[Owasp-leaders] CSRF

Michael Coates michael.coates at owasp.org
Tue May 28 22:35:07 UTC 2013


Jim's example is a real concern. It can be abstracted to any situation in which
the owner of the system derives value from having the user logged into the
account.

Think of these examples:
- App X that records your location every minute for some benefit: if an
attacker CSRF-logs you into this app with the attacker's account, then the
attacker could track your movement.
- Similar scenario with a remote-admin type app that is granted camera
access. Could the attacker turn on the camera via a webpage for their
account?

Login CSRF is a different type of risk and doesn't always apply. But there
are some specific situations where it could be a real concern.


--
Michael Coates | OWASP | @_mwc
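The standard mitigation for the login CSRF the thread discusses is a CSRF token bound to the anonymous, pre-login session, so a cross-site POST to the login endpoint cannot supply it. The following is an added example (not code from the thread or from OWASP) with a constructed in-memory user table and a dict standing in for the server-side session; it shows the unprotected handler beside the hardened one.

```python
import hmac
import secrets

# Constructed user table for the demonstration (assumption, not real data).
USERS = {"alice": "correct horse"}


def new_pre_login_session():
    """Create an anonymous (pre-login) session that already carries a CSRF token.
    The login form must echo this token; a forged cross-site POST cannot read it."""
    return {"user": None, "csrf_token": secrets.token_urlsafe(32)}


def login_vulnerable(session, form):
    """Login handler with no CSRF check: any site can POST the attacker's own
    credentials here and leave the victim's browser logged into the attacker's
    account (login CSRF), after which the app records the victim's activity there."""
    if USERS.get(form.get("username")) == form.get("password"):
        session["user"] = form["username"]
        return True
    return False


def login_hardened(session, form):
    """Same handler, but the submitted form must carry the pre-login session's token.
    The comparison is constant-time, and on success the session is rotated so the
    post-login session holds a fresh token rather than one issued before login."""
    submitted = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return False  # token missing or wrong: leave session state untouched
    if USERS.get(form.get("username")) != form.get("password"):
        return False
    session.clear()
    session["user"] = form["username"]
    session["csrf_token"] = secrets.token_urlsafe(32)
    return True
```

In a real deployment the anonymous session must be set before the login form is rendered, or there is nothing to bind the token to.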



On Tue, May 28, 2013 at 3:25 PM, Eoin <eoin.keary at owasp.org> wrote:

> It's a bit bullshitty :)
>
> And you assume the victim does not notice they are not logged into their
> account, but rather yours (the attacker's).
>
> Does anyone have any attacks, case studies which result in REAL risk to a
> business??
>
>
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 28 May 2013, at 23:20, Jim Manico <jim.manico at owasp.org> wrote:
>
> > For sure.
> >
> > For example, if I can CSRF you to log into a Google account that I
> > control, I can then track all of your Google searches.
> >
> > This is an edge case, but still viable.
> >
> > - Jim
> >
> >> Does CSRF-ing a login page make sense to anyone :)
> >>
> >>
> >> Eoin Keary
> >> Owasp Global Board
> >> +353 87 977 2988
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
>