One user accessing another user's stuff is not the attack I am describing. The attack I am describing is a purely destructive *someone making a user do stuff* attack. Get a user to do something that they didn't really intend to do. In order to do this, one only need to get the user to click on a link that has a guessed action in it. For example, if there's a "delete account" action on a weblocks page where the action id is guessable, *someone* can post a link somewhere that makes people delete their accounts. If the action id is unguessable, or the session id is part of the url, then this attack is not possible. A third option is to add a framework for confirmation of "important" actions. On 8/1/07, cl-weblocks <cl-weblocks-devel@common-lisp.net> wrote:

#45: Don't use gensym for actions to avoid XSS attacks

------------------------+--------------------------------------------------- Reporter: anonymous | Owner: sakhmechet Type: defect | Status: new Priority: low | Milestone: 0.2 Component: weblocks | Version: pre-0.1 Resolution: | Keywords: security

------------------------+--------------------------------------------------- Changes (by sakhmechet):

* milestone: => 0.2 * priority: critical => low * version: => pre-0.1

Comment:

I don't think this is an issue. Weblocks stores actions per session specifically so that a user cannot access another user's actions (unless the session has been highjacked). If a malicious site generates a lot of 'transfer' actions the user still won't be able to access them.

It's probably better to use a scheme that makes action URLs harder to guess anyway, but this isn't critical. Moving to 0.2.

-- Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45> cl-weblocks <http://common-lisp.net/project/cl-weblocks> cl-weblocks