[Tutor] How to use custom protocol with requests?

Juan Christian juan0christian at gmail.com
Sun Oct 12 15:26:12 CEST 2014


On Sun, Oct 12, 2014 at 12:17 AM, Danny Yoo <dyoo at hashcollision.org> wrote:

> Huh.  Wow.  That actually worked?
>
> :P
>
> ---
>
> Frankly speaking though, this sounds like a horrible XSRF-style attack
> in waiting, if I understand what has just happened.
> (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
>
> Usually, requests to do mutation operations are protected so that, in
> order to make the request, you have to have some knowledge in the
> request that's specific to the user, and not public knowledge.  The
> URL you've described is missing this basic information, an "XSRF
> token" as it's commonly known (though I would have assumed it would be
> called an "anti-XSRF" token, but oh well.)
>
> I'm not sure how your web browser is handling the 'steam://' URL
> class, but I would very much hope that, in the interface between the
> browser and your Steam client, it's doing something to mitigate what
> looks like an XSRF exploit.
>

Well, the person needs to be logged in to the browser (maybe cookies are set
for that); when I trigger that in the browser it automatically opens the
Steam software installed on the computer and adds the person. I don't know
if it's a flaw, but it's very useful for what I'm doing. If you go to ANY
profile on Steam (after logging in), let's say
'http://steamcommunity.com/profiles/<ID_HERE>', you can add the person, that
simple.
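The protection Danny describes, a per-session token that a mutating request must carry, can be shown with a small server-side sketch. This is an added example, not code from either poster and not Steam's implementation: the handler names, the `SERVER_SECRET` value and the request dictionaries are all constructed for illustration. The token is an HMAC of the session id under a server-only secret, so a page on another origin can cause the browser to send the session cookie but cannot mint the matching token, and the mutation is refused.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed secret for this example; a real deployment loads it from
# configuration and never ships it to the client.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return an anti-XSRF token bound to one session.

    Only the server knows `secret`, so only the server can produce a token,
    and a token lifted from one session does not validate for another.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented: Optional[str],
                      secret: bytes = SERVER_SECRET) -> bool:
    """True only if `presented` is the token issued for `session_id`.

    hmac.compare_digest keeps the comparison constant-time.
    """
    if not presented:
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, presented)


def handle_add_friend(request: dict, session_id: str) -> Tuple[int, str]:
    """Toy handler for a mutating action (hypothetical 'add friend').

    `request` stands in for a parsed HTTP request: {"method": ..., "form": {...}}.
    `session_id` is what the server recovered from the session cookie, which
    the browser attaches whether or not the user meant to make this request.
    """
    if request.get("method") != "POST":
        # Mutations on a GET are exactly what a forged link would trigger.
        return 405, "mutations must be POSTed"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        # The cookie alone is not enough; the token proves the request
        # originated from a page this server rendered for this session.
        return 403, "missing or invalid XSRF token"
    return 200, f"added friend {form.get('friend_id')}"


if __name__ == "__main__":
    session = secrets.token_hex(8)          # constructed session id
    token = issue_csrf_token(session)       # embedded in the server's own form

    # Legitimate submission from the server's page: cookie + token.
    print(handle_add_friend(
        {"method": "POST", "form": {"friend_id": "42", "csrf_token": token}},
        session))
    # Cross-site request: the browser still sends the cookie, but no token.
    print(handle_add_friend(
        {"method": "POST", "form": {"friend_id": "42"}}, session))
```

Run the file to see the first request accepted and the second rejected with 403. The same check is what a `steam://` handler would need between the browser and the client if it is to avoid acting on a URL any page can emit.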