[Owasp-topten] wording on A8 Tech Impact

Ryan Dewhurst ryandewhurst at gmail.com
Sun Feb 17 18:23:11 UTC 2013


Out of interest, in what attack scenario would you need/want to log a
user in using CSRF?

Surely if you have the user's login credentials you can initiate the
requests yourself after logging in yourself?

On Sun, Feb 17, 2013 at 7:11 PM, Neil Smithline
<neil.smithline at owasp.org> wrote:
> I think that A8 Tech Input needs some cleanup. The current text is:
>
> Attackers can cause victims to change any data the victim is allowed to
> change or perform any other function the victim is authorized to use,
> including state changing requests, like logout or even login.
>
>
> I whipped up the revised paragraph below.
>
> Attackers can trick victims into performing any operation the victim is
> authorized to perform. This can include changing account email addresses,
> making purchases, or user login and logout.
>
>
> I'm not wed to that verbiage. With the exception of changing "can cause
> victims" to "can trick victims", my other changes are grammatical. I think
> the "cause" --> "trick" change is an important one.
>
> Neil
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
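Neither message carries code, so the following is an added example, not code from the list or from the OWASP Top Ten project. It shows the defender's side of the point Neil's text makes: every state-changing request, login and logout included, is checked for a synchronizer token, an anonymous session is issued before login so the login form can carry a token too, and the session is rotated on successful login. All class and function names (Session, SessionStore, Request, csrf_ok, handle) and the sample credential store are constructed for this example.

```python
"""Synchronizer-token CSRF check that also covers login and logout.
Added example; names and sample data are constructed, not taken from
any real project."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Only methods that change state need the token; GET/HEAD stay unprotected.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    sid: str
    csrf_token: str
    user: Optional[str] = None  # None for an anonymous (pre-login) session


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict


class SessionStore:
    """In-memory store. Every visitor gets an anonymous session up front so
    the login form can carry a token bound to that session."""

    def __init__(self):
        self._sessions = {}

    def new(self, user=None):
        s = Session(secrets.token_urlsafe(16), secrets.token_urlsafe(32), user)
        self._sessions[s.sid] = s
        return s

    def get(self, sid):
        return self._sessions.get(sid)

    def drop(self, sid):
        self._sessions.pop(sid, None)


def csrf_ok(store, req):
    """True when the request is safe or carries the token of its session.
    A forged cross-site form post sends the cookie but cannot read the token."""
    if req.method not in STATE_CHANGING:
        return True
    session = store.get(req.cookies.get("sid", ""))
    if session is None:
        return False
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session.csrf_token)


USERS = {"alice": "correct horse"}  # constructed sample credential store


def handle(store, req):
    """Returns (status, message, sid the client should hold afterwards)."""
    sid = req.cookies.get("sid", "")
    if not csrf_ok(store, req):
        return 403, "csrf check failed", sid
    session = store.get(sid)
    if req.path == "/login":
        user = req.form.get("user", "")
        pw = req.form.get("password", "")
        # Real deployments compare password hashes; constant-time either way.
        if user not in USERS or not hmac.compare_digest(USERS[user], pw):
            return 401, "bad credentials", sid
        store.drop(sid)  # rotate: fresh sid and fresh token after login
        fresh = store.new(user)
        return 200, f"logged in as {user}", fresh.sid
    if session is None or session.user is None:
        return 401, "login required", sid
    if req.path == "/logout":
        store.drop(sid)  # logout is state-changing too, so it was token-checked
        return 200, "logged out", store.new().sid
    if req.path == "/email":
        return 200, f"email for {session.user} set to {req.form.get('email')}", sid
    return 404, "unknown path", sid
```

The rotation on login matters for the scenario Ryan asks about: even if a forged login were accepted, a token issued to the anonymous session stops working, and a legitimate form only gets the new token through a same-origin page load.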

