[Owasp-leaders] CSRF

Chris Schmidt chris.schmidt at owasp.org
Wed May 29 04:03:55 UTC 2013


How about as a follow-up to a Spear Phishing attack.

Step 1) Phishing to get the target's credentials
Step 2) CSRF Login to the target's account
Step 3) …
Step 4) Profit

This could be used to bypass IP Filtering Controls (an example would be the
admin functionality of apps that IP Filter who can access the application)

This may be a bit edge case, but if done right could be a pretty powerful
attack.

From:  Michael Coates <michael.coates at owasp.org>
Date:  Tuesday, May 28, 2013 4:35 PM
To:  "eoin.keary at owasp.org" <eoin.keary at owasp.org>
Cc:  Leaders <owasp-leaders at lists.owasp.org>
Subject:  Re: [Owasp-leaders] CSRF

Jim's example is a real concern. It can be abstracted to any situation when
the owner of the system derives value by having the user logged into the
account.

Think of these examples:
- App X that records your location every minute for some benefit: if an
attacker CSRF-logs you into this app with the attacker's account, then the
attacker could track your movement.
- Similar scenario with a remote admin type app that is granted camera
access. Could the attacker turn on the camera via a webpage for their
account?

Login CSRF is a different type of risk and doesn't always apply. But there
are some specific situations where it could be a real concern.


--
Michael Coates | OWASP | @_mwc



On Tue, May 28, 2013 at 3:25 PM, Eoin <eoin.keary at owasp.org> wrote:
> It's a bit bullshitty :)
> 
> And you assume the victim does not notice they are not logged into their
> account, but rather yours (the attacker's).
> 
> Does anyone have any attacks, case studies which result in REAL risk to a
> business??
> 
> 
> 
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 28 May 2013, at 23:20, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> > For sure.
>> >
>> > For example, if I can CSRF you to log into a Google account that I
>> > control, I can then track all of your Google searches.
>> >
>> > This is edge case, but still viable.
>> >
>> > - Jim
>> >
>>> >> Does CSRF'ing a login page make sense to anyone :)
>>> >>
>>> >>
>>> >> Eoin Keary
>>> >> Owasp Global Board
>>> >> +353 87 977 2988
>>> >>
>>> >> _______________________________________________
>>> >> OWASP-Leaders mailing list
>>> >> OWASP-Leaders at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >

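As an added example (not code from the thread or from any OWASP project), the check that defeats login CSRF as discussed above: the login form carries a token bound to a pre-login session cookie, so a cross-site page cannot submit a login that the server will accept. Function names and the server key are hypothetical; the attacker's ability to fetch their own login page and token is assumed.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_login_page():
    """Serve the login form: set a pre-login session cookie and embed a token
    that is keyed to that cookie. Returns (cookie_value, form_token)."""
    pre_session = secrets.token_urlsafe(16)
    token = hmac.new(SERVER_KEY, pre_session.encode(), hashlib.sha256).hexdigest()
    return pre_session, token


def login_vulnerable(form):
    """Login handler with no CSRF check: any page can make the browser POST
    attacker credentials, and the victim ends up logged in as the attacker."""
    return {"logged_in_as": form["user"]}


def login_hardened(cookie, form):
    """Login handler that only accepts a token matching this browser's
    pre-login cookie; returns None when the login is rejected."""
    if cookie is None:
        return None
    expected = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return None  # token missing, or bound to someone else's cookie
    return {"logged_in_as": form["user"]}


def legitimate_flow():
    """Victim loads the login page, then submits it: cookie and token match."""
    cookie, token = issue_login_page()
    form = {"user": "victim", "password": "constructed-pw", "csrf_token": token}
    return login_hardened(cookie, form)


def cross_site_flow():
    """Attacker fetches their own login page (own cookie, own token) and makes
    the victim's browser POST that form. The browser sends the victim's
    cookie, not the attacker's, so the token no longer matches."""
    _attacker_cookie, attacker_token = issue_login_page()
    victim_cookie, _ = issue_login_page()
    forged = {"user": "attacker", "password": "attacker-pw", "csrf_token": attacker_token}
    return login_vulnerable(forged), login_hardened(victim_cookie, forged)
```

The vulnerable handler logs the victim into the attacker's account; the hardened one returns None for the same forged request while still accepting the legitimate submission.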