Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Web Application Security
Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 01:13AM
Thomas Schreiber (ts securenet de) (7 replies)
Hello,

I would like to point you to a whitepaper just released:

SESSION RIDING - A Widespread Vulnerability in Today's Web Applications
http://www.securenet.de/papers/Session_Riding.pdf

----------
Abstract:

In this paper we describe an issue that was raised in 2001 under the name of Cross-Site Request Forgeries (CSRF). It seems, though, that it has been neglected by the community, as it is not part of recent Web Application Security discussions, nor is it mentioned in OWASP's Top Ten or the like. After having frequently observed this vulnerability in our Web Application Security assessments of custom Web applications, we started to examine various public Web applications and other browser-based applications:

? popular (commercial) Web sites
? popular browser-based console applications such as administration tools for databases, servers, etc.
? browser-based administration clients of hardware devices
? webmail sites and open source and commercial webmail solutions

We have found out that this vulnerability is present in many of those sites, services and products, some of which perform sensitive tasks. Actually, the list of affected companies contains well-known big players. Our analysis has led us to the conclusion that this vulnerability is the most widespread one in today's Web applications right after Cross-Site Scripting (XSS). Even worse, in some scenarios it has to be considered much more dangerous than XSS.

We feel that a concise description of this issue is necessary, along with a description of scenarios that highlight the danger to all browser-based applications that do not provide appropriate countermeasures, be it Intranet, Internet or console applications. In this paper, we explain this vulnerability in depth, show that it may be used unnoticed by the victim, describe potential threats, and finally give hints on how to make Web applications safe from such attacks.

We prefer to call this issue Session Riding which more figuratively illustrates what is going on.
----------

Feedback is very welcome - especially regarding our rating/experience as one of the most widespread vulnerabilities today.

Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
+49 89/32133-610
mailto:ts (at) securenet (dot) de [email concealed]

[ reply ]
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:17PM
Elihu Smails (elihusmails2000 yahoo com) (5 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:17PM
Florian Weimer (fw deneb enyo de)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 01:37PM
Joseph Miller (joseph tidetamerboatlifts com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 01:37PM
Joseph Miller (joseph tidetamerboatlifts com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 07:20AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 06:47PM
Elihu Smails (elihusmails2000 yahoo com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 07:20AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 06:47PM
Elihu Smails (elihusmails2000 yahoo com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:56AM
Sverre H. Huseby (shh thathost com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 03:00PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 05:47PM
Florian Weimer (fw deneb enyo de) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:07AM
Shade (shade wastelands gen nz)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 03:00PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 05:47PM
Florian Weimer (fw deneb enyo de) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 11:07AM
Shade (shade wastelands gen nz)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 17 2004 08:36AM
Philippe P. (webappsec philippe prados name) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 02:44PM
Joseph Miller (joseph tidetamerboatlifts com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:15PM
Florian Weimer (fw deneb enyo de)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 09:54AM
Shade (shade wastelands gen nz) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:09PM
Florian Weimer (fw deneb enyo de)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:09PM
Florian Weimer (fw deneb enyo de)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 10:40PM
Yvan G.J. Boily (yboily seccuris com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:04PM
Florian Weimer (fw deneb enyo de)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:56PM
Mark Burnett (mb xato net) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 10:40PM
Yvan G.J. Boily (yboily seccuris com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 06:04PM
Florian Weimer (fw deneb enyo de)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:56PM
Mark Burnett (mb xato net) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 05:08PM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 05:10PM
Sverre H. Huseby (shh thathost com)







 

Privacy Statement
Copyright 2009, SecurityFocus