[Owasp-leaders] CSRF

gaz Heyes gazheyes at gmail.com
Wed May 29 14:39:30 UTC 2013


Account DOS would work too since you could send a valid username with an
incorrect password from lots of IP addresses which might cause an account
lockout.


On 29 May 2013 15:29, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:

> Another scenario is:
>
> Distributed client side login/pass bruteforce :-)
>
> Once victims connect to attacker controlled server they are dished out
> hundreds of CSRF vectors such as
>
> <img src="http://server/login?username=user1&pass=pass1">
>
> Username password pairs
>
> With each subsequent CSRF vector sent, testing for a post-authentication
> function
>
> Once the word list subset is exhausted, the page updates with the next set to try
>
> In essence achieving distributed non-attributable brute force (and
> potentially knock-on effects of application layer DoS)
>
> All theoretically possible I think, but I have never seen that really done in
> the wild. Have any of you? Perhaps something BeEF does in the XSS world?
>
> Christian
>
> On 29 May 2013, at 14:46, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>
> > Another scenario is when you need to poison a DNS cache. In that case you
> > may need many resolution requests from a lot of different IPs. And maybe
> > the function that forces the DNS resolution is in the authenticated area
> >
> >
> > On 05/29/2013 03:19 PM, gaz Heyes wrote:
> >> On 29 May 2013 14:14, Giorgio Fedon <giorgio.fedon at owasp.org
> >> <mailto:giorgio.fedon at owasp.org>> wrote:
> >>
> >>    Incrimination is something that may happen by forcing a user to do
> >>    something illegal.
> >>
> >>
> >> That isn't what I meant. You can assign the IP address of the user to
> >> a specific account that has already performed or is about to perform
> >> illegal activity.
> >
> >
> > --
> > | Giorgio Fedon, Owasp Italy
> > |
> > | In Input Validation
> > |            and Output Sanitization,
> > |                                   We Trust
> > --
> > | Web: https://www.owasp.org/index.php/Italy
> > |_____________________________________________.
> >
>
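The pattern the thread describes, one account failing authentication from many unrelated source IPs (whether the goal is a distributed password guess or tripping the lockout), has a simple detection signal. The following is an added example, not code from the list or from any poster; the log line format, the sample data and the thresholds (`window`, `min_ips`) are assumptions.

```python
# Added example (not from the thread): flag usernames whose failed logins
# come from many distinct IPs inside a short window, which distinguishes the
# CSRF-driven distributed brute force / lockout DoS from one noisy client.
# Log format, sample lines and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample auth log lines (not real data); RFC 5737 test addresses.
SAMPLE_LOG = """\
2013-05-29T14:30:01Z LOGIN_FAIL user=alice ip=203.0.113.5
2013-05-29T14:30:02Z LOGIN_FAIL user=alice ip=198.51.100.7
2013-05-29T14:30:02Z LOGIN_OK user=bob ip=192.0.2.9
2013-05-29T14:30:04Z LOGIN_FAIL user=alice ip=203.0.113.77
2013-05-29T14:30:05Z LOGIN_FAIL user=alice ip=198.51.100.12
2013-05-29T14:30:06Z LOGIN_FAIL user=alice ip=192.0.2.44
2013-05-29T14:30:09Z LOGIN_FAIL user=bob ip=192.0.2.9
2013-05-29T14:30:10Z LOGIN_FAIL user=bob ip=192.0.2.9
2013-05-29T14:45:00Z LOGIN_FAIL user=alice ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) LOGIN_FAIL user=(\S+) ip=(\S+)$")


def parse_failures(text):
    """Yield (timestamp, user, ip) for every failed-login line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)


def distributed_failures(text, window=timedelta(minutes=5), min_ips=4):
    """Return {user: sorted distinct IPs} for each user whose failures came
    from at least `min_ips` different IPs within some `window`-long span."""
    per_user = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(text)):
        per_user[user].append((ts, ip))
    alerts = defaultdict(set)
    for user, hits in per_user.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward so hits[start:end+1] spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                alerts[user].update(ips)
    return {user: sorted(ips) for user, ips in alerts.items()}
```

A single-IP lockout rule never fires here, while a per-account rule counting distinct sources does; the same distinct-IP count is also a reasonable trigger for stepping up to a CAPTCHA or second factor rather than locking the account outright, since lockout is exactly the outcome the DoS variant wants.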