CSRF, Anti-DNS Pinning and NTLM

Mark Goodwin has written a neat discussion of the extra problems that CSRF causes when used alongside anti-DNS pinning attacks and against intranets that use NTLM authentication (AKA Integrated Windows Auth).

The short version is that you might be able to use CSRF and anti-DNS pinning attacks to steal resources from an intranet, including those that require NTLM authentication.

Getahead predates DWR by quite a while, and Mark has worked with me on a few projects. For the past few years he's been a serious security head, and he's just started blogging.

I'm not going to link to all his posts, so if you are interested in security, subscribe, and I'll get on with the Ajax and Java stuff.
