Tuesday, October 28, 2008

How to test for CSRF vulnerabilities

  1. Look for areas in your application that perform an action on the user's behalf, using their security context, in response to an HTTP GET request.
  2. Create a URL for the malicious action to be performed. For example: http://malicious.com/[action]
  3. Create an email containing HTML that references that URL. For example, an img tag could be used.
  4. Log into a valid testing account as the "victim".
  5. After authentication has succeeded, click on the malicious testing link in the email that was previously created.
  6. Observe the results. If the web server executed the request contained within the malicious email, a CSRF vulnerability was found!

This test relies on the fact that the resources were available via an HTTP GET request. POST requests can also be vulnerable to CSRF, but those requests must be triggered by a script that auto-submits a form that includes the malicious tags.
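To make the test above concrete, here is an added example (not code from the original post) that simulates the server side: a transfer handler that changes state on a cookie-authenticated GET, as in step 1, beside a hardened version that requires POST, a same-origin check and a per-session anti-CSRF token. The Bank class, the SITE_ORIGIN value and the request dictionaries are all constructed for the example; the forged request models what the server sees when the victim's browser loads the img tag from the malicious email.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"   # constructed: the legitimate site's origin


class Bank:
    """Toy funds-transfer backend; sessions are looked up by the cookie value."""

    def __init__(self):
        self.balances = {"victim": 100, "attacker": 0}
        self.sessions = {}                 # cookie -> {"user": ..., "csrf": ...}

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
        return cookie

    def _move(self, sess, params):
        amount = int(params["amount"])
        self.balances[sess["user"]] -= amount
        self.balances[params["to"]] = self.balances.get(params["to"], 0) + amount
        return 200, "transferred"

    def vulnerable_transfer(self, req):
        # State change on GET, authorised only by the cookie the browser attaches
        # automatically: any page the victim loads can trigger it.
        sess = self.sessions.get(req.get("cookie"))
        if not sess:
            return 401, "login required"
        return self._move(sess, req["params"])

    def hardened_transfer(self, req):
        sess = self.sessions.get(req.get("cookie"))
        if not sess:
            return 401, "login required"
        if req["method"] != "POST":        # an <img> GET never gets past here
            return 405, "state change requires POST"
        origin = req.get("headers", {}).get("Origin")   # absent or foreign when forged
        if origin != SITE_ORIGIN:
            return 403, "cross-site request rejected"
        if not hmac.compare_digest(req["params"].get("csrf", ""), sess["csrf"]):
            return 403, "missing or invalid anti-CSRF token"
        return self._move(sess, req["params"])


def forged_request(cookie):
    """Request seen when the victim's browser loads the img tag: cookie attached, no token."""
    return {"method": "GET", "cookie": cookie, "headers": {},
            "params": {"to": "attacker", "amount": "50"}}


def legitimate_request(bank, cookie):
    """Request from the site's own form: POST, same origin, token from the session."""
    return {"method": "POST", "cookie": cookie, "headers": {"Origin": SITE_ORIGIN},
            "params": {"to": "payee", "amount": "50", "csrf": bank.sessions[cookie]["csrf"]}}
```

The same forged request drains the vulnerable handler but is refused by the hardened one at the method check, and an auto-submitted cross-site form (POST without the token) is refused at the origin and token checks.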

One common user mistake that a CSRF attack takes advantage of is forgetting to log out of web applications when finished using them. Without a logout, the web application gets no chance to clear its session ID or other session information from the cookie, so the CSRF attack can succeed even when the user is not actively browsing the vulnerable website.

Please refer to this link for more details: http://www.owasp.org/index.php/CSRF

Cross Site Request Forgery attack CSRF

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim's browser into performing an undesired action on the victim's behalf. For example, this attack could result in a transfer of funds, a changed password, or a purchased item. For most websites, browsers automatically include any credentials associated with the site when they perform these types of actions. If the victim is currently authenticated to the website, the browser has no way to distinguish between a valid action chosen by the user and a malicious action initiated by an attacker through the exploitation of a CSRF vulnerability.

Monday, October 20, 2008

VSTS 2010 new tools

Microsoft will provide a new tool for addressing the "NoRepro" bugs. Please read more about this in Som's blog.



Enjoy

Thursday, September 4, 2008

State Of Art New Generation Browser From Google


Google has launched a brand new state-of-the-art next generation browser called "Google Chrome". This puppy is expected to conquer the hearts of a lion's share of existing net users.
The beta version is available to the public. You can download it using this link: GooglChromeBeta.
Enjoy,
Praveen

Wednesday, September 3, 2008

Internet Explorer 8: New Generation Browser from Microsoft




Hi All,

Microsoft has launched the latest version of Internet Explorer, IE 8. This one will be "Faster, Easier and Safer than ever..." says Microsoft.

The key features include WebSlices, Accelerators, Search Suggestions, SmartScreen Filter, Compatibility View and InPrivate Browsing.

The beta version of IE8 is available to the public. You can download it using this link: ClickHereFor IE8 Beta





Enjoy,
Praveen

Wednesday, July 23, 2008

Microsoft Tester Center Website



Microsoft announced a new web site focused on software testing, Tester Center. This is a great resource not only for those who focus on software testing, but also for developers. Developers who know how to test are valuable, just like testers who know how to code.



Enjoy

Tuesday, July 15, 2008

WPF Dispatcher

Basic idea: a mechanism is needed to respond to user and system input. In Win32 this is called a message loop. The message loop runs in the background of a Win32 application and routes messages from Windows to the application.

In WPF: here the message loop and queues are created and managed by the dispatcher. A dispatcher is an instance of the Dispatcher class. The dispatcher runs the queued tasks one by one, ordered by the priority level of each task. This Dispatcher is a true message dispatcher.

Monday, July 14, 2008

How to change the Visual Studio environment?


How do you toggle between different environments in Visual Studio? For example, suppose you are in the Tester environment but want to use the Developer environment for a couple of hours, then return to the Tester environment, and so forth.

This is where the following command becomes important:
devenv /resetuserdata
Steps: type the above command in the Visual Studio command prompt and press the Enter key. The next time you open Visual Studio it will prompt you to select the environment (the same environment settings prompt shown on first use). You can rely on the same command to come back to the previous environment or to any of the other available environments, and so forth.

Note: please have a look at the snapshot, which explains how to open the Visual Studio command prompt if you are new to Visual Studio or are stuck on how to open it.


Hope this helps


Chillax

Praveen