WebApp Sec mailing list archives

Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"


From: "Sverre H. Huseby" <shh () thathost com>
Date: Thu, 16 Dec 2004 18:08:52 +0100

[Thomas Schreiber]

|   SESSION RIDING - A Widespread Vulnerability in Today's Web Applications
|   http://www.securenet.de/papers/Session_Riding.pdf

Nice work.

|   In this paper we describe an issue that was raised in 2001 under
|   the name of Cross-Site Request Forgeries (CSRF).

The problem you describe (if I understand correctly) was first (to my
knowledge) described in May 2000 by Jim Fulton in the Zope community.
The phenomenon was baptised "Client Side Trojans" back then.

I totally agree that this problem hasn't got the attention it
deserves, and that an enormous amount of web sites are vulnerable.


Sverre.

