eoin.keary at owasp.org
Tue May 28 22:39:45 UTC 2013
Nice use case, Mike.
It is very contextual in terms of risk.
Nice to talk about this stuff as opposed to political malarkey :)
OWASP Global Board
+353 87 977 2988
On 28 May 2013, at 23:35, Michael Coates <michael.coates at owasp.org> wrote:
> Jim's example is a real concern. It can be abstracted to any situation when the owner of the system derives value by having the user logged into the account.
> Think of these examples:
> - App X that records your location every minute for some benefit: If an attacker CSRF-logs you into this app with the attacker's account, then the attacker could track your movement.
> - Similar scenario with a remote admin type app that is granted camera access. Could the attacker turn on the camera via a webpage for their account?
> Login CSRF is a different type of risk and doesn't always apply. But there are some specific situations where it could be a real concern.
> Michael Coates | OWASP | @_mwc
> On Tue, May 28, 2013 at 3:25 PM, Eoin <eoin.keary at owasp.org> wrote:
>> It's a bit bullshitty :)
>> And you assume the victim does not notice they are not logged into their account, but rather yours (the attacker's).
>> Does anyone have any attacks or case studies which result in REAL risk to a business?
>> Eoin Keary
>> OWASP Global Board
>> +353 87 977 2988
>> On 28 May 2013, at 23:20, Jim Manico <jim.manico at owasp.org> wrote:
>> > For sure.
>> > For example, if I can CSRF you to log into a Google account that I
>> > control, I can then track all of your Google searches.
>> > This is edge case, but still viable.
>> > - Jim
>> >> Does CSRFing a login page make sense to anyone :)
>> >> Eoin Keary
>> >> OWASP Global Board
>> >> +353 87 977 2988
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
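The login-CSRF scenario Jim and Michael describe above, as an added example that is not part of the thread or any OWASP project code: a login handler that accepts a cross-site POST carrying the attacker's own credentials (so the victim's later activity is attributed to the attacker's account), next to a hardened handler that requires a pre-session CSRF token bound to an anonymous session and checks the Origin header. The origins, user table, request/session dictionaries and the `record_search` helper are constructed stand-ins for a real web framework.

```python
import hashlib
import hmac
import secrets

# Constructed example of login CSRF; none of this is the OWASP project's code.
# The origins, users and the plain-dict request/session objects are assumptions
# standing in for a real web stack.
SITE_ORIGIN = "https://app.example"
ATTACKER_ORIGIN = "https://evil.example"
USERS = {"attacker": "hunter2", "victim": "correct horse battery"}
SEARCH_LOG = {}  # user -> list of queries: the "tracking" the thread talks about
_SECRET = secrets.token_bytes(32)  # server-side HMAC key, fresh per process


def record_search(session, query):
    """Each search is attributed to whichever account the session holds."""
    user = session.get("user")
    if user is None:
        return None
    SEARCH_LOG.setdefault(user, []).append(query)
    return user


def attacker_form_post():
    """What a hidden, auto-submitting <form method=POST action=.../login> on
    the attacker's page sends from the victim's browser: the ATTACKER's own
    credentials, and no CSRF token (the attacker never saw the victim's page)."""
    return {
        "headers": {"Origin": ATTACKER_ORIGIN},
        "form": {"user": "attacker", "password": "hunter2"},
    }


def same_site_post(user, password, token):
    """The site's own login form, rendered with a pre-session CSRF token."""
    return {
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"user": user, "password": password, "csrf": token},
    }


# --- vulnerable: any POST carrying valid credentials creates a session ---
def vulnerable_login(req, session):
    form = req["form"]
    if USERS.get(form.get("user")) != form.get("password"):
        return 401
    session["user"] = form["user"]  # victim's browser is now logged in as the attacker
    return 200


# --- hardened: pre-session token bound to an anonymous session, plus Origin check ---
def issue_login_token(session):
    """Called when the login page is rendered. Gives the anonymous visitor a
    session id and returns an HMAC over it. A cross-site page cannot obtain
    this value because it never sees the victim's session id."""
    if "sid" not in session:
        session["sid"] = secrets.token_hex(16)
    return hmac.new(_SECRET, session["sid"].encode(), hashlib.sha256).hexdigest()


def hardened_login(req, session):
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # browsers send Origin on cross-site POSTs
    if "sid" not in session:
        return 403  # login page was never rendered to this browser
    supplied = req["form"].get("csrf", "")
    expected = issue_login_token(session)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    form = req["form"]
    if USERS.get(form.get("user")) != form.get("password"):
        return 401
    session.clear()  # rotate the pre-login session id
    session["sid"] = secrets.token_hex(16)
    session["user"] = form["user"]
    return 200
```

Note that SameSite cookie attributes do not stop this attack: the forged POST needs no existing cookie from the victim, and the Set-Cookie in the response is still stored and then sent on the victim's own top-level navigations. The pre-session token is the control that actually breaks it; the Origin check is a cheap second layer, kept secondary because some clients omit the header.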