In our GoatFriends example, suppose our attacker
has a specific group of people that she personally knows and whom she wants to remove
from the site. Her best bet might be to send HTML e-mails with a falsified From: address
containing a link like this:
A message from GoatFriends!
George wants to be your friend, would you like to:
Accept?   Deny?

After the user clicks either link, the user's browser sends a request to cancel his or her
account, automatically attaching any current cookies set for that site.
Of course, this attack relies on the assumption that the victim has a valid session
cookie in his browser when he clicks the link in the attacker's e-mail. Depending on the
exact configuration of the site, this is a big assumption to make.
Some web applications, such as web mail and customized personal portals, will use
persistent session cookies that are stored in the user's browser between reboots and are
valid for weeks. Like many other social networking applications, however, GoatFriends
uses two cookies for session authentication: a persistent cookie that lasts for months
containing the user's ID for basic customization of the user's entry page and to prefill the
username box for logins, and a nonpersistent cookie that is deleted each time the browser
is closed, containing the SessionID necessary for dangerous actions.
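The following is an added example, not code from the book or from any real GoatFriends site. It models the account-cancel handler described above in two forms: the vulnerable one, where any request carrying a valid SessionID cookie (including one triggered by a link in someone else's e-mail) cancels the account, and a hardened one that additionally requires POST and a per-session anti-CSRF token, which a page on another origin cannot obtain. The session table, cookie name, key and Request shape are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for GoatFriends' server-side state (assumed, not from the book).
SESSIONS = {"sess-abc123": "alice"}           # SessionID cookie value -> account
ACCOUNTS = {"alice": {"active": True}}
SERVER_KEY = secrets.token_bytes(32)          # per-deployment secret for token derivation

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # what the browser attaches automatically
    params: dict = field(default_factory=dict)   # query string or form body

def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-CSRF token the server can recheck without storing it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def cancel_vulnerable(req: Request) -> str:
    """Vulnerable: presence of a valid SessionID cookie is the only check, so a GET
    the browser issues on the victim's behalf (e.g. from an e-mail link) succeeds."""
    user = SESSIONS.get(req.cookies.get("SessionID"))
    if user is None:
        return "401 not logged in"
    ACCOUNTS[user]["active"] = False
    return "200 account cancelled"

def cancel_hardened(req: Request) -> str:
    """Hardened: a state change needs POST plus a token bound to the session. The
    cookie is still attached by the browser, but the token is not, so a cross-site
    request lacks it and is refused."""
    user = SESSIONS.get(req.cookies.get("SessionID"))
    if user is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 use POST for state-changing actions"
    expected = csrf_token_for(req.cookies["SessionID"])
    if not hmac.compare_digest(req.params.get("csrf_token", ""), expected):
        return "403 missing or invalid CSRF token"
    ACCOUNTS[user]["active"] = False
    return "200 account cancelled"

def reset_account(user: str = "alice") -> None:
    """Test helper: restore the constructed account to its active state."""
    ACCOUNTS[user]["active"] = True
```

The nonpersistent SessionID cookie GoatFriends uses narrows the window in which the vulnerable handler can be triggered, but only the token check in the hardened handler makes the cookie's presence insufficient on its own.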