SEARCH RESULTS
FBI CSRF and Jail How to Get Someone Raided

2008-03-20 22:09:20 by Bill in Grumpy Security Guy
 
...CSRF (Cross Site Request Forgery). Now this is not classic CSRF, since CSRF generally implies I am exercising some functionality on the target site. I am using CSRF as a handy term for: if you visit a page I control content on, I can make you request any other link I want. Now remember this is not only pages like this blog where I clearly control...
New Cross-Site Request Forgery Attacks

2008-10-06 05:42:04 by schneier in Schneier on Security
 
...CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the...
Bots + Web Vulnerabilities - An Approaching Storm

2008-05-15 21:55:13 by Bill in Grumpy Security Guy
 
...CSRF. So here is the attack: find a few permanent XSS vulnerabilities in some high traffic sites. Find some CSRF vulns in popular blog and forum software. Craft your payload. Profit. So the bot software basically sits back and waits until the computer it is on visits a vulnerable site and then places its payload in the vulnerable spot. It could of...
The Twitter Malware Campaign Wants to Bank With You

2008-08-05 07:14:42 by Dancho Danchev in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

...CSRF). More info. This week it's Twitter's turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for pretty rabbit, which has a photo advertising a video with girls posted. This profile has obviously...
Gmail security and recent phishing activity

2008-11-25 13:22:00 by Niels Provos in Google Online Security Blog
 
...CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed and deployed worldwide within 24 hours of private disclosure of the bug details. We know of no affected users. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft. We recognize how many people depend on Gmail,...
Phishing Using FasterFox Prefetching

2008-01-03 16:18:15 by RSnake in ha.ckers.org web application security lab
 
...CSRF. So yes, this apparently can also be used for phishing in FasterFox. I haven't tested Opera yet. But either way, it's a very cool example of why pre-fetching can be nasty.
Links for 2008-01-17 [del.icio.us]

2008-01-18 00:00:00 by Editor in Anton Chuvakin Blog -
 
...CSRF Demystified | GNUCITIZEN OpenXDAS InfoDev-Security.net Part Three Getting with JG Diagrams and Analysis blog.pmarca.com: The three kinds of platforms you meet on the Internet The key term in the definition of platform is "programmed". If you can program it, then it's a platform. If you can't, then it's not Arbor Networks buys networking...
Data Leakage/Linkage Mystery

2007-11-20 22:29:00 by Security Retentive in Security Retentive
 
...CSRF or some-such? Any ideas? I'm not sweating it too badly I suppose, but it is slightly disconcerting.
An Open Letter to Ken Leonard, CEO, ScanAlert

2008-01-25 13:45:00 by Russ McRee in HolisticInfoSec.org
 
...CSRF, etc. is, in essence, a misrepresentation. If a consumer commits a transaction on a site that is vulnerable, are they not at risk due to vulnerabilities your service claims to scan for? While we understand that you are in the business of growing revenue by indicating websites as hacker safe, we believe you are also beholden to the...
CIAC Tech Bulletin on XSS a valuable reference

2008-06-10 10:21:00 by Russ McRee in HolisticInfoSec.org