[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Bill Pennington bill at whitehatsec.com
Tue May 3 18:43:45 EDT 2005

Hey Sverre nice historical document ;-)

I am having a problem giving this a new name; it all looks like cross-site
scripting and/or Insufficient Authentication to me. I think we should try
to be rather ruthless in giving things new names when they are just
combinations or variations of existing threats. It is a bit of a problem
with web apps in that the result of an attack might make things new or
exciting, but the attack vector is one we have already classified. Maybe
the existing names are bad (don't even get me started on XSS!) but
inventing new ones (maybe bad ones at that) seems an even worse idea. In
your examples from the webappsec posting I would infer that a session does
not even exist for the voting app, so how can I be riding one?

Great work as always Sverre, I hope you don't take my rant as an attack on
what you have put together; it is great stuff. I see these types of
problems every day and I think they fit well into the existing
classification system, and there is no need to create new names for them.
I think we need to understand that by combining attacks and/or weaknesses
in web apps we can do exponentially more damage, but that the combination
does not require a new name.

On May 3, 2005, at 12:36 PM, Sverre H. Huseby wrote:

> Some nut (like me) may find this interesting.  I compiled this list
> for one of the fine speakers at OWASP Europe 2005 in London a couple
> of weeks ago.  He mentioned Session Riding in his entertaining speech,
> but wasn't familiar with the history.  If this apparently extremely
> clever guy wasn't, then I guess other people aren't either.
> -----------------------------------------------------------------------
> The History of Session Riding, as Far as I Know
> -----------------------------------------------
> * May 2000: Jim Fulton writes about it on zope.org
>   http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
>   Name: Client-side Trojan
>     * May 2000: Referenced on Linux Weekly News
>       http://lwn.net/2000/features/Redirect.php3
>     * May 2000: Referenced on kuro5hin.org, including demo of having
>       people post messages to slashdot.
>       http://www.kuro5hin.org/story/2000/5/9/183550/1910
> * June 2001: Peter W describes it on BugTraq
>   http://www.securityfocus.com/archive/1/191390
>   Name: Cross-Site Request Forgeries
>   (I somehow managed not to see this post)
> * November 2001: I describe it on webappsec, including "ticket" solution
>   http://www.securityfocus.com/archive/107/224715
>   Name: Client-side Trojans
>   (A modified version of the text appears in my book, there
>    named "Web Trojans".)
> * December 2004: Thomas Schreiber writes about it on webappsec
>   http://www.securityfocus.com/archive/107/384630
>   Name: Session Riding
> -----------------------------------------------------------------------
> The confusion is complete.  This is, IMHO, a very serious problem that
> people keep rediscovering, but that never gets the attention it really
> deserves.  I've reviewed web apps for five years now, and have yet to
> discover one that isn't vulnerable.
> Sverre.
> -- 
> shh at thathost.com               My web security book: Innocent Code
> http://shh.thathost.com/       http://innocentcode.thathost.com/
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/

Bill Pennington, CISSP, CCNA
VP Services
WhiteHat Security Inc.
