Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

Current Page: 1 of 1
Results 1 - 3 of 3
4 years ago
database
Guys, thanks for the great input. I'm not looking for a sound and complete solution, since this is undecidable. But approximations as described in this topic are great. Looking for randomly generated strings is a start, although I'm going to get a lot of false positives. The idea of model checking is even greater; perhaps it is possible to model check whether some sensitive actions are reachable.
Forum: CSRF and Session Info
4 years ago
database
Reiners, thanks for your reply. I indeed faced the same problem as you describe. I was thinking about annotating code/functions where CSRF is dangerous; however, this still leaves the problem with the programmer, who should annotate it. I'm afraid there is no real solution; however, if someone has any idea, I'm listening!
Forum: CSRF and Session Info
4 years ago
database
Hi guys, I'm doing my master's thesis at the moment in the field of static analysis. Currently I'm trying to come up with ways to detect CSRF or potential CSRF. However, it seems to me that for CSRF it is inherently impossible to detect it statically.
- Taint propagation does not work since there is nothing to taint
- Model checking is not possible
- Pattern matching is implausible since the
Forum: CSRF and Session Info