Linux Today: Linux News On Internet Time.

CGISecurity.com: Announcement: The Cross-site Request Forgery FAQ

Jan 17, 2007, 02:30
(Other stories by Robert Auger)

[ Thanks to Nobody for this link. ]

"Site tasks are usually linked to specific URLs (Example: http://site/stocks?buy=100&stock=ebay) allowing specific actions to be performed when requested. If a user is logged into the site and an attacker tricks their browser into making a request to one of these task URLs, then the task is performed and logged as the logged-in user. Typically you'll use Cross Site Scripting to embed an IMG tag or other HTML/JavaScript code to request a specific 'task url' which gets executed without the user's knowledge. These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company as to whether or not the stocks bought the day before were initiated by the user after the price plummeted."
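The following is an added example, written for this page and not taken from the CSRF FAQ or from Linux Today, that models the stock-purchase "task URL" quoted above. It shows a handler that acts on nothing but the session cookie (so the IMG-tag request from an attacker's page succeeds) next to a handler that additionally requires a POST carrying a per-session token the attacker's page cannot read. The session store, the `sess-alice` cookie value, the `buy_vulnerable`/`buy_hardened` function names and the attacker HTML are all constructed for the illustration.

```python
# Added example, not code from the CSRF FAQ: a toy model of the "task URL"
# pattern. Every name, URL and session value here is constructed.
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed server state: session id -> account record.
SESSIONS = {"sess-alice": {"user": "alice", "holdings": {}, "csrf_token": None}}


def session_from_cookie(cookie_header):
    """Return the session record named by a 'session=<id>' cookie, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def issue_csrf_token(session):
    """Mint an unguessable token bound to this session (synchronizer-token pattern).
    The site embeds it in its own order form; a third-party page cannot read it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def buy_vulnerable(method, url, cookie_header, form=None):
    """The pattern the FAQ describes: any request with a valid session cookie
    performs the task, no matter which page caused the browser to send it."""
    session = session_from_cookie(cookie_header)
    if session is None:
        return 401, "login required"
    q = parse_qs(urlsplit(url).query)
    stock, qty = q["stock"][0], int(q["buy"][0])
    session["holdings"][stock] = session["holdings"].get(stock, 0) + qty
    return 200, f"bought {qty} {stock} for {session['user']}"


def buy_hardened(method, url, cookie_header, form=None):
    """Same task, but only on a POST whose form carries the session's token."""
    session = session_from_cookie(cookie_header)
    if session is None:
        return 401, "login required"
    if method != "POST":
        return 405, "state change must be a POST"  # an IMG tag can only GET
    form = form or {}
    expected = session["csrf_token"]
    if not expected or not secrets.compare_digest(form.get("csrf_token", ""), expected):
        return 403, "missing or invalid csrf token"
    stock, qty = form["stock"], int(form["buy"])
    session["holdings"][stock] = session["holdings"].get(stock, 0) + qty
    return 200, f"bought {qty} {stock} for {session['user']}"


# Constructed attacker page: the victim's browser fetches the IMG source and
# attaches the victim's cookies for http://site automatically.
ATTACK_HTML = '<img src="http://site/stocks?buy=100&stock=ebay" width="1" height="1">'


def img_src(html):
    """Extract the URL the victim's browser will request for the first IMG tag."""
    m = re.search(r'<img[^>]*\bsrc="([^"]+)"', html, re.IGNORECASE)
    return m.group(1) if m else None


def forged_request(handler):
    """Replay what the browser does for ATTACK_HTML while alice is logged in:
    a GET to the task URL with her session cookie and no form body."""
    return handler("GET", img_src(ATTACK_HTML), "session=sess-alice")


if __name__ == "__main__":
    print("vulnerable:", forged_request(buy_vulnerable))   # the forged buy succeeds
    print("hardened:  ", forged_request(buy_hardened))     # rejected: GET, no token
    token = issue_csrf_token(SESSIONS["sess-alice"])
    print("legit POST:", buy_hardened("POST", "http://site/stocks", "session=sess-alice",
                                      {"stock": "ebay", "buy": "5", "csrf_token": token}))
```

The token check alone is what closes the hole in this model; insisting on POST only rules out the IMG-tag delivery, since an attacker's page can still auto-submit a cross-site form. In a real deployment the token would be carried in the form body or a custom header rather than the query string, and checking the Origin/Referer header is a useful second layer, but neither is shown here.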

