Death by 1000 cuts

Started by iago, November 21, 2008, 10:31:03 AM

Previous topic - Next topic

0 Members and 3 Guests are viewing this topic.

Print
Go Down Pages1
User actions

iago

November 21, 2008, 10:31:03 AM
This is a cool story about how a bunch of minor issues in a Web application can be combined to gain access:

http://ha.ckers.org/deathby1000cuts/

rabbit

#1
November 21, 2008, 11:51:54 AM
Good read.  Though it wasn't exactly 1000...

iago

#2
November 21, 2008, 12:51:19 PM
"1000 cuts" is a figure of speech. :P

Hitmen

#3
November 21, 2008, 02:45:54 PM
Quote from: iago on November 21, 2008, 12:51:19 PM
"1000 cuts" is a figure of speech. :P

Mmm torture. Lingchi, fun stuff.
Quote
(22:15:39) Newby: it hurts to swallow

Camel

#4
November 21, 2008, 03:27:24 PM
I can't believe people actually consider CSRF to be minor! The name alone instills fear in to the hearts of developers around here.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

iago

#5
November 21, 2008, 03:53:08 PM
Quote from: Camel on November 21, 2008, 03:27:24 PM
I can't believe people actually consider CSRF to be minor! The name alone instills fear in to the hearts of developers around here.
It strongly depends on the situation.

But I agree, it's often non-minor, just not well understood.

Camel

#6
November 21, 2008, 03:56:39 PM
Incidentally, if you use GWT, your apps will be inherently safe vs CSRF and XSS, so long as you do not go out of your way to work around the security that's built in (publishing login tokens, writing vulnerable pure-javascript, etc)

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!
Print
Go Up Pages1
User actions