lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <6905b1570704160809t60b17fecra607f4cf79cfab14@mail.gmail.com>
Date: Mon, 16 Apr 2007 16:09:56 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	"WASC Forum" <websecurity@...appsec.org>,
	"webappsec @OWASP" <webappsec@...ts.owasp.org>
Subject: Persistent CSRF and The Hotlink Hell

http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell/
http://michaeldaw.org/papers/hotlink_persistent_csrf/

I would like to bring your attention to a topic that has been rarely
discussed. I am going to talk about hotlinks, redirections and of
course CSRF (Cross-site Request Forgery).

When we talk about CSRF we often assume that there is one kind only.
After all, what else is in there when CSRF is all about making GET or
POST requests on behalf of the victim? The victim needs to visit a
page which launches the CSRF exploit. If the victim happens to have an
established session with the exploited application, the attacker can
perform the desired action like resetting the login credentials, for
example.

However, CSRF can be as persistent as persistent XSS (Cross-site
Scripting) is and you don't need XSS to support it. Persistent CSRF is
not dependent on persistent XSS.

I hope that you find the post useful.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ