ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Begging to be CSRF'd
Posted by: hesum
Date: March 30, 2007 11:27AM

Digg is allowing people to add friends just by clicking a link while logged in. Have they no idea that this is a problem?

I first read about this here (this page actually has the CSRF in it as a POC, so make sure you are logged out of digg if you don't want a random person on your friends list):

Official blog entry from Kevin Rose

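The flaw described in the post, as an added example that is not code from the thread or from Digg: a constructed in-memory "add friend" handler that honours any request carrying the session cookie (so a plain link on another site triggers it), beside a hardened version that only accepts POST with a per-session anti-CSRF token. All function and field names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session for `user` with a fresh per-session CSRF token (assumed helper)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "friends": set()}
    return sid


def add_friend_vulnerable(method, params, cookie):
    """Endpoint that changes state for any request carrying the session cookie.
    The browser attaches the cookie automatically, so a GET link or <img> on a
    third-party page is enough: this is the pattern the post complains about."""
    sess = SESSIONS.get(cookie.get("sid"))
    if sess is None:
        return 401, "not logged in"
    sess["friends"].add(params["friend"])
    return 200, "added"


def add_friend_hardened(method, params, cookie):
    """Same action, but a state change requires POST plus a token that only a
    same-origin page can read; the token is bound to the session and compared
    in constant time."""
    sess = SESSIONS.get(cookie.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change requires POST"
    if not hmac.compare_digest(params.get("csrf", ""), sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    sess["friends"].add(params["friend"])
    return 200, "added"


def demo():
    """Run a forged cross-site request and a legitimate one against both handlers."""
    sid = login("victim")
    cookie = {"sid": sid}                   # sent by the browser on every request to the site
    forged = {"friend": "random_person"}    # what a link on another page can supply: no token
    v = add_friend_vulnerable("GET", forged, cookie)
    h_get = add_friend_hardened("GET", forged, cookie)
    h_post = add_friend_hardened("POST", forged, cookie)
    legit = {"friend": "a_real_friend", "csrf": SESSIONS[sid]["csrf"]}  # same-origin form
    ok = add_friend_hardened("POST", legit, cookie)
    return v, h_get, h_post, ok, sorted(SESSIONS[sid]["friends"])


if __name__ == "__main__":
    print(demo())
```

Only the vulnerable handler lets the forged request through; the hardened one rejects it first on method, then on the missing token, while the legitimate same-origin submission succeeds.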
Re: Begging to be CSRF'd
Posted by: Ghozt
Date: March 30, 2007 01:45PM

You can also XSS that parameter, you need their username in the URL though.
