Cross-site request exploits

October 23, 2008, 10:21 am (http://glinden.blogspot.com/)


Bill Zeller and Ed Felten have an interesting paper, "Cross-Site Request Forgeries: Exploitation and Prevention" (PDF), that looks at exploiting the implicit authentication in browsers (the cookies a browser attaches to every request for a site) to take actions on the user's behalf using img tags or JavaScript.

The most dramatic of the attacks allowed the attacker to take all the money from someone's ING Direct account just by visiting a web page. The attack sent POST requests to ING Direct using JavaScript, so the requests came from the victim's own browser and carried the victim's authentication cookies. The POST requests quickly and quietly cause the victim's browser to create a new account by transferring money from their existing account, add the attacker as a valid payee on the new account, then transfer the funds to the attacker's account. Danger, Will Robinson.
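The root cause above is that the bank honoured any POST that carried the victim's session cookie, which the browser attaches automatically. The standard fix is the one the paper's title promises to discuss: a per-session secret (a synchronizer token) that the site embeds in its own forms and that a page on another origin cannot read, checked on every state-changing request. The following is an added illustration, not code from the paper, from ING Direct, or from the blog post; the in-memory session store, the `Request` class, the `bank.example` and `evil.example` origins and the amounts are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: cookie value -> session data.
SESSIONS = {}

# Constructed placeholder for the site's own origin.
SITE_ORIGIN = "https://bank.example"


def login(username):
    """Create a session the way a site does after authentication.

    Returns the cookie value the browser will now attach to every request
    for this site, which is exactly the implicit authentication CSRF abuses.
    """
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": username, "csrf": None}
    return cookie


def issue_csrf_token(cookie):
    """Synchronizer token: a random secret stored in the session and written
    into the site's own forms as a hidden field. A page on another origin
    cannot read it, so it cannot forge a request that contains it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[cookie]["csrf"] = token
    return token


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP POST (constructed for this example)."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(req):
    """Cookie-only authorization: any POST bearing the victim's cookie is honoured,
    including one a hostile page made the victim's browser send."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "denied: not logged in"
    return f"transferred {req.form['amount']} to {req.form['to']} for {session['user']}"


def transfer_hardened(req):
    """Same action, but the request must prove it came from the site's own form."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "denied: not logged in"
    # 1. Origin check: browsers add an Origin header to cross-site POSTs.
    #    If it is present and not ours, refuse early. Absence is not proof of
    #    safety (older clients, proxies), so fall through to the token check.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "denied: cross-site origin"
    # 2. Synchronizer token, compared in constant time. Encode to bytes so a
    #    non-ASCII value supplied by a client cannot raise TypeError.
    expected = session.get("csrf")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "denied: missing or invalid CSRF token"
    return f"transferred {req.form['amount']} to {req.form['to']} for {session['user']}"


def run_demo():
    """Replay the two situations from the post against both handlers."""
    sid = login("victim")
    token = issue_csrf_token(sid)
    # Forged request: a page on another origin makes the victim's browser POST.
    # The browser adds the session cookie by itself; the token is unknown to it.
    forged = Request(cookies={"sid": sid},
                     form={"to": "attacker", "amount": "1000"},
                     headers={"Origin": "https://evil.example"})
    # Legitimate request: the site's own form, which carried the hidden token.
    legit = Request(cookies={"sid": sid},
                    form={"to": "landlord", "amount": "500", "csrf_token": token},
                    headers={"Origin": SITE_ORIGIN})
    return {
        "vulnerable_forged": transfer_vulnerable(forged),
        "hardened_forged": transfer_hardened(forged),
        "hardened_legit": transfer_hardened(legit),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Running it shows the vulnerable handler moving money on the forged request while the hardened handler refuses it and still accepts the real form submission. The Origin check alone would have been enough for the cross-site case shown here, but the token check is what protects requests where the header is missing, which is why both are layered.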

Please see also Bill Zeller's blog post describing the attack and the Wikipedia page for cross-site request forgery.

[Paper found via Bruce Schneier]
