Cross Origin Request Forgery – Attacking HTTPS via HTTP MiTM Injection
Introduction: There are several scenarios in which a web application may choose to deliver both HTTP and HTTPS content. It may employ per-page mixed content, it may use HTTP pre-auth and switch to...
Cross Origin Request Forgery Pt 2 – Exploiting Browser Security
Introduction: In my previous post I demonstrated how insecure handling of CSRF tokens by applications that switch between HTTP and HTTPS can put users at risk of request forgery attacks via...
11 Fallacies of Web Application Security
Introduction: By far, application security testing is one of the best parts of my job. Working one-on-one with application developers, I find that nearly all want to do the right thing when it comes to...