com. These
forms perform three actions, and the browser automatically attaches Vic's session
cookie to each request. The cookie is not persistent across browsing sessions, but it is still
valid at the time of the attack: Vic's AJAX stock ticker polls the site continuously, which keeps
his session from timing out. The requests do the following things to Vic's account, as Vic, in
this order:
1. Add the attacker's bank account as a possible transfer point to Vic's brokerage
account.
2. Transfer $5000 of Vic's money into the new checking account.
3. Delete the new checking account.
Upon receiving his monthly statement a couple of weeks later, Vic notices this unauthorized
withdrawal, although he has no idea how or why it happened. He calls BadStockBroker's
customer service line to report the transaction and is transferred to the fraud department.
Upon hearing Vic's story, which lacks any details on how the incident may have occurred,
the fraud department pulls its records of transactions made by Vic's account, finding that
the transaction was made from Vic's IP address, using a cookie received from a legitimate
login, and interspersed with transactions Vic admits were his. Not understanding the CSRF
flaws on the company's web site, the fraud department contacts law enforcement, and the
ensuing investigation focuses on Vic as the prime suspect in defrauding BadStockBroker.