Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Using CSRF For Offline, Real-World Applications.
Date: December 19, 2006 04:44PM

I figured I'd drop by quickly again with another thing I've been dying to write an article for on my own site for the past 2 months (which when I end up writing it I'll be sure to post it here). I'm not going to mention any names, nor how I know of this, but it's very possible (although probably not used often by people like us) that CSRF can be used to take down commercial businesses, industrial factories, and even some home appliances. I'm not going to go into too much detail just yet (as I will elaborate in the article), but there are many corporations I know of that operate around the world with a central headquarters located somewhere else with the capacity to turn off lights, change the temperature, change retail prices, operate machinery, excetra. Some houses also have similar features, which allow appliances to turn on, or off through the use of SmartHouse, X10, or LonWorks. Your thoughts?

Awesome AnDrEw - That's The Sound Of Your Brain Crackin'

Re: Using CSRF For Offline, Real-World Applications.
Posted by: rsnake
Date: December 19, 2006 05:08PM

Interesting. I have played around with X10 a little bit yes. Most of the time it's done through a central client interface that connects over a serial port to the X10 base station (not a web based one) so I'm curious to see how that would work, unless I missed a web based interface to X10 somewhere. But yes, I see where you are going with this, and I'll be interested in the article when you're done.

But as a side note is anyone else interested in/played with home automation? It's always been an interest of mine but the price and complexity has made my interest more of a passing one. Web app sec is cheap so that's where I've gravitated. :)

- RSnake
Gotta love it.

