[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Sverre H. Huseby shh at thathost.com
Tue May 3 15:36:03 EDT 2005


Some nut (like me) may find this interesting.  I compiled this list
for one of the fine speakers at OWASP Europe 2005 in London a couple
of weeks ago.  He mentioned Session Riding in his entertaining speech,
but wasn't familiar with the history.  If this apparently extremely
clever guy wasn't, then I guess other people aren't either.

---------------------------------------------------------------------------

The History of Session Riding, as Far as I Know
-----------------------------------------------

* May 2000: Jim Fulton writes about it on zope.org
  http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
  Name: Client-side Trojan

    * May 2000: Referenced on Linux Weekly News
      http://lwn.net/2000/features/Redirect.php3

    * May 2000: Referenced on kuro5hin.org, including demo of having
      people post messages to slashdot.
      http://www.kuro5hin.org/story/2000/5/9/183550/1910

* June 2001: Peter W describes it on BugTraq
  http://www.securityfocus.com/archive/1/191390
  Name: Cross-Site Request Forgeries
  (I somehow managed not to see this post)

* November 2001: I describe it on webappsec, including "ticket" solution
  http://www.securityfocus.com/archive/107/224715
  Name: Client-side Trojans
  (A modified version of the text appears in my book, there
   named "Web Trojans".)

* December 2004: Thomas Schreiber writes about it on webappsec
  http://www.securityfocus.com/archive/107/384630
  Name: Session Riding

---------------------------------------------------------------------------

The confusion is complete.  This is, IMHO, a very serious problem that
people keep rediscovering, but that never gets the attention it really
deserves.  I've reviewed web apps for five years now, and have yet to
discover one that isn't vulnerable.

Sverre.

-- 
shh at thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
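
The "ticket" solution mentioned in the list above, as an added illustration that is not code from the original post or from any of the cited write-ups: a state-changing handler accepts a request only if it carries an unpredictable per-session ticket that the legitimate form embeds and that a third-party page cannot read. The in-memory session store, the handler names and the forged request below are constructed for the example.

```python
"""Session riding (CSRF) and the per-session "ticket" defence.

Added example for this page; not code from the post or from the
cited references.  The session store, the handler functions and the
forged request are constructed for illustration.
"""
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# A browser that holds the cookie "sid=sid-victim" is logged in as alice.
SESSIONS = {
    "sid-victim": {"user": "alice", "ticket": None},
}

# Where accepted submissions end up, so the effect of each request is visible.
POSTS = []


def login(session_id):
    """Issue a fresh unpredictable ticket to a session (done once at login)."""
    SESSIONS[session_id]["ticket"] = secrets.token_hex(16)
    return SESSIONS[session_id]["ticket"]


def render_form(session_id):
    """The legitimate form embeds the session's ticket as a hidden field."""
    ticket = SESSIONS[session_id]["ticket"]
    return {"action": "/post", "fields": {"body": "", "ticket": ticket}}


def handle_post_vulnerable(cookies, form):
    """Accepts any POST that arrives with a valid session cookie.

    The browser attaches the cookie automatically, so a request that a
    third-party page made the victim's browser send looks exactly like
    one the victim submitted through the real form.
    """
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    POSTS.append((session["user"], form["body"]))
    return 200


def handle_post_ticketed(cookies, form):
    """Accepts a POST only if it echoes the ticket stored in the session.

    The attacker's page cannot read the victim's ticket (same-origin
    policy keeps the real form's contents from it), so a forged request
    either omits the ticket or carries a guess, and fails this check.
    """
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    supplied = form.get("ticket", "")
    expected = session["ticket"]
    # Constant-time comparison so a guessing attacker gains no timing signal.
    if not expected or not hmac.compare_digest(supplied, expected):
        return 403
    POSTS.append((session["user"], form["body"]))
    return 200


def forged_request_from_third_party():
    """What an attacker's page makes the victim's browser send (constructed).

    The cookie is added by the browser, the body is attacker-chosen, and
    the ticket is absent because the attacker never saw the real form.
    """
    cookies = {"sid": "sid-victim"}
    form = {"body": "First post! (forged)"}
    return cookies, form


def demo():
    """Run the forged request against both handlers, then a legitimate one.

    Returns (vulnerable_status, ticketed_status, legitimate_status).
    """
    login("sid-victim")
    cookies, form = forged_request_from_third_party()
    vulnerable_status = handle_post_vulnerable(cookies, form)   # 200: rides the session
    ticketed_status = handle_post_ticketed(cookies, form)       # 403: no ticket
    # A real submission through the rendered form carries the ticket.
    legit_form = {**render_form("sid-victim")["fields"], "body": "hello"}
    legitimate_status = handle_post_ticketed(cookies, legit_form)  # 200
    return vulnerable_status, ticketed_status, legitimate_status


if __name__ == "__main__":
    print(demo())
```

The ticket must be unpredictable and bound to the session; a value the attacker can derive (a counter, the user name, a hash of the session id) gives no protection, and the check must cover every request that changes state, not just the ones reached from the main form.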