WebApp Sec mailing list archives

Re: blocking CSRF attacks


From: "Sverre H. Huseby" <shh-ml () thathost com>
Date: Sat, 15 Dec 2007 18:48:48 +0100

[Sorry for not replying to the original post, but I lost it.]

I wrote this six years ago:

  http://shh.thathost.com/text/client-side-trojans.txt

The history of CSRF is quite long, and the problem has been given several names (not sure if the links still work, as this is a list I made a couple of years ago):

* May 2000: Jim Fulton writes about it on zope.org
  http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan
  Name: Client-side Trojan

    * May 2000: Referenced on Linux Weekly News
      http://lwn.net/2000/features/Redirect.php3

    * May 2000: Referenced on kuro5hin.org, including demo of having
      people post messages to slashdot.
      http://www.kuro5hin.org/story/2000/5/9/183550/1910

* June 2001: Peter W describes it on BugTraq
  http://www.securityfocus.com/archive/1/191390
  Name: Cross-Site Request Forgeries

* December 2004: Thomas Schreiber writes about it on webappsec
  http://www.securityfocus.com/archive/107/384630
  Name: Session Riding


Sverre.

