Death by 1000 cuts

iago · November 21, 2008, 10:31:03 AM

This is a cool story about how a bunch of minor issues in a Web application can be combined to gain access:

http://ha.ckers.org/deathby1000cuts/

rabbit · November 21, 2008, 11:51:54 AM

Good read. Though it wasn't exactly 1000...

iago · November 21, 2008, 12:51:19 PM

"1000 cuts" is a figure of speech. :P

Hitmen · November 21, 2008, 02:45:54 PM

Quote from: iago on November 21, 2008, 12:51:19 PM
"1000 cuts" is a figure of speech. :P

Mmm torture. Lingchi, fun stuff.

Camel · November 21, 2008, 03:27:24 PM

I can't believe people actually consider CSRF to be minor! The name alone instills fear in to the hearts of developers around here.

iago · November 21, 2008, 03:53:08 PM

Quote from: Camel on November 21, 2008, 03:27:24 PM
I can't believe people actually consider CSRF to be minor! The name alone instills fear in to the hearts of developers around here.

It strongly depends on the situation.

But I agree, it's often non-minor, just not well understood.

Camel · November 21, 2008, 03:56:39 PM

Incidentally, if you use GWT, your apps will be inherently safe vs CSRF and XSS, so long as you do not go out of your way to work around the security that's built in (publishing login tokens, writing vulnerable pure-javascript, etc)

Clan x86

News:

Death by 1000 cuts

iago

rabbit

iago

Hitmen

Camel

iago

Camel