[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries
Sverre H. Huseby
shh at thathost.com
Wed May 4 15:23:34 EDT 2005
[Matt Fisher]
| Has anyone had the chance to test this on two different browsers ?
|
| I.e. I'm doing my bank work on my first instance of IE, I open
| another IE to surf.
I think it's easy to check it out: In your second IE (after logging in
to the bank in the first IE), enter the URL of a protected page in the
bank. If you can see it without being prompted for user credentials,
these attacks will most likely work.
Please report back if you test.
Sverre.
--
shh at thathost.com My web security book: Innocent Code
http://shh.thathost.com/ http://innocentcode.thathost.com/
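The condition Sverre describes, a second window that can reach a protected page because it shares the first window's authenticated session, is exactly what a session-riding request relies on: the browser attaches the bank's cookie to any request for the bank's host, no matter which page built the request. The Python model below is added here as an example and is not code from the original post or its author; it contrasts a handler that trusts the session cookie alone with one that additionally checks a same-origin Origin/Referer header and a per-session synchronizer token. The origins, user names and the in-memory session store are all constructed for illustration.

```python
"""Toy model of session riding / CSRF.

A request built by another site arrives with the victim's session cookie,
because the browser attaches it to any request for the bank's host, from
any window or tab.  A handler that trusts the cookie alone is fooled; the
hardened handler also requires a per-session synchronizer token and a
same-origin Origin/Referer header.  All names, origins and the in-memory
session store are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # placeholder origin for the protected site


@dataclass
class Session:
    user: str
    # synchronizer token: random, bound to the session, unknown to other sites
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookies: dict   # what the browser attached automatically
    form: dict      # POST body, chosen by whoever built the form
    headers: dict   # Origin / Referer as set by the browser


SESSIONS: dict[str, Session] = {}  # cookie value -> session (constructed store)


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def _same_origin(headers: dict) -> bool:
    """Compare scheme+host of Origin (Referer as fallback) with the site origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance header at all: treat as cross-site
    parts = urlsplit(src)
    site = urlsplit(SITE_ORIGIN)
    return (parts.scheme, parts.netloc) == (site.scheme, site.netloc)


def transfer_unprotected(req: Request) -> tuple[int, str]:
    """Vulnerable: accepts any request that carries a valid session cookie."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "login required"
    return 200, f"{sess.user} sent {req.form['amount']} to {req.form['to']}"


def transfer_protected(req: Request) -> tuple[int, str]:
    """Hardened: session cookie + same-origin check + synchronizer token."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "login required"
    if not _same_origin(req.headers):
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid csrf token"
    return 200, f"{sess.user} sent {req.form['amount']} to {req.form['to']}"


def demo() -> dict:
    """Run the same forged request against both handlers; return status codes."""
    sid = login("alice")  # first window: alice logs in to the bank
    # Second window visits another site whose form targets the bank.  The
    # browser still attaches alice's cookie, but the Origin is the other site
    # and that form cannot contain alice's token.
    forged = Request(
        cookies={"sid": sid},
        form={"to": "mallory", "amount": "1000"},
        headers={"Origin": "https://other.example"},
    )
    # A genuine request from the bank's own page carries the token.
    genuine = Request(
        cookies={"sid": sid},
        form={"to": "bob", "amount": "10", "csrf_token": SESSIONS[sid].csrf_token},
        headers={"Origin": SITE_ORIGIN},
    )
    nocookie = Request(cookies={}, form=forged.form, headers=forged.headers)
    return {
        "forged_unprotected": transfer_unprotected(forged)[0],      # 200: rides the session
        "forged_protected": transfer_protected(forged)[0],          # 403
        "genuine_protected": transfer_protected(genuine)[0],        # 200
        "nocookie_unprotected": transfer_unprotected(nocookie)[0],  # 401
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The check in the email maps onto the `nocookie_unprotected` versus `forged_unprotected` cases: if the second window is prompted for credentials, the request arrives without the cookie and fails; if the protected page loads, the cookie is shared and only the token and origin checks stand between the site and a forged transfer.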
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/