WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: Marc Slemko <marcs () znep com>
Date: Mon, 2 Dec 2002 17:07:19 -0800 (PST)
On Mon, 2 Dec 2002, Kevin Spett wrote:
> There have been a number of publicized Hotmail problems that were being exploited. This was back when you could send scripted content in an email message and it would get executed. You would open your mail, it'd pop up a window saying "Oh, I'm sorry you'll have to log in again" or something.
Hotmail is a great example because it combines two key elements:

1. poorly implemented, widely deployed (compared to others) single sign-on system
2. easy attack vector (email to a hotmail account... easy to do both mass and targeted attacks, you are kidding yourself if you think there are no more holes in hotmail's HTML filters)

This makes all sorts of combinations of circumstance ripe for exploitation. For example, if someone logs into their MSN messenger account, follows the link to view their hotmail inbox, then reads your message you can steal any credit cards in their passport wallet (or MSN wallet, which is what they are replacing passport wallet with... little difference in this regard).

Obviously this is just one particular scenario (and a tired old one at that), and requires the combination of a couple of cross site scripting holes plus a few key design problems in passport, but the possibilities are nearly limitless and the number of possible interactions between sites using the SSO system grows exponentially as the number of sites using the SSO increases.

Yup, this is an almost identical scenario to the one I publicized last year. The more things change the more they stay the same.