[Owasp-leaders] CSRF

Christian Papathanasiou christian.papathanasiou at owasp.org
Wed May 29 14:36:44 UTC 2013


* iPhone typo

> <img src=http://server/login?username=user1&pass=pass1>


Sent from my iPhone

On 29 May 2013, at 15:29, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:

> Another scenario is: 
> 
> Distributed client side login/pass bruteforce :-)
> 
> Once victims connect to attacker controlled server they are dished out hundreds of CSRF vectors such as
> 
> <img src=http://server/login?username=&user1pass=pass1>
> 
> Username password pairs
> 
> With each subsequent CSRF vector sent, testing for a post-authentication function
> 
> Once the word list subset is exhausted, the page updates with the next set to try
> 
> In essence, achieving distributed, non-attributable brute force (and potentially knock-on effects of application-layer DoS)
> 
> All theoretically possible I think, but I have never seen that really done in the wild. Have any of you? Perhaps something BeEF does in the XSS world?
> 
> Christian
> 
> On 29 May 2013, at 14:46, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
> 
>> Another scenario is when you need to poison DNS cache. In that case you
>> may need many resolution requests from a lot of different IPs. And maybe
>> the function that forces the DNS resolution is in the authenticated area.
>> 
>> 
>> On 05/29/2013 03:19 PM, gaz Heyes wrote:
>>> On 29 May 2013 14:14, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>>> 
>>>   Incrimination is something that may happen by forcing a user to do
>>>   something illegal.
>>> 
>>> 
>>> That isn't what I meant. You can assign the IP address of the user to
>>> a specific account that has already performed, or is about to perform,
>>> illegal activity.
>> 
>> 
>> -- 
>> | Giorgio Fedon, Owasp Italy
>> |
>> | In Input Validation 
>> |            and Output Sanitization, 
>> |                                   We Trust
>> --
>> | Web: https://www.owasp.org/index.php/Italy
>> |_____________________________________________.
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
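The login-via-`<img>` and distributed brute-force scenario quoted above, seen from the defending application's side. This is an added example and not code from the thread or from any OWASP project; the site origin `app.example.org`, the `/login` path with `username`/`pass` query parameters, and the access-log lines are constructed assumptions. It shows the two things a defender cares about here: the request shape the attack needs (credentials in a GET, or a credential POST from a foreign origin) is rejected server-side, and log triage aggregates attempts per target account across source IPs, because the distributed variant keeps each victim IP well below a per-IP lockout threshold.

```python
"""Defender-side companion to the CSRF login-bruteforce thread (added example).

1. request_policy(): server-side check for the login endpoint that rejects the
   request shape an <img src=...> CSRF can produce.
2. distributed_bruteforce_report(): access-log triage that groups login attempts
   by *target account* across distinct source IPs, which is how a CSRF-driven,
   many-victim brute force shows up when per-IP counters stay quiet.

Site origin, paths, parameter names and log lines are all constructed for this
example; none are taken from the thread.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://app.example.org"  # assumed origin of the protected site

# Apache/nginx "combined" log format; trailing quoted fields are referer and user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: four victim browsers each fire one forged GET at /login
# (each IP stays under any per-IP lockout), one legitimate same-origin POST,
# and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [29/May/2013:15:30:01 +0000] "GET /login?username=user1&pass=pass1 HTTP/1.1" 401 0 "http://attacker.example/gallery.html" "Mozilla/5.0"',
    '203.0.113.11 - - [29/May/2013:15:30:02 +0000] "GET /login?username=user1&pass=pass2 HTTP/1.1" 401 0 "http://attacker.example/gallery.html" "Mozilla/5.0"',
    '198.51.100.7 - - [29/May/2013:15:30:02 +0000] "GET /login?username=user1&pass=pass3 HTTP/1.1" 401 0 "http://attacker.example/gallery.html" "Mozilla/5.0"',
    '198.51.100.8 - - [29/May/2013:15:30:03 +0000] "GET /login?username=user2&pass=pass1 HTTP/1.1" 401 0 "http://attacker.example/gallery.html" "Mozilla/5.0"',
    '192.0.2.5 - - [29/May/2013:15:30:04 +0000] "POST /login HTTP/1.1" 302 0 "https://app.example.org/login" "Mozilla/5.0"',
    '192.0.2.6 - - [29/May/2013:15:30:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def request_policy(method, path, headers):
    """Return (allowed, reason) for a request hitting the login endpoint.

    Mitigation for the scenario in the thread: credentials never travel in a GET
    (which an <img src=...> can trigger from any page), and a credential POST must
    carry an Origin header equal to our own site. A per-session synchronizer token
    would normally be verified as well; it is omitted here to keep the check short.
    """
    if path != "/login":
        return True, "not the login endpoint"
    if method != "POST":
        return False, "login must be POST; GET with credentials is forgeable via <img>"
    origin = headers.get("Origin")
    if origin is None:
        return False, "missing Origin header on credential POST"
    if origin != SITE_ORIGIN:
        return False, "cross-site Origin %r" % origin
    return True, "same-origin POST"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    d["query"] = parse_qs(parts.query)
    return d


def distributed_bruteforce_report(lines, min_ips=3):
    """Group login attempts by target username across distinct source IPs.

    Only GET attempts carry the username in the access log (POST bodies are not
    logged), which is exactly the forgeable form. An attempt is counted as
    cross-site when its Referer is present and on a foreign origin.
    Returns {username: {"ips": n, "attempts": n, "cross_site": n}} for accounts
    targeted from at least `min_ips` distinct addresses.
    """
    per_user = defaultdict(lambda: {"ips": set(), "attempts": 0, "cross_site": 0})
    for line in lines:
        d = parse_line(line)
        if d is None or d["path"] != "/login":
            continue
        users = d["query"].get("username")
        if not users:
            continue
        rec = per_user[users[0]]
        rec["attempts"] += 1
        rec["ips"].add(d["ip"])
        referer = d["referer"]
        if referer != "-":
            ref = urlsplit(referer)
            if "%s://%s" % (ref.scheme, ref.netloc) != SITE_ORIGIN:
                rec["cross_site"] += 1
    return {
        user: {"ips": len(rec["ips"]), "attempts": rec["attempts"], "cross_site": rec["cross_site"]}
        for user, rec in per_user.items()
        if len(rec["ips"]) >= min_ips
    }


if __name__ == "__main__":
    print(request_policy("GET", "/login", {}))
    print(distributed_bruteforce_report(SAMPLE_LOG))
```

On the constructed sample, `user1` is reported as targeted from three distinct IPs with three cross-site attempts, while a per-IP view would show each address making a single request; `user2` stays below the threshold. The policy check rejects the forged GET outright, so in a hardened deployment the forged requests never reach the authentication code and the log pattern above is the residual signal to alert on.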