[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries
Bill Pennington
bill at whitehatsec.com
Tue May 3 18:43:45 EDT 2005
Hey Sverre, nice historical document ;-)
I am having a problem giving this a new name, it all looks like cross
site scripting and/or Insufficient Authentication to me. I think we
should try to be rather ruthless in giving things new names when they
are just combinations or variations of existing threats. It is a
bit of a problem with web apps in that the result of an attack might
make things new or exciting but the attack vector is one we have
already classified. Maybe the existing names are bad (don't even get me
started on XSS!) but inventing new ones (maybe bad ones at that) seems
an even worse idea. In your examples from the webappsec posting I would
infer that a session does not even exist for the voting app, so how can
I be riding one?
Great work as always Sverre, I hope you don't take my rant as an attack
on what you have put together, it is great stuff. I see these types of
problems every day and I think they fit well into the existing
classification system and there is no need to create new names for
them. I think we need to understand that by combining attacks and/or
weaknesses in web apps we can do exponentially more damage but that the
combination does not require a new name.
On May 3, 2005, at 12:36 PM, Sverre H. Huseby wrote:
> Some nut (like me) may find this interesting. I compiled this list
> for one of the fine speakers at OWASP Europe 2005 in London a couple
> of weeks ago. He mentioned Session Riding in his entertaining speech,
> but wasn't familiar with the history. If this apparently extremely
> clever guy wasn't, then I guess other people aren't either.
>
> ---------------------------------------------------------------------------
>
> The History of Session Riding, as Far as I Know
> -----------------------------------------------
>
> * May 2000: Jim Fulton writes about it on zope.org
> http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
> Name: Client-side Trojan
>
> * May 2000: Referenced on Linux Weekly News
> http://lwn.net/2000/features/Redirect.php3
>
> * May 2000: Referenced on kuro5hin.org, including demo of having
> people post messages to slashdot.
> http://www.kuro5hin.org/story/2000/5/9/183550/1910
>
> * June 2001: Peter W describes it on BugTraq
> http://www.securityfocus.com/archive/1/191390
> Name: Cross-Site Request Forgeries
> (I somehow managed not to see this post)
>
> * November 2001: I describe it on webappsec, including "ticket"
> solution
> http://www.securityfocus.com/archive/107/224715
> Name: Client-side Trojans
> (A modified version of the text appears in my book, there
> named "Web Trojans".)
>
> * December 2004: Thomas Schreiber writes about it on webappsec
> http://www.securityfocus.com/archive/107/384630
> Name: Session Riding
>
> ---------------------------------------------------------------------------
>
> The confusion is complete. This is, IMHO, a very serious problem that
> people keep rediscovering, but that never gets the attention it really
> deserves. I've reviewed web apps for five years now, and have yet to
> discover one that isn't vulnerable.
>
> Sverre.
>
> --
> shh at thathost.com                    http://shh.thathost.com/
> My web security book: Innocent Code    http://innocentcode.thathost.com/
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
---
Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
http://www.whitehatsec.com
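The "ticket" defense Sverre's November 2001 post refers to, modelled as an added example (not code from either poster): a vote endpoint that trusts only the session cookie accepts a request the browser was induced to send from another site, while one that also demands a per-session ticket embedded in its own form rejects it. The voting app, cookie name and ticket format are assumptions for illustration, and the model assumes a session exists so the ticket has something to bind to.

```python
"""Model of the 'ticket' (anti-CSRF token) defense. Added example; the
VotingApp class, cookie names and ticket format are hypothetical."""
import hmac
import secrets


class VotingApp:
    """Tiny stand-in for a vote endpoint that identifies users by cookie."""

    def __init__(self, require_ticket: bool):
        self.require_ticket = require_ticket
        self.sessions = {}   # session id -> {"user": ..., "ticket": ...}
        self.votes = {}      # user -> chosen option

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        # The ticket is an unguessable value bound to this session. Only
        # pages the server renders for the session carry it, so a third-party
        # page can make the browser send the cookie but cannot supply it.
        self.sessions[sid] = {"user": user, "ticket": secrets.token_urlsafe(16)}
        return sid

    def render_vote_form(self, sid: str) -> dict:
        return {"ticket": self.sessions[sid]["ticket"]}

    def vote(self, cookies: dict, params: dict):
        sess = self.sessions.get(cookies.get("sid"))
        if sess is None:
            return 401, "no session"
        if self.require_ticket:
            supplied = params.get("ticket", "")
            # Constant-time compare so the check itself leaks nothing.
            if not hmac.compare_digest(supplied, sess["ticket"]):
                return 403, "missing or invalid ticket"
        self.votes[sess["user"]] = params["option"]
        return 200, "vote recorded"


def demo(require_ticket: bool):
    """Returns (genuine status, forged status, final recorded vote)."""
    app = VotingApp(require_ticket)
    sid = app.login("alice")
    cookie = {"sid": sid}   # the browser attaches this automatically
    # Request from the server's own form: includes the session's ticket.
    form = app.render_vote_form(sid)
    genuine = app.vote(cookie, {"option": "A", "ticket": form["ticket"]})
    # Request the browser was induced to send by another site: it carries
    # the cookie, but only the parameters that other site chose.
    forged = app.vote(cookie, {"option": "B"})
    return genuine[0], forged[0], app.votes["alice"]
```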