[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Sverre H. Huseby shh at thathost.com
Wed May 4 15:23:34 EDT 2005


[Matt Fisher]

|   Has anyone had the chance to test this on two different browsers?
|   
|   I.e. I'm doing my bank work on my first instance of IE, I open
|   another IE to surf.

I think it's easy to check it out: In your second IE (after logging in
to the bank in the first IE), enter the URL of a protected page in the
bank.  If you can see it without being prompted for user credentials,
these attacks will most likely work.

Please report back if you test.


Sverre.

-- 
shh at thathost.com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
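The check described in the reply above, as an added Python model that is not part of the original thread: two browser windows either share one cookie jar or not, a toy bank (constructed names "alice" and "mallory") authenticates a request by the session cookie alone, and a hidden form on a third-party page loaded in the second window posts to the bank; the same model shows that a per-session token the third-party page cannot read stops the forged request even when the jar is shared.

```python
import secrets


class Bank:
    """Toy server (constructed for this example). Sessions are identified
    only by a cookie; optionally a per-session anti-CSRF token must also be
    echoed back in the submitted form."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}      # session id -> {"user": ..., "token": ...}
        self.transfers = []

    def login(self, jar, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "token": secrets.token_hex(16)}
        jar["SESSION"] = sid    # Set-Cookie lands in the browser's cookie jar

    def protected_page(self, jar):
        """Page body (which carries the token) if the cookie is valid, else None."""
        sess = self.sessions.get(jar.get("SESSION"))
        return None if sess is None else {"user": sess["user"], "token": sess["token"]}

    def transfer(self, jar, form):
        sess = self.sessions.get(jar.get("SESSION"))
        if sess is None:
            return "login required"
        if self.require_token and form.get("token") != sess["token"]:
            return "rejected"   # cookie alone is not enough
        self.transfers.append((sess["user"], form["to"], form["amount"]))
        return "ok"


def simulate(shared_jar, require_token):
    """shared_jar=True models two windows sharing one cookie jar (the case the
    reply asks about).  Window 1 logs in; window 2 first loads a protected
    page (the manual check from the reply), then loads a third-party page
    whose hidden form posts a transfer.  The browser attaches whatever
    cookies jar2 holds; the form carries no token, because the page that
    received the token lives on the bank's origin, not the attacker's."""
    bank = Bank(require_token)
    jar1 = {}
    jar2 = jar1 if shared_jar else {}
    bank.login(jar1, "alice")
    page_visible = bank.protected_page(jar2) is not None
    forged_form = {"to": "mallory", "amount": 100}     # constructed, no "token"
    return {"page_visible": page_visible,
            "forged_transfer": bank.transfer(jar2, forged_form)}
```

If `simulate(True, False)` reports the page visible and the transfer "ok", the second window rides the first window's session exactly as the thread describes; `simulate(True, True)` shows the token check rejecting the same request.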
