[WEB SECURITY] what is this attack called?

Leandro Meiners lmeiners at cybsec.com
Mon Dec 19 08:27:24 EST 2005


I think what you are referring to is Cross Site Request Forgeries, see
http://cert.uni-stuttgart.de/archive/bugtraq/2001/06/msg00216.html
Another source of information on the subject is
http://www.securenet.de/papers/Session_Riding.pdf where they "rename"
CSRF to Session Riding....

Regards,

Leandro Meiners

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners at cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index

On Sun, 2005-12-18 at 22:32 -0500, Brian Eaton wrote:

> I've seen some web sites that defend themselves from this type of
> attack, but more that don't.  I've been looking for more information
> about this kind of issue, but I haven't been able to find much.  I
> think part of the problem is that I don't know what others have called
> this type of attack:
> 
> 1) Victim logs on to targeted web site.
> 
> 2) Attacker tricks victim into visiting malicious web page
> 
> 3) Malicious web page redirects victim to a URL on the targeted web site.
> 
> 4) Targeted web site receives request from victim, and performs some
> action on the victim's behalf.
> 
> For a more concrete example, let's say the targeted web site will
> perform a money transfer when a user submits a form to the page
> /transfer with form arguments of "toaccount" and "amount".  In that
> case, the attacker would host a web page like this:
> 
> <body onload="document.forms.hahaha.submit()">
> <form method="POST" name="hahaha" action="https://targeted-web-site/transfer">
>      <input type="hidden" name="toaccount" value="attackers-account-number">
>      <input type="hidden" name="amount" value="100">
> </form>
> 
> So the attack starts a little bit like XSS, but the usual methods of
> defending against XSS just aren't relevant.  To prevent the attack,
> the web site needs to prevent the attacker from guessing what URL or
> form submission will trigger an action.
> 
> Anybody have links to further information on this kind of attack?
> 
> - Brian
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
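The defence Brian arrives at in the quoted post (make the form submission unguessable by the attacker's page) is what is usually called the synchronizer-token pattern. The following is an added example written for this archive page, not code from either poster: a framework-free Python sketch in which `Session`, `render_transfer_form` and `handle_transfer` are hypothetical stand-ins for the application's session store and its `/transfer` handler. It runs the thread's forged `toaccount`/`amount` POST and a legitimate one against the same session and shows why the forged one is refused.

```python
"""Synchronizer-token defence for the forged /transfer POST described in the thread.

Added example, not code from the mailing-list post. Session, render_transfer_form
and handle_transfer are hypothetical names for the application's session store
and request handler; the balances and field values are constructed sample data.
"""
import hmac
import secrets
from html import escape


class Session:
    """One logged-in user's server-side session state (constructed stand-in)."""

    def __init__(self, user: str, balance: int) -> None:
        self.user = user
        self.balance = balance
        # Unguessable, per-session secret. A page on another origin cannot read
        # it, so it cannot be copied into a forged form on the attacker's site.
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    """Build the legitimate /transfer form with the session token as a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(session.csrf_token)}">'
        '<input type="text" name="toaccount">'
        '<input type="text" name="amount">'
        '<input type="submit" value="Transfer">'
        "</form>"
    )


def handle_transfer(session: Session, form: dict) -> tuple:
    """Server-side handler for POST /transfer; returns (http_status, message).

    The token check runs before any other processing, so a request that carries
    the victim's cookies but not the token (the thread's auto-submitting form)
    is refused without side effects.
    """
    submitted = str(form.get("csrf_token", ""))
    # Constant-time comparison on bytes so timing does not leak token contents
    # and non-ASCII input cannot raise TypeError inside compare_digest.
    if not hmac.compare_digest(submitted.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return 403, "missing or invalid CSRF token"

    try:
        amount = int(form.get("amount", ""))
    except ValueError:
        return 400, "amount must be an integer"
    if amount <= 0 or amount > session.balance:
        return 400, "invalid amount"
    toaccount = str(form.get("toaccount", ""))
    if not toaccount:
        return 400, "toaccount required"

    session.balance -= amount
    return 200, f"transferred {amount} to {toaccount}"


def demo() -> dict:
    """Run the forged, legitimate and guessed-token requests against one session."""
    victim = Session(user="victim", balance=500)

    # Constructed forged POST with the fields from the thread's hidden form.
    # The browser attaches the victim's cookies, but the attacker's page never
    # learned the token, so the field is simply absent.
    forged = {"toaccount": "attackers-account-number", "amount": "100"}
    forged_result = handle_transfer(victim, forged)

    # Legitimate POST: the browser submitted the form rendered by
    # render_transfer_form, so the hidden token field is present.
    legit = {"csrf_token": victim.csrf_token, "toaccount": "savings", "amount": "100"}
    legit_result = handle_transfer(victim, legit)

    # A guessed token of the right length and alphabet is still rejected.
    guessed = {"csrf_token": secrets.token_urlsafe(32), "toaccount": "x", "amount": "1"}
    guessed_result = handle_transfer(victim, guessed)

    return {
        "forged": forged_result,
        "legit": legit_result,
        "guessed": guessed_result,
        "balance": victim.balance,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the thread makes is visible in `demo()`: the forged request is indistinguishable from a real one as far as cookies go, and only the per-session secret that the attacker's origin cannot read separates them. The token must be generated with a CSPRNG, tied to the session, and compared in constant time; the existing XSS-style output encoding (`escape` here) is still needed so the token itself is not the source of a new injection.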

