Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Our attacker knows this from her reconnaissance of the site, so she comes up with an alternative attack that guarantees that the victims will be authenticated when the request is made.

Many applications that require authentication contain an interstitial login page that is automatically displayed whenever a user attempts an action he or she is not authenticated for, or when a user leaves a session long enough to time out. Almost always, these pages implement a redirector, which gives the user a seamless experience by redirecting the browser to the requested resource once the user has authenticated. Our attacker, knowing that users are accustomed to seeing this page, recrafts her e-mail to use the redirector in her attack:

A message from GoatFriends!

George wants to be your friend, would you like to:

Accept?
Deny?


The unsuspecting user, clicking either the Accept or Deny link, is then presented with the legitimate GoatFriend interstitial login page.
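One server-side design that removes the foothold described above, as an added example that is not the book's or GoatFriends' code: the post-login redirector only honours an allow-list of same-origin, read-only paths, and the Accept/Deny endpoint requires a POST carrying a session-bound token, so a browser that lands on it by redirect after authenticating changes nothing. The paths, session ids and secret are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed allow-list: only read-only, same-origin landing pages are valid
# post-login destinations. State-changing endpoints are deliberately absent.
SAFE_REDIRECT_PREFIXES = ("/home", "/profile", "/friends/requests")
DEMO_SECRET = b"constructed-demo-secret"  # constructed; real value comes from config


def safe_redirect_target(next_param, default="/home"):
    """Return the post-login destination for ?next=..., or the default.

    Absolute URLs, scheme-relative //host URLs and any path outside the
    allow-list fall back to the default. The allow-list is the real control:
    it also covers parser quirks such as ///evil.example, which urlsplit
    reads as path "/evil.example" and which is not on the list.
    """
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    if not any(parts.path == p or parts.path.startswith(p + "/")
               for p in SAFE_REDIRECT_PREFIXES):
        return default
    return parts.path + ("?" + parts.query if parts.query else "")


def csrf_token(session_id, secret=DEMO_SECRET):
    """Session-bound synchronizer token (HMAC of the session id)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_friend_action(method, session_id, form, secret=DEMO_SECRET):
    """Accept/Deny handler; returns (status, message).

    A GET, which is all a redirect can produce, never changes state, so
    arriving here after the interstitial login does nothing. The POST must
    carry this session's token, which a cross-site page cannot read.
    """
    if method != "POST":
        return 405, "use POST"
    expected = csrf_token(session_id, secret)
    if not hmac.compare_digest(form.get("csrf", ""), expected):
        return 403, "missing or invalid CSRF token"
    outcome = {"accept": "accepted", "deny": "denied"}.get(form.get("action"))
    if outcome is None:
        return 400, "unknown action"
    return 200, f"friend request {outcome}"
```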
