[WEB SECURITY] A reminder that CSRF attacks affect more than websites

MustLive mustlive at websecurity.com.ua
Sat May 29 16:39:45 EDT 2010

Hello Robert!

It's a nice example of the non-website use of CSRF attacks (in this case for
attacking FTP), which as a result can lead to an attack on the site, such as
issuing FTP commands that allow attacking the site whose FTP account was
attacked (like setting the necessary permissions, deleting some files, etc.).

There are many other types of web-related vulnerabilities besides CSRF which
exist not only on web sites and in web apps, but also in other software and
hardware devices, such as XSS, or even spamming. Remember Cross-site
Printing, found at the end of 2007 by Aaron Weaver, which can be used for
printer spamming from the web.

XSS can occur in different types of software and hardware devices: on web
sites and in web apps as well as in local applications, such as browsers and
other local software. There are special classes of XSS for such types of
vulnerabilities, like Cross Context Scripting (Cross-zone Scripting) and
Local XSS, which I recently wrote about to the list. And soon I'll write to
the list about another interesting type of XSS (which I have already written
about on my site): Cross-Language Scripting.

Taking into account the many hardware devices with built-in web servers and
administration interfaces, it's clear that there are a lot of places for XSS
and CSRF besides the Web ;-). And every day more such hardware devices
appear.

Best wishes & regards,
Administrator of Websecurity web site

* From: robert at xxxxxxxxxxxxx
* Subject: [WEB SECURITY] A reminder that CSRF attacks affect more than
* Date: Wed, 26 May 2010 14:42:27 -0400 (EDT)

> A reminder that CSRF attacks affect more than websites
> http://www.cgisecurity.com/2010/05/a-reminder-that-csrf-affects-more-than-websites.html
> Regards,
> - Robert A.
> http://www.webappsec.org/
