Cross Site Request Forgery (CSRF)

WHID 2009-38: Time's Poll For Most Influencial Hacked

[View]

Updated:

19 April 2009

Polls are easy target for automation abuse. You can usually participate anonymously and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

WHID 2009-37: Twitter XSS/CSRF worm series (Updated)

[View]

Updated:

19 April 2009

Twitter is in the spotlights again. Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, a Twitter alternative, admitted to hacking his giant competitor by implementing a series of worms. The first one propagated itself through twitter making every affected user tweet about StalkDaily. Mikeyy certainly got the advertising and page views he was looking for. Even more, Mookey even got a job as a security analyst following the worm series.

Mikeyy's worms are a good example of how CSRF and XSS can be combined to create a strong blended attack,

WHID 2009-4: Twitter Personal Info CSRF

[View]

Updated:

13 January 2009

Gareth Heyes (and others) reported an interesting vulnerability in Twitter last week. While his post included a proof of concept code, it does not qualify as a hack only a vulnerability disclosure and the Web Hacking Incident Database does not list vulnerabilities.

Luckily Giorgio Maone decided to create his own proof of concept, run it himself and provide us with the result, enabling me to label this as a hack

By exploiting a CSRF bug in twitter (or maybe a feature?) site owners can get twitter profiles of their visitors. For Twitter this is a second this year and now the comprise 50% of the web incidents for 2009. Is this going to be the year of Web 2.0 security?

Add new comment

WHID 2008-38: DNSChanger Trojans v4.0

[View]

The DNSchanger Trojan uses different methods to manipulate the DNS lookup of the victim. One of the most malicious techniques is using CSRF to attack the ADSL or cable router and modify its DNS tables.

More Information:

McAfee: DNSChanger Trojans v4.0, Dec 4th 2008

Add new comment

WHID 2008-05: Drive-by Pharming in the Wild

[View]

Add new comment

Latest Stories

WAFs are not perfect, but is any security tool perfect? (Feb 9th 2010)
Forrester estimates the WAF market to be $220M in 2010 (Feb 9th 2010)
ModSecurity exceptions for TYPO3 (Jan 20th 2010)
Presentation about WAFs in the cloud (Jan 15th 2010)
The curse of PCI for WAFs (Jan 11th 2010)
A New Year, a New Acronym (Jan 10th 2010)
A Remote Command Injection Vulnerability Applicure's dotDefender Site Management. (Dec 10th 2009)

Navigation

Subscribe:

Xiom is the place to find information about Web Application Firewalls (WAFs) including reviews, analysis, announcements and research. Tune to the RSS channel to get every bit of information or subscribe to the newsletter to receive only in depth articles.

Xiom also leasd and hosts the Web Hacking Incidents Database, a Web Application Security Consortium project aimed at maintaining a list of web applications related security incidents.

Xiom is a community web site lead by Ofer Shezaf.

Xiom.com

The Web Application Firewalls Information Center

Cross Site Request Forgery (CSRF)

WHID 2009-38: Time's Poll For Most Influencial Hacked

WHID 2009-37: Twitter XSS/CSRF worm series (Updated)

WHID 2009-4: Twitter Personal Info CSRF

WHID 2008-38: DNSChanger Trojans v4.0

WHID 2008-05: Drive-by Pharming in the Wild

WAF Resources

Latest Stories

Navigation