[WEB SECURITY] Csrf - parse for tokens and reuse
Jim Manico
jim at manico.net
Sun Apr 25 13:41:09 EDT 2010
> What does the photo help with the token if you don't have the session-ID?
Think of an enterprise environment where someone is signed into your
corporate app via SSO for 8 or more hours a day. Take your photo, rip
out the CSRF token, and email or IM a link to that user. You do not
need the session ID and this does not depend on any other weaknesses.
Keep sensitive data out of GET requests. GET requests - and GET
parameters leak all over the place as we talked about in earlier
posts. (no pun intended)
- Jim
PS: But I guess we don't need to worry about this. We can just write
all kinds of insecure crap - and then we will be saved (haaalayluya)
by automated and scalable black box testing! ;)
On Apr 25, 2010, at 10:01 AM, Achim Hoffmann <ah at securenet.de> wrote:
> What does the photo help with the token if you don't have the session-ID?
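The scenario above is that a CSRF token exposed in a URL (in a screenshot, a log, a Referer header or a forwarded link) is still usable against the same logged-in user, because the browser supplies the session cookie itself. The defensive consequence is the one the post states: never carry the token in GET parameters, and never let a GET request change state. The following is an added illustration, not code from the post or the list; it shows a server-side validator that refuses state changes over GET, refuses a token presented in the query string, and otherwise checks a session-bound token in constant time. `SERVER_SECRET`, the `csrf_token` parameter name and the `X-CSRF-Token` header name are assumptions chosen for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret used to bind tokens to sessions (constructed for this example).
SERVER_SECRET = b"example-server-secret-not-for-production"

# Methods that may carry a state change; anything else (notably GET) is refused outright.
STATE_CHANGING_METHODS = ("POST", "PUT", "PATCH", "DELETE")


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to one session.

    A token derived this way only validates together with its own session, so a
    token captured from one user's screen is worthless in another user's session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def validate_state_changing_request(method: str, url: str, headers: dict,
                                    body: str, session_id: str) -> tuple:
    """Return (accepted, reason) for a request that wants to change state.

    The token is accepted only from the POST body or the X-CSRF-Token header
    (assumed header name), never from the query string, so it cannot end up in
    browser history, proxy logs, Referer headers or a shared link.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return False, "state change over GET (or another non-mutating method) is refused"

    query = parse_qs(urlsplit(url).query)
    if "csrf_token" in query:
        # Refuse even a correct token here: a URL-borne token is a leaked token.
        return False, "token in query string is refused"

    presented = headers.get("X-CSRF-Token")
    if presented is None:
        presented = parse_qs(body).get("csrf_token", [None])[0]
    if presented is None:
        return False, "no token presented"

    expected = issue_csrf_token(session_id)
    # Compare as bytes in constant time to avoid timing side channels.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return False, "token does not match this session"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic for one session.
    session = "sess-A"
    token = issue_csrf_token(session)
    print(validate_state_changing_request("GET", "/transfer?amount=1&csrf_token=" + token,
                                          {}, "", session))
    print(validate_state_changing_request("POST", "/transfer?csrf_token=" + token,
                                          {}, "amount=1", session))
    print(validate_state_changing_request("POST", "/transfer", {},
                                          "amount=1&csrf_token=" + token, session))
```

The first two calls are refused regardless of whether the token is correct, which is the point: a token that can appear in a URL has already lost, so the server should not even consider it. The session binding is a separate layer and does not by itself defeat the link-to-the-victim case the post describes, since the victim's own session and token match; only keeping the token out of GET and refusing state changes over GET closes that.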