[Owasp-leaders] CSRF

Eoin eoin.keary at owasp.org
Tue May 28 22:39:45 UTC 2013


Nice use case, Mike.
It is very contextual in terms of risk.
Nice to talk about this stuff as opposed to political malarkey :)


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 28 May 2013, at 23:35, Michael Coates <michael.coates at owasp.org> wrote:

> Jim's example is a real concern. It can be abstracted to any situation when the owner of the system derives value by having the user logged into the account.
> 
> Think of these examples:
> - App X that records your location every minute for some benefit: if an attacker CSRF-logs you into this app with the attacker's account, then the attacker could track your movement.
> - Similar scenario with a remote admin type app that is granted camera access. Could the attacker turn on the camera via a webpage for their account?
> 
> Login csrf is a different type of risk and doesn't always apply. But there are some specific situations where it could be a real concern.
> 
> 
> --
> Michael Coates | OWASP | @_mwc
> 
> 
> 
> On Tue, May 28, 2013 at 3:25 PM, Eoin <eoin.keary at owasp.org> wrote:
>> It's a bit bullshitty :)
>> 
>> And you assume the victim does not notice they are not logged into their account, but rather yours (the attacker's).
>> 
>> Does anyone have any attacks, case studies which result in REAL risk to a business??
>> 
>> 
>> 
>> 
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 28 May 2013, at 23:20, Jim Manico <jim.manico at owasp.org> wrote:
>> 
>> > For sure.
>> >
>> > For example, if I can CSRF you to log into a Google account that I
>> > control, I can then track all of your Google searches.
>> >
>> > This is an edge case, but still viable.
>> >
>> > - Jim
>> >
>> >> Does CSRF-ing a login page make sense to anyone :)
>> >>
>> >>
>> >> Eoin Keary
>> >> Owasp Global Board
>> >> +353 87 977 2988
>> >>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
> 
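The usual mitigation for the login CSRF scenario debated above, written here as an added example (it is not code from the thread or from OWASP): a login form protected by a synchronizer token bound to an anonymous pre-login session, plus an Origin header check. The site name, the attacker origin and all function names are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Server-side key used to bind tokens to sessions (constructed here for the example).
SERVER_KEY = secrets.token_bytes(32)
SITE = "https://app.example"  # assumed origin of the protected application


def new_pre_session() -> str:
    """Issue an anonymous session id before login; set as a cookie with the form."""
    return secrets.token_urlsafe(32)


def login_csrf_token(pre_sid: str) -> str:
    """Synchronizer token for the login form, keyed to the anonymous pre-session.
    A cross-site page cannot read the victim's cookie, so it cannot compute this."""
    return hmac.new(SERVER_KEY, pre_sid.encode(), hashlib.sha256).hexdigest()


def handle_login(cookie_sid: Optional[str], form: dict, origin: Optional[str]) -> str:
    """Server-side login handler: returns a short status string.
    Rejects a forged login (the attacker logging the victim into the attacker's
    account) unless both the Origin header and the pre-session token check out."""
    if origin is not None and origin != SITE:
        return "rejected: cross-origin request"
    if cookie_sid is None:
        return "rejected: no pre-login session"
    expected = login_csrf_token(cookie_sid)
    if not hmac.compare_digest(form.get("csrf", ""), expected):
        return "rejected: missing or invalid login token"
    # Credential verification would follow here; omitted for the example.
    return f"authenticated as {form.get('user')}"


def demo() -> tuple:
    """Legitimate login versus a cross-site forged login against the same victim."""
    victim_sid = new_pre_session()  # set on the victim's browser when the form loads
    # The real form carries the token the server rendered into it.
    legit = handle_login(victim_sid,
                         {"user": "alice", "csrf": login_csrf_token(victim_sid)},
                         origin=SITE)
    # A form auto-submitted from another site: the browser still attaches the
    # victim's cookie, but the page cannot supply the token and Origin differs.
    forged = handle_login(victim_sid,
                          {"user": "attacker-owned-account"},
                          origin="https://attacker.example")
    return legit, forged
```

The token check alone is sufficient; the Origin check is defence in depth, since older clients may omit the header (which is why a missing Origin is tolerated rather than rejected).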

