweet this to your followers?

Are you sure you want to delete this Tweet?

Block

Add a location to your Tweets

Profile summary

Your lists

Create a new list

Embed this Tweet

Preview

Sign up for Twitter

Not on Twitter? Sign up, tune into the things you care about, and get updates as they happen.

Two-way (sending and receiving) short codes:

Confirmation

Buy Now

Hmm... Something went wrong. Please try again.