[Owasp-ireland] A real bank with a CSRF flaw!

Eoin eoin.keary at owasp.org
Tue Sep 30 05:20:04 EDT 2008


Great, Dave,
We covered this at the last meeting. If anyone needs the slides please drop
me a line.
Also the code review guide covers CSRF from a code perspective and has a
nice flow chart.

ek



2008/9/30 davidrook <david.rook at realexpayments.com>

> Hi all,
>
> Interesting news story here:
> http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/ that
> details how researchers from Princeton University found CSRF flaws in 4
> websites including ING's bank website. The whitepaper that is linked in
> the article is a good read and explains CSRF flaws and preventions very
> well.
>
> Finally the example many people use (transferring funds from an online
> bank using CSRF) to highlight the dangers of CSRF has become a reality.
>
> Thanks,
>
> Dave
>
> --
> David Rook | david.rook at realexpayments.com
> Security Analyst
>
>



-- 
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
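As an added illustration of the fund-transfer scenario Dave mentions (example code written for this page, not code from the thread, the article or the whitepaper): a transfer handler that trusts only the session cookie, beside one that also checks a per-session synchronizer token and the Origin header. The in-memory session store, the bank origin and the request shape are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> session data (assumption).
SESSIONS: dict[str, dict] = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the bank's own site


def login(user: str) -> str:
    """Create a session and a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "balance": 1000}
    return sid


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST (assumed shape)."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def transfer_vulnerable(req: Request) -> str:
    """Relies only on the session cookie, which the browser attaches
    automatically even when the POST was submitted from another site."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    sess["balance"] -= int(req.form.get("amount", "0"))
    return "200 transferred"


def transfer_hardened(req: Request) -> str:
    """Same handler plus two defences: a present Origin header must be the
    bank's own, and the form must carry the token stored in the session,
    which a cross-site page cannot read."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "401 not logged in"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "403 missing or bad csrf token"
    sess["balance"] -= int(req.form.get("amount", "0"))
    return "200 transferred"
```

The hardened handler's token check is the defence the Code Review Guide's CSRF section is concerned with; the Origin check is an additional layer for browsers that send the header.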