Larry Ullman's Book Forums

CSRF Attack Example on p. 45



Larry,

 

The subject of security is excruciatingly important to me since I am new at it and would like to get an e-commerce site running that sells physical products and accepts credit cards. On page 45 you cite an example of a CSRF attack which I don't understand. Wouldn't "Bob the hacker" (user=12 in the src url) need to be a registered user on the server running the example site in order to know his user id? Assuming Bob is a registered user, wouldn't this hack be risky for Bob? What am I missing here? Also, in the middle of the page you go on to say that "Bob will never see the results of the request... but hopes that his account gets credited when some authenticated user stumbles upon his code". Seems to me if Bob's account gets credited, he'll definitely see the results of his request.

 

Thank you,

Hacker (not to be confused with Bob THE hacker :) )


Thanks for the questions. Yes, Bob would need to be a registered user AND know his user ID. Unless Bob the hacker is just trying to cause trouble, in which case he may not be trying to improve his account but rather exploit the security hole for that sake alone. Which is something many hackers do: they do it not because they benefit but because they can do it.

 

If Bob is a registered user and it may be "risky", Bob is likely not registered with his real information and even if he was, and he was caught, nothing's going to happen to him anyway. And generally speaking, people who attempt to hack into computers and systems and Web sites aren't too concerned about consequences.

 

Bob would see the end result of the request yes, in the sense of he (again, assuming this was his account) would have some way to see changes in his account, but he wouldn't see the end result of the actual request, because it's Alice's browser that's making the actual server request. In fact, Alice wouldn't see it either in this case, because it's happening as the src attribute of an image.

 

Hope that helps. Let me know if you have any other questions.

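The attack Larry describes above, as an added example that is not part of the original thread or of the book's own PHP: a Python model of add_credits.php that accepts any request carrying a valid session cookie, beside a hardened version that requires POST, checks a per-session anti-CSRF token, and credits only the logged-in user's own account. The session id "alice-sid", the user ids, the balances and the example.com URL are constructed for the demo; only "user=12" and "credits=100" come from the thread.

```python
"""Added example (not from the book): CSRF against a GET "add credits" endpoint
and one way to close it. Models add_credits.php in Python; all names, the
session store and the balances below are constructed for the demo."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ATTACKER_ID = 12   # "Bob the hacker": the user=12 in his <img src>
VICTIM_ID = 7      # "Alice": logged in when her browser renders Bob's page


def new_state():
    """Fresh server state: one live session for Alice and two account balances."""
    return {
        "sessions": {"alice-sid": {"user_id": VICTIM_ID, "csrf": secrets.token_hex(16)}},
        "accounts": {VICTIM_ID: 0, ATTACKER_ID: 0},
    }


def add_credits_vulnerable(state, method, url, cookie_sid):
    """The endpoint as the thread describes it: being logged in is the only check.

    The browser attaches the session cookie to every request to the site,
    including the fetch of an <img src>, so any page Alice views can credit
    whatever account it names in the query string. `method` is deliberately
    ignored, which is the first half of the problem.
    """
    session = state["sessions"].get(cookie_sid)
    if session is None:
        return 401
    query = parse_qs(urlparse(url).query)
    target = int(query["user"][0])
    amount = int(query["credits"][0])
    state["accounts"][target] += amount
    return 200


def add_credits_hardened(state, method, url, cookie_sid, form=None):
    """Same endpoint with three changes: state changes must be POST, must carry
    the per-session anti-CSRF token that only Alice's own page can know, and
    the account credited comes from the session, never from the request."""
    session = state["sessions"].get(cookie_sid)
    if session is None:
        return 401
    if method != "POST":
        return 405
    form = form or {}
    token = form.get("csrf_token", "")
    # Constant-time compare so the token can't be recovered byte by byte.
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    state["accounts"][session["user_id"]] += int(form["credits"])
    return 200


def bobs_image_request():
    """What Alice's browser sends when it renders Bob's page: a plain GET with
    Alice's cookie, no form body and no token. Bob never sees the response."""
    return "GET", "https://example.com/add_credits.php?user=12&credits=100", "alice-sid"


def demo():
    """Run Bob's request against both versions, plus Alice's own legitimate POST."""
    state_v = new_state()
    status_v = add_credits_vulnerable(state_v, *bobs_image_request())

    state_h = new_state()
    status_attack = add_credits_hardened(state_h, *bobs_image_request())
    # Alice's real form submission carries the token that was embedded in her page.
    status_legit = add_credits_hardened(
        state_h, "POST", "https://example.com/add_credits.php", "alice-sid",
        form={"csrf_token": state_h["sessions"]["alice-sid"]["csrf"], "credits": "5"},
    )
    return {
        "vulnerable_status": status_v,
        "vulnerable_bob_balance": state_v["accounts"][ATTACKER_ID],
        "hardened_attack_status": status_attack,
        "hardened_bob_balance": state_h["accounts"][ATTACKER_ID],
        "hardened_legit_status": status_legit,
        "hardened_alice_balance": state_h["accounts"][VICTIM_ID],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable handler Bob's image tag credits account 12 with 100 even though Bob sent nothing himself; against the hardened one the same request is refused before any balance changes, while Alice's own tokenised POST still works. Taking the user id from the session also means that even a forged request with a valid token could only ever credit the victim's own account. Marking the session cookie SameSite is a worthwhile extra layer, but it does not replace the token check.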

Larry,

 

Thank you for elaborating. In my mind, the server request (i.e., execute add_credits.php with user=12 and credits=100) is contrastive from the actual request which modifies the user's account (i.e., updates the database). Yes, it is clear to me that Alice had no idea what happened at the time of the server request.

 

Thank you for the book!

 

Regards,

Hacker

