websecurity December 2007 archive
Main Archive Page > Month Archives  > websecurity archives
websecurity: Re: [WEB SECURITY] Performing Distributed Brute For

Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF

From: <bugtraq_at_nospam>
Date: Tue Dec 11 2007 - 18:13:21 GMT
To: haroon@sensepost.com (haroon meer)


> Thanks for the kind words on the talk..
> If you check out the visio at:
> http://www.sensepost.com/blogstatic/2007/08/dxsrt.png you will see that
> its pretty much the same attack..

Ah, I hadn't actually seen the visio slides. Do you have a link to them? I can't traverse upwards and would love to link this.

> In a shameless display of self-pimpage, check out the paper
> http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf
> from page 12.. Figure 23 for example shows the results in a

I actually hadn't read this, but I will now :)

You don't outline explicity brute forcing in this text just to identify if a user is logged in or not (which your talk is referenced) and some of the issues related to doing it.

I'll update the post with a reference to your great read :)

Regards,
- Robert



Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]