Author Topic: Death by 1000 cuts  (Read 5295 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Death by 1000 cuts
« on: November 21, 2008, 10:31:03 am »
This is a cool story about how a bunch of minor issues in a Web application can be combined to gain access:

http://ha.ckers.org/deathby1000cuts/

Offline rabbit

  • x86
  • Hero Member
  • *****
  • Posts: 8092
  • I speak for the entire clan (except Joe)
    • View Profile
Re: Death by 1000 cuts
« Reply #1 on: November 21, 2008, 11:51:54 am »
Good read.  Though it wasn't exactly 1000...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Death by 1000 cuts
« Reply #2 on: November 21, 2008, 12:51:19 pm »
"1000 cuts" is a figure of speech. :P

Offline Hitmen

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 1913
    • View Profile
Re: Death by 1000 cuts
« Reply #3 on: November 21, 2008, 02:45:54 pm »
"1000 cuts" is a figure of speech. :P

Mmm torture. Lingchi, fun stuff.
Quote
(22:15:39) Newby: it hurts to swallow

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Death by 1000 cuts
« Reply #4 on: November 21, 2008, 03:27:24 pm »
I can't believe people actually consider CSRF to be minor! The name alone instills fear in to the hearts of developers around here.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Death by 1000 cuts
« Reply #5 on: November 21, 2008, 03:53:08 pm »
I can't believe people actually consider CSRF to be minor! The name alone instills fear in to the hearts of developers around here.
It strongly depends on the situation.

But I agree, it's often non-minor, just not well understood.

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Death by 1000 cuts
« Reply #6 on: November 21, 2008, 03:56:39 pm »
Incidentally, if you use GWT, your apps will be inherently safe vs CSRF and XSS, so long as you do not go out of your way to work around the security that's built in (publishing login tokens, writing vulnerable pure-javascript, etc)

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!