CSRF, Anti-DNS Pinning and NTLM

Mark Goodwin has written a neat discussion of the extra problems that CSRF causes when used alongside DNS pinning attacks and against intranets that use NTLM authentication (AKA Integrated Windows Auth)

The short version is that you might be able to use CSRF and anti-DNS pinning attacks to steal resources from an intranet, including those that need auth NTML authentication.

Getahead predates DWR by quite a while, and Mark has worked with me on a few projects. For the past few years he's been a serious security head, and he's just started blogging.

I'm not going to link to all his posts, so if you are interested in security; subscribe, and I'll get on with the Ajax and Java stuff.

Tags : csrf security

Responses[2]

Posted by Joe Walker on 18 April 2007 10:22:26 BST #

Re: CSRF, Anti-DNS Pinning and NTLM

Comment from Elvis on 01 August 2009 20:10:36 BST #

Like your work and i must subscribe to it as i want always some new stuff about ajax and Java, hope i can see something new, previously i was working on low cost web site hosting services along with some informative web hosting reviews writing but i like the stuff on your pages too and will bring some more friends here to get best information.

Re: CSRF, Anti-DNS Pinning and NTLM

Comment from Lepan on 19 February 2010 16:41:16 GMT #

I was thinking about the problem of Cross Site Request Forgery and current mitigation strategies used in the Industry. In many of the real world applications I have tested so far, I see the use of random tokens appended as part of url. world of warcraft cataclysm

Add a comment Send a TrackBack

2010 March (0) February (1) January (0)	2009 December (0) November (0) October (0) September (0) August (1) July (0) June (0) May (1) April (1) March (0) February (3) January (0)
2008 December (2) November (1) October (0) September (0) August (0) July (2) June (0) May (2) April (1) March (5) February (2) January (1)	2007 December (4) November (3) October (2) September (0) August (3) July (2) June (1) May (2) April (8) March (11) February (4) January (7)
2006 December (4) November (2) October (4) September (3) August (7) July (3) June (3) May (10) April (3) March (4) February (5) January (3)	2005 December (1) November (7) October (8) September (10) August (5) July (7) June (11) May (6) April (2)

Re: CSRF, Anti-DNS Pinning and NTLM Comment from Anonymous on 12 March 2010 04:57:41 GMT #
Title
Body	HTML : b, strong, i, em, blockquote, br, p, pre, a href="", ul, ol, li, sub, sup
Name
E-mail address
Website
Remember me	Yes No
E-mail addresses are not publicly displayed, so please only leave your e-mail address if you would like to be notified when new comments are added to this blog entry (you can opt-out later).

Username
Password
Remember me