[Owasp-leaders] CSRF

Christian Papathanasiou christian.papathanasiou at owasp.org
Wed May 29 14:52:31 UTC 2013


Absolutely!

Sent from my iPhone

On 29 May 2013, at 15:39, gaz Heyes <gazheyes at gmail.com> wrote:

> Account DOS would work too since you could send a valid username with an incorrect password from lots of IP addresses which might cause an account lockout.
> 
> 
> On 29 May 2013 15:29, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>> Another scenario is:
>> 
>> Distributed client side login/pass bruteforce :-)
>> 
>> Once victims connect to attacker controlled server they are dished out hundreds of CSRF vectors such as
>> 
>> <img src=http://server/login?username=&user1pass=pass1>
>> 
>> Username password pairs
>> 
>> With each subsequent CSRF vector sent  testing for a post authentication function
>> 
>> Once word list subset exhausted page updates with next set to try
>> 
>> In essence achieving distributed non attributable brute force (and potentially knock on effects of application layer DoS)
>> 
>> All theoretically possible I think but have never seen that really done in the wild have any of you? Perhaps something BeEF does in the XSS world?
>> 
>> Christian
>> 
>> On 29 May 2013, at 14:46, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>> 
>> > Another scenario is when you need to poison DNS cache. In that case you
>> > may need many resolution requests from a lot of different IPs. And maybe
>> > the function that forces the DNS resolution is in the authenticated area
>> >
>> >
>> > On 05/29/2013 03:19 PM, gaz Heyes wrote:
>> >> On 29 May 2013 14:14, Giorgio Fedon <giorgio.fedon at owasp.org
>> >> <mailto:giorgio.fedon at owasp.org>> wrote:
>> >>
>> >>    Incrimination is something that may happen by forcing a user doing
>> >>    something illegal.
>> >>
>> >>
>> >> That isn't what I meant. You can assign the IP address of the user to
>> >> a specific account that has already performed or about to perform
>> >> illegal activity.
>> >
>> >
>> > --
>> > | Giorgio Fedon, Owasp Italy
>> > |
>> > | In Input Validation
>> > |            and Output Sanitization,
>> > |                                   We Trust
>> > --
>> > | Web: https://www.owasp.org/index.php/Italy
>> > |_____________________________________________.
>> >
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
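The login CSRF / distributed brute-force scenario discussed in the thread, seen from the defending side, as an added example that is not part of the original thread: a login-endpoint check that refuses cross-site GET logins and Origin mismatches, and a detection pass over constructed auth log lines that surfaces the signature such an attack leaves (one username failing from many distinct source IPs). The allowed origin, field names and log format are assumptions.

```python
import collections
import hmac
from urllib.parse import urlsplit

# Hypothetical site origin; a real deployment would load this from config.
ALLOWED_ORIGINS = {"https://app.example.com"}


def login_request_allowed(method, headers, session_token, form_token):
    """Return True only for a same-site POST carrying the session's CSRF token.

    A GET login (what an <img src=...> vector produces) is rejected outright,
    so a browser dragged to an attacker page cannot submit credentials on
    the victim's behalf. Origin is preferred; Referer is a fallback only.
    """
    if method != "POST":
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False  # policy choice: no origin information, no login
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False
    # Constant-time compare of the per-session token against the form field.
    return bool(session_token) and hmac.compare_digest(session_token, form_token or "")


def distributed_bruteforce_candidates(log_lines, min_ips=20):
    """Return {user: distinct_failing_ips} for users that failed to log in
    from at least min_ips distinct source addresses.

    Classic per-IP rate limiting misses this pattern, and per-account lockout
    turns it into the account DoS the thread mentions; counting distinct
    sources per username is what makes it visible. Log lines are assumed to
    be 'timestamp ip user outcome'; a real detector would also bound the
    time window.
    """
    failed_ips = collections.defaultdict(set)
    for line in log_lines:
        _ts, ip, user, outcome = line.split()
        if outcome == "FAIL":
            failed_ips[user].add(ip)
    return {u: len(ips) for u, ips in failed_ips.items() if len(ips) >= min_ips}


# Constructed sample log: 'alice' fails from 25 different addresses, 'bob' from 2.
SAMPLE_LOG = [f"2013-05-29T14:{i:02d}:00 203.0.113.{i} alice FAIL" for i in range(1, 26)]
SAMPLE_LOG += [
    "2013-05-29T14:30:00 198.51.100.7 bob FAIL",
    "2013-05-29T14:31:00 198.51.100.8 bob FAIL",
    "2013-05-29T14:32:00 192.0.2.9 alice OK",
]
```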