Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on November 21, 2008, 10:31:03 am

Title: Death by 1000 cuts
Post by: iago on November 21, 2008, 10:31:03 am
This is a cool story about how a bunch of minor issues in a Web application can be combined to gain access:

http://ha.ckers.org/deathby1000cuts/
Title: Re: Death by 1000 cuts
Post by: rabbit on November 21, 2008, 11:51:54 am
Good read.  Though it wasn't exactly 1000...
Title: Re: Death by 1000 cuts
Post by: iago on November 21, 2008, 12:51:19 pm
"1000 cuts" is a figure of speech. :P
Title: Re: Death by 1000 cuts
Post by: Hitmen on November 21, 2008, 02:45:54 pm
"1000 cuts" is a figure of speech. :P

Mmm torture. Lingchi (http://en.wikipedia.org/wiki/Slow_slicing), fun stuff.
Title: Re: Death by 1000 cuts
Post by: Camel on November 21, 2008, 03:27:24 pm
I can't believe people actually consider CSRF to be minor! The name alone instills fear into the hearts of developers around here.
Title: Re: Death by 1000 cuts
Post by: iago on November 21, 2008, 03:53:08 pm
I can't believe people actually consider CSRF to be minor! The name alone instills fear into the hearts of developers around here.
It strongly depends on the situation.

But I agree, it's often non-minor, just not well understood.
Title: Re: Death by 1000 cuts
Post by: Camel on November 21, 2008, 03:56:39 pm
Incidentally, if you use GWT, your apps will be inherently safe vs CSRF and XSS, so long as you do not go out of your way to work around the security that's built in (publishing login tokens, writing vulnerable pure JavaScript, etc.)
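Since the thread turns on whether CSRF is minor, here is an added example (not from the linked article, the thread, or GWT) showing the defence that makes a forged cross-site POST fail: a synchronizer token bound to the user's session. The request shape, the handler, the secret and the session ids are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example secret; a real deployment loads this from configuration, never source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Methods that change state and therefore need the token. GET/HEAD/OPTIONS are
# exempt only because a correct application never changes state on them.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token_for(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive a per-session token as HMAC-SHA256(secret, session_id).

    The browser attaches the session cookie to a request from any origin, but
    an attacker's page cannot read this value, so it cannot forge a request
    that carries it. Binding it to the session also stops an attacker from
    submitting a token issued for their own session.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_safe(method: str, session_id: str, submitted_token: Optional[str],
                 secret: bytes = SERVER_SECRET) -> bool:
    """Return True if the request may proceed past the CSRF check."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not submitted_token:
        return False
    expected = csrf_token_for(session_id, secret)
    # Constant-time comparison so response timing cannot leak the token.
    return hmac.compare_digest(expected, submitted_token)


def handle_transfer(request: dict) -> int:
    """Hypothetical handler for a state-changing action; returns an HTTP status.

    `request` is a constructed dict: {"method": str, "cookies": {...}, "form": {...}}.
    """
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401  # not logged in at all
    token = request.get("form", {}).get("csrf_token")
    if not is_csrf_safe(request["method"], session_id, token):
        return 403  # cookie present but no valid token: treat as forged
    return 200  # legitimate same-site submission


if __name__ == "__main__":
    # Constructed legitimate request: the site's own form included the token.
    legit = {"method": "POST", "cookies": {"session": "sess-alice"},
             "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token_for("sess-alice")}}
    # Constructed forged request: the browser auto-attached Alice's cookie,
    # but the attacker's page could not supply her token.
    forged = {"method": "POST", "cookies": {"session": "sess-alice"},
              "form": {"to": "mallory", "amount": "10"}}
    print("legitimate:", handle_transfer(legit))  # 200
    print("forged:", handle_transfer(forged))      # 403
```

The 403 on the forged request is the whole point of the thread's "not minor" position: without the token, the only credential the server sees is the cookie, which the browser hands over regardless of which site built the form. Token checks belong on every state-changing route, not just the one shown.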