[OWASP-GUIDE] Phishing section in the guide: no XSS or secure auth?

Andrew van der Stock vanderaj at greebo.net
Mon Sep 12 09:28:04 EDT 2005


Comment inserted into the latest chapter - I will deal with it shortly.

Andrew

On 03/08/2005, at 8:45 PM, Javier Fernandez-Sanguino wrote:

> Just a question that poped to my mind when skimming through the  
> phishing section in the Guide:
>
> - There is no mention on the issues related to phishing scams and  
> XSS attacks. While as a phishing web server can be taken off by  
> authorities it is much harder to do so if a phisher users  
> _your_site_ (through XSS) flaws to organise a phishing scam.  Not  
> only the fix is more comlex ("have to fix the application! now!")  
> but also makes other recommendations about phishing worthless  
> ("make sure you are in a secure site? Check. Web site belongs to  
> the bank? Check. SSL in use? Check....")
>
> - (This might be controversial) There is no mention on replacing  
> the aged user/password login process with secure authentication (be  
> it token or smart cards). Granted, secure authentication does not  
> drive phishing attacks away but it does shift them to be "steal  
> password" to "steal session" (or MITM attacks) and if you are using  
> secure authentication for the "operation" key (not the "access"  
> key) i.e. the one that is not associated with the session, you  
> force phishers to shift tactics. (They will probably shift tactis  
> to trojan systems from remote users, however)
>
> Just a few cents to spark some discussion. Andrew, if you want to,  
> I can write some paragraphs about this for that section.
>
> Regards
>
> Javier

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-guide/attachments/20050912/be292536/attachment.html 


More information about the Owasp-guide mailing list