michael.coates at owasp.org
Tue May 28 22:35:07 UTC 2013
Jim's example is a real concern. It can be abstracted to any situation when
the owner of the system derives value by having the user logged into the
Think of these examples:
- App X that records your location every minute for some benefit : If an
attacker csrf logs you into this app with the attacker's account then the
attacker could track your movement.
- Similar scenario with a remote admin type app that is granted camera
access. Could the attacker turn on the camera via a webpage for their
Login csrf is a different type of risk and doesn't always apply. But there
are some specific situations where it could be a real concern.
Michael Coates | OWASP | @_mwc
On Tue, May 28, 2013 at 3:25 PM, Eoin <eoin.keary at owasp.org> wrote:
> It's a bit bullshitty :)
> And you assume the victim does not notice they are not logged into their
> account, but rather yours (the attacker).
> Does anyone have any attacks, case studies which result in REAL risk to a
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 28 May 2013, at 23:20, Jim Manico <jim.manico at owasp.org> wrote:
> > For sure.
> > For example, if I can CSRF you to log into a Google account that I
> > control, I can then track all of your Google searches.
> > This is edge case, but still viable.
> > - Jim
> >> Does CSRF-ing a login page make sense to anyone :)
> >> Eoin Keary
> >> Owasp Global Board
> >> +353 87 977 2988
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders