• The existence of per-user or per-session parameters. The most dangerous
types of CSRF vulnerabilities can be used against any user with a valid cookie
on the victim site. The GoatFriends application is a good example of this kind
of flaw: an attacker can use exactly the same attack code for every single user,
and no calculation or customization is necessary. These vulnerabilities can be
deployed in a scattershot fashion to thousands of potential victims, through
a mechanism such as a blog posting, spam e-mails or a defaced web site. In
contrast, a CSRF vulnerability with any parameters that are individualized per
user or session will need to be specifically targeted against a victim.

• The difficulty in guessing per-user or per-session parameters. If these
parameters do exist, it is important to judge whether it is practical for an
attacker either to derive these parameters from other information or to guess the
correct value. Hidden parameters to a request may range from data that looks
dense but is easily guessed, such as the system time at millisecond resolution,
to less dense data that is more difficult to guess, such as a user's internal ID
number. Information that looks highly random could be anything but, and
in many situations "unguessable" information is not actually unpredictable,
but merely unique (the time plus the date is a unique number, but not an
unpredictable number).
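As an added example (not code from the book), the unique-versus-unpredictable distinction above in Python: a timestamp-derived token that a developer can reproduce from the clock alone, beside a session-bound token built from a random nonce and an HMAC under an assumed server secret `SECRET_KEY`. The function and variable names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in a real deployment it is loaded from configuration.
SECRET_KEY = secrets.token_bytes(32)

def timestamp_token() -> str:
    """Looks dense (hex of the clock in ms) but is unique rather than unpredictable."""
    return format(int(time.time() * 1000), "x")

def derivable_from_clock(token: str, window_ms: int = 5000) -> bool:
    """Self-check: is this token simply a recent millisecond timestamp?"""
    now = int(time.time() * 1000)
    return any(format(t, "x") == token for t in range(now - window_ms, now + 1))

def make_csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """16 random bytes plus an HMAC binding the nonce to this session."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(key, nonce + session_id.encode(), hashlib.sha256).digest()
    return (nonce + tag).hex()

def verify_csrf_token(token: str, session_id: str, key: bytes = SECRET_KEY) -> bool:
    """Reject malformed tokens, tokens for another session, and forged tags."""
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != 16 + 32:
        return False
    nonce, tag = raw[:16], raw[16:]
    expected = hmac.new(key, nonce + session_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison
```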