[WEB SECURITY] On Session Riding, Client-side Trojans and Cross-site Request Forgeries

Jeremiah Grossman jeremiah at whitehatsec.com
Wed May 4 17:17:35 EDT 2005

On Wednesday, May 4, 2005, at 12:54  PM, Sverre H. Huseby wrote:

> [Bill Pennington]
> |   Just because it is everywhere does not mean it is not horribly
> |   broken :-)
> True.
> |   Developers do look at these things the "wrong" way all the time.
> Very true.
> |   For sure Insufficient Authorization is a big nasty bucket where a
> |   lot of stuff ends up in. I would not be opposed to breaking it
> |   into a few smaller chunks.
> That would be an interesting, probably long-lasting exercise.  Does
> anyone have the time it takes to dig into it?

The new Threat Classification initiative has not begun, if thats what 
you mean. But given enough interest and points improvement, Im sure we 
might get enough people organized.



The Web Security Mailing List

More information about the websecurity mailing list