[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Sverre H. Huseby shh at thathost.com
Wed May 4 02:42:41 EDT 2005


Hi, Bill!

Thanks for the kind words embedded in your reply!

|   I am having a problem giving this a new name,

I'm not suggesting we find a new name, I'm just pointing out that this
is an issue that people tend to rediscover every now and then.

|   it all looks like cross site scripting and/or Insufficient
|   Authentication to me.

It works on servers which are not vulnerable to HTML Injection, so
it's not XSS in the traditional meaning of the word.  In fact,
scripting need not even be involved.

|   I think we should try to be rather ruthless in giving things new
|   names when they are just combinations or variations of existing
|   threats.

Agreed.

As I see it, the existing threat is Social Engineering.  You trick
people into doing something they don't see the consequences of.

|   In your examples from the webappsec posting I would infer that a
|   session does not even exist for the voting app so how can I be
|   riding one?

Exactly.  That's why I still call it "Web Trojans" myself. :)

|   I hope you don't take my rant as an attack on what you have put
|   together

Not at all, Bill!

|   I see these types of problems everyday and I think they fit well
|   into the existing classification system [...]

That's what I fail to see.  It's not XSS, it may have something to do
with authentication, and it has something to do with Social
Engineering.

If your time permits, would you please tell me how you would describe
it using the existing classification system?


Sverre.

-- 
shh at thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
