[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Jeremiah Grossman jeremiah at whitehatsec.com
Wed May 4 10:48:59 EDT 2005


On Tuesday, May 3, 2005, at 11:42 PM, Sverre H. Huseby wrote:
>
> |   it all looks like cross site scripting and/or Insufficient
> |   Authentication to me.
>
> It works on servers which are not vulnerable to HTML Injection, so
> it's not XSS in the traditional meaning of the word.  In fact,
> scripting need not even be involved.


So I'm clear, can you describe an example of this?


> |   I see these types of problems everyday and I think they fit well
> |   into the existing classification system [...]
>
> That's what I fail to see.  It's not XSS, it may have something to do
> with authentication, and it has something to do with Social
> Engineering.
>
> If your time permits, would you please tell me how you would describe
> it using the existing classification system?

Actually, we might be able to use your example I requested above. This should be an interesting experiment on how to apply the threat classification to something esoteric.


Regards,

Jeremiah-


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/