Security Basics: Re: Cookie Security

Re: Cookie Security

From: Orlin Gueorguiev <orlin_at_baturov.com>
Date: Thu, 8 May 2008 01:54:58 +0200

On Tuesday 06 May 2008 01:47:46 Marco M. Morana wrote:
> Orlin
>
> Maybe I am missing something in this email thread... I would think that
> changing the session token after and before the HTTP POST of the new
> transaction will prevent CSRF from happening. The point is to make sure that
> such a transaction does not exploit the implicit trust that the application
> has in the user's browser once the authentication session is initiated, or
> no?
>
> More info on CSRF is here http://www.owasp.org/index.php/Testing_for_CSRF
> and here is the countermeasure http://www.owasp.org/index.php/CSRF_Guard
Thank you for the link. I read the articles and apparently my idea is pretty
similar to this one:
http://www.owasp.org/index.php/How_CSRFGuard_Works#Bypass_CSRFGuard_With_Stored_XSS

Cheers,
Orlin
Received on May 08 2008
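The countermeasure Marco describes (a token tied to the session that is checked on every state-changing POST and replaced afterwards) is the synchronizer-token pattern that OWASP CSRFGuard implements. The following is an added illustration written for this archive page, not code from the thread or from CSRFGuard; the class and function names, the session id and the request dictionaries are all constructed for the example. It shows why a cross-site forgery fails (the forged request carries the cookie but not the token) and why a captured token cannot be replayed once it has been consumed.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Holds one synchronizer token per session and rotates it after every
    successful state-changing request (hypothetical helper for this example)."""

    def __init__(self):
        self._tokens = {}  # session_id -> current token

    def issue(self, session_id):
        """Mint a fresh token for the session; the server embeds it in the form."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def current(self, session_id):
        return self._tokens.get(session_id)

    def validate_and_rotate(self, session_id, submitted):
        """Return True only if the submitted token matches the session's token.
        On success the token is replaced, so each token is good for one POST."""
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # constant-time comparison avoids leaking the token via timing
        if not hmac.compare_digest(expected, submitted):
            return False
        self._tokens[session_id] = secrets.token_urlsafe(32)
        return True


def handle_post(store, request):
    """Minimal stand-in for a transaction endpoint.

    `request` is a constructed dict: 'cookie_session' is the session id the
    browser attaches automatically, 'form' is the submitted body.
    Returns an (HTTP status, message) pair.
    """
    session_id = request.get("cookie_session")
    if session_id is None:
        return 401, "no authenticated session"
    submitted = request.get("form", {}).get("csrf_token")
    if not store.validate_and_rotate(session_id, submitted):
        return 403, "CSRF token missing, wrong, or already used"
    return 200, "transaction accepted"


def demo():
    """Walk through the three cases and return their status codes."""
    store = CsrfTokenStore()
    session_id = "sess-example-123"  # constructed session identifier
    token = store.issue(session_id)  # rendered into the legitimate form

    # 1. legitimate submission: cookie and token both present
    legit = handle_post(store, {"cookie_session": session_id,
                                "form": {"csrf_token": token, "amount": "10"}})

    # 2. cross-site forgery: the browser still sends the cookie, but a page on
    #    another origin cannot read the token, so the form lacks it
    forged = handle_post(store, {"cookie_session": session_id,
                                 "form": {"amount": "10"}})

    # 3. replay of the already-consumed token after rotation
    replay = handle_post(store, {"cookie_session": session_id,
                                 "form": {"csrf_token": token, "amount": "10"}})

    return legit[0], forged[0], replay[0]


if __name__ == "__main__":
    print(demo())
```

Rotating the token after every POST gives the "changed after and before" behaviour from the quoted message; the cost is that a second open tab rendered with the old token will be rejected, which is why many deployments keep one token per session and rotate only on login. Either variant relies on the token being unreadable from other origins, so it does not help against stored XSS on the same origin, the case the OWASP "Bypass CSRFGuard With Stored XSS" section Orlin links to describes.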
