Jeff Atwood wrote a good article explaining the danger of XSRF and XSS.
Jeff is also correct that legitimate users may have empty UrlReferrer. Rejecting such users is a mistake.
2) I agree that introducing parameters cuts off the most obvious XSRF attacks.
That's how Gmail was hacked: the hacker used an XSS vulnerability on some obscure Google web site in order to exploit the XSRF vulnerability in Gmail.
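The two points above (an empty Referer must not be treated as an attack, and a per-session token parameter stops the plain cross-site POST) can be shown side by side. The following is an added example, not code from the blog or its commenters; the `SessionStore`, `handle_transfer` and `referer_only_check` names, the `xsrf_token` form field and the request dictionaries are all constructed here for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: one anti-XSRF token per session id.
class SessionStore:
    def __init__(self):
        self._tokens = {}

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        # Token is unguessable and bound to the session, never derived from it.
        self._tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def token_for(self, sid):
        return self._tokens.get(sid)


def referer_only_check(request, trusted_host="bank.example"):
    """The approach the comment warns against: rely on Referer alone.
    An empty Referer (proxy, privacy setting, HTTPS->HTTP) is indistinguishable
    from an attack, so legitimate users get rejected."""
    referer = request.get("headers", {}).get("Referer", "")
    if not referer.startswith("https://" + trusted_host + "/"):
        return 403, "referer missing or foreign"
    return 200, "ok"


def handle_transfer(store, request):
    """Synchronizer-token check for a state-changing POST.
    The browser attaches the session cookie to a cross-site form post
    automatically, but the attacker's page cannot read the token, so a
    forged request arrives without it (or with a wrong one)."""
    sid = request.get("cookies", {}).get("session")
    expected = store.token_for(sid) if sid else None
    if expected is None:
        return 403, "no session"
    supplied = request.get("form", {}).get("xsrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or wrong xsrf token"
    return 200, "ok"


def demo():
    """Run three constructed requests through both checks and return results."""
    store = SessionStore()
    sid = store.new_session()
    token = store.token_for(sid)

    # Legitimate user whose browser sends no Referer at all.
    legit_no_referer = {
        "cookies": {"session": sid},
        "form": {"xsrf_token": token, "amount": "100"},
        "headers": {},
    }
    # Forged POST from attacker.example: cookie rides along, token does not.
    forged = {
        "cookies": {"session": sid},
        "form": {"amount": "100"},
        "headers": {"Referer": "https://attacker.example/evil.html"},
    }
    # Forged POST where the attacker guesses a token value.
    forged_guess = {
        "cookies": {"session": sid},
        "form": {"xsrf_token": secrets.token_urlsafe(32), "amount": "100"},
        "headers": {"Referer": "https://attacker.example/evil.html"},
    }
    return {
        "referer_rejects_legit": referer_only_check(legit_no_referer)[0],
        "token_accepts_legit": handle_transfer(store, legit_no_referer)[0],
        "token_rejects_forged": handle_transfer(store, forged)[0],
        "token_rejects_guess": handle_transfer(store, forged_guess)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Note that the token check does not look at Referer at all, so the empty-Referer user is unaffected; the token must still be sent only in the form body (or a custom header), never in a URL that could leak through a Referer of its own.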