[Owasp-leaders] CSRF

Eoin eoin.keary at owasp.org
Wed May 29 20:41:30 UTC 2013


That's not CSRF strictly speaking. There is no session or forgery. But rather turning victims into bots.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 29 May 2013, at 15:52, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:

> Absolutely!
> 
> Sent from my iPhone
> 
> On 29 May 2013, at 15:39, gaz Heyes <gazheyes at gmail.com> wrote:
> 
>> Account DOS would work too since you could send a valid username with an incorrect password from lots of IP addresses which might cause an account lockout.
>> 
>> 
>> On 29 May 2013 15:29, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>>> Another scenario is:
>>> 
>>> Distributed client side login/pass bruteforce :-)
>>> 
>>> Once victims connect to an attacker controlled server they are dished out hundreds of CSRF vectors such as
>>> 
>>> <img src="http://server/login?username=user1&pass=pass1">
>>> 
>>> Username password pairs
>>> 
>>> With each subsequent CSRF vector sent, testing for a post-authentication function
>>> 
>>> Once word list subset exhausted page updates with next set to try
>>> 
>>> In essence achieving distributed non attributable brute force (and potentially knock on effects of application layer DoS)
>>> 
>>> All theoretically possible, I think, but I have never seen that really done in the wild. Have any of you? Perhaps something BeEF does in the XSS world?
>>> 
>>> Christian
>>> 
>>> On 29 May 2013, at 14:46, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>>> 
>>> > Another scenario is when you need to poison a DNS cache. In that case you
>>> > may need many resolution requests from a lot of different IPs. And maybe
>>> > the function that forces the DNS resolution is in the authenticated area.
>>> >
>>> >
>>> > On 05/29/2013 03:19 PM, gaz Heyes wrote:
>>> >> On 29 May 2013 14:14, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>>> >>
>>> >>    Incrimination is something that may happen by forcing a user to do
>>> >>    something illegal.
>>> >>
>>> >>
>>> >> That isn't what I meant. You can assign the IP address of the user to
>>> >> a specific account that has already performed or is about to perform
>>> >> illegal activity.
>>> >
>>> >
>>> > --
>>> > | Giorgio Fedon, Owasp Italy
>>> > |
>>> > | In Input Validation
>>> > |            and Output Sanitization,
>>> > |                                   We Trust
>>> > --
>>> > | Web: https://www.owasp.org/index.php/Italy
>>> > |_____________________________________________.
>>> >
>>> > _______________________________________________
>>> > OWASP-Leaders mailing list
>>> > OWASP-Leaders at lists.owasp.org
>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
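An added example, not part of this thread or of any OWASP project code: the distributed guessing that Christian and gaz describe shows up in an authentication log as many failed logins against one account from many source IPs, which per-IP throttling misses and which a naive per-account lockout turns into the account DoS gaz mentions. The detector below runs over constructed sample log lines (the `<ts> FAIL|OK user=<name> ip=<addr>` format, the user names and the IP addresses are all assumptions made for this example) and separates the distributed pattern from classic single-source brute force, so the response can be chosen accordingly.

```python
"""Classify failed-login bursts as single-source or distributed guessing.

Added example, not from the mailing-list thread. The log format, user names
and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not from any real system).
SAMPLE_LOG = """\
2013-05-29T15:30:01 FAIL user=alice ip=203.0.113.10
2013-05-29T15:30:03 FAIL user=alice ip=198.51.100.7
2013-05-29T15:30:04 FAIL user=alice ip=192.0.2.44
2013-05-29T15:30:06 FAIL user=alice ip=203.0.113.77
2013-05-29T15:30:09 FAIL user=alice ip=198.51.100.201
2013-05-29T15:30:11 FAIL user=alice ip=192.0.2.9
2013-05-29T15:31:00 FAIL user=bob ip=203.0.113.5
2013-05-29T15:31:01 FAIL user=bob ip=203.0.113.5
2013-05-29T15:31:02 FAIL user=bob ip=203.0.113.5
2013-05-29T15:31:03 FAIL user=bob ip=203.0.113.5
2013-05-29T15:31:04 FAIL user=bob ip=203.0.113.5
2013-05-29T15:31:05 FAIL user=bob ip=203.0.113.5
2013-05-29T15:32:00 FAIL user=carol ip=192.0.2.12
2013-05-29T15:32:30 OK user=carol ip=192.0.2.12
2013-05-29T15:45:00 FAIL user=alice ip=203.0.113.10
"""

# Assumed log line shape: "<iso-timestamp> <FAIL|OK> user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Yield (timestamp, outcome, user, ip) tuples; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def classify_failures(text, window=timedelta(minutes=5),
                      min_failures=5, min_distinct_ips=4):
    """Find accounts with >= min_failures failed logins inside a sliding window.

    Returns {user: {"kind": "distributed" | "single-source",
                    "failures": n, "distinct_ips": k}}, keeping the densest
    window seen for each user. "distributed" means the failures came from at
    least min_distinct_ips different addresses, i.e. many clients driven at
    one account rather than one client hammering it.
    """
    failures = defaultdict(list)  # user -> [(timestamp, ip), ...]
    for ts, outcome, user, ip in parse_log(text):
        if outcome == "FAIL":
            failures[user].append((ts, ip))

    verdicts = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) < min_failures:
                continue
            ips = {ip for _, ip in in_window}
            kind = "distributed" if len(ips) >= min_distinct_ips else "single-source"
            prev = verdicts.get(user)
            if prev is None or len(in_window) > prev["failures"]:
                verdicts[user] = {"kind": kind, "failures": len(in_window),
                                  "distinct_ips": len(ips)}
    return verdicts


def recommended_response(verdict):
    """Choose a response that does not hand the attacker an account lockout.

    For distributed guessing, blocking source IPs is futile and a hard
    per-account lockout lets the attacker lock the victim out at will, so
    the safer move is to raise the bar on the account (step-up auth,
    challenge, owner notification). Single-source bursts can be throttled
    at the source.
    """
    return "step-up-auth" if verdict["kind"] == "distributed" else "throttle-ip"


if __name__ == "__main__":
    for user, v in classify_failures(SAMPLE_LOG).items():
        print(user, v, "->", recommended_response(v))
```

The thresholds (five failures, four distinct addresses, a five-minute window) are starting points to tune against real traffic; the point of the split is that the two patterns need different responses, and that lockout-on-failure alone is exactly the control the distributed variant abuses.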