[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Jeremiah Grossman jeremiah at whitehatsec.com
Wed May 4 10:48:59 EDT 2005

On Tuesday, May 3, 2005, at 11:42 PM, Sverre H. Huseby wrote:
> |   it all looks like cross site scripting and/or Insufficient
> |   Authentication to me.
> It works on servers which are not vulnerable to HTML Injection, so
> it's not XSS in the traditional meaning of the word.  In fact,
> scripting need not even be involved.

So I'm clear, can you describe an example of this?

> |   I see these types of problems everyday and I think they fit well
> |   into the existing classification system [...]
> That's what I fail to see.  It's not XSS, it may have something to do
> with authentication, and it has something to do with Social
> Engineering.
> If your time permits, would you please tell me how you would describe
> it using the existing classification system?

Actually, we might be able to use your example I requested above. This 
should be an interesting experiment on how to apply the threat 
classification to something esoteric.


The Web Security Mailing List