[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Sverre H. Huseby shh at thathost.com
Wed May 4 15:23:34 EDT 2005

[Matt Fisher]

|   Has anyone had the chance to test this on two different browsers?
|   I.e. I'm doing my bank work on my first instance of IE, I open
|   another IE to surf.

I think it's easy to check it out: In your second IE (after logging in
to the bank in the first IE), enter the URL of a protected page in the
bank.  If you can see it without being prompted for user credentials,
these attacks will most likely work.

Please report back if you test.


shh at thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
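The check above works because the browser attaches the bank's session cookie to every request for that site, whichever window or page triggered it. The following added example (not part of the original post, and not code from the author or the list) models that server side: a transfer handler that trusts the cookie alone, next to one that additionally demands a same-origin header and a per-session token. The session store, secret key, bank origin and both requests are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for this example only (not from the original post).
TOKEN_KEY = b"example-only-server-secret"
SESSIONS = {"sid-0001": "alice"}        # session cookie value -> logged-in user
SITE_ORIGIN = "https://bank.example"    # hypothetical bank origin


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session token (HMAC) that another site cannot compute or read."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(value: Optional[str]) -> bool:
    """True only if an Origin/Referer value names exactly the site's scheme and host."""
    if not value:
        return False
    got, want = urlsplit(value), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def transfer_vulnerable(req: Request) -> int:
    """Session-riding prone: a valid cookie is all it takes to move money."""
    if req.cookies.get("sid") not in SESSIONS:
        return 401
    return 200          # acts on nothing but ambient cookie authority


def transfer_hardened(req: Request) -> int:
    """Requires proof that the request was submitted from the bank's own page."""
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return 401
    if req.method != "POST":
        return 405      # state changes never happen on GET
    if not same_origin(req.headers.get("Origin") or req.headers.get("Referer")):
        return 403      # cross-site origin (or stripped headers) is refused
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token_for(sid)):
        return 403      # the token is unknown to a page hosted elsewhere
    return 200


# Constructed forged request: the victim's browser attached the bank cookie by
# itself, just as it does for a second browser window, but the page that
# triggered the request lives on another origin and carries no token.
FORGED = Request(
    method="POST",
    cookies={"sid": "sid-0001"},
    form={"to": "attacker", "amount": "1000"},
    headers={"Origin": "https://evil.example"},
)

# Constructed legitimate request submitted from the bank's own form.
LEGIT = Request(
    method="POST",
    cookies={"sid": "sid-0001"},
    form={"to": "bob", "amount": "10", "csrf_token": csrf_token_for("sid-0001")},
    headers={"Origin": SITE_ORIGIN},
)

if __name__ == "__main__":
    print("vulnerable handler, forged request:", transfer_vulnerable(FORGED))  # 200
    print("hardened handler,   forged request:", transfer_hardened(FORGED))    # 403
    print("hardened handler,   legit request: ", transfer_hardened(LEGIT))     # 200
```

The origin check compares scheme and host exactly rather than by prefix, so a host such as bank.example.evil.example does not pass. In today's browsers the SameSite cookie attribute is a further layer that stops the cookie being attached to cross-site requests at all, but the token check stays useful because not every client honours it.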
