Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding etc.
Digg.com Begging to be CSRF'd
Posted by: hesum
Date: March 30, 2007 11:27AM

Digg is allowing people to add friends just by clicking a link while logged in. Have they no idea that this is a problem?

I first read about this here (this page actually has the CSRF in it as a POC, so make sure you are logged out of Digg if you don't want a random person on your friends list):
http://www.thegooglecache.com/rants-and-raves/new-digg-feature-friend-spamming-proof-of-concept/

Official blog entry from Kevin Rose
http://blog.digg.com/?p=70

Re: Digg.com Begging to be CSRF'd
Posted by: Ghozt
Date: March 30, 2007 01:45PM

You can also XSS that parameter; you need their username in the URL, though.
