[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Sverre H. Huseby shh at thathost.com
Tue May 3 15:36:03 EDT 2005

Some nut (like me) may find this interesting.  I compiled this list
for one of the fine speakers at OWASP Europe 2005 in London a couple
of weeks ago.  He mentioned Session Riding in his entertaining speech,
but wasn't familiar with the history.  If this apparently extremely
clever guy wasn't, then I guess other people aren't either.


The History of Session Riding, as Far as I Know

* May 2000: Jim Fulton writes about it on zope.org
  Name: Client-side Trojan

    * May 2000: Referenced on Linux Weekly News

    * May 2000: Referenced on kuro5hin.org, including demo of having
      people post messages to slashdot.

* June 2001: Peter W describes it on BugTraq
  Name: Cross-Site Request Forgeries
  (I somehow managed not to see this post)

* November 2001: I describe it on webappsec, including "ticket" solution
  Name: Client-side Trojans
  (A modified version of the text appears in my book, there
   named "Web Trojans".)

* December 2004: Thomas Schreiber writes about it on webappsec
  Name: Session Riding


The confusion is complete.  This is, IMHO, a very serious problem that
people keep rediscovering, but that never gets the attention it really
deserves.  I've reviewed web apps for five years now, and have yet to
discover one that isn't vulnerable.


shh at thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
