For my Black Hat talk I had to come up with some made-up terms in order to find sensible enough categories in which my material actually fits. So, I will put them all up here for feedback from the audience.
Cross-context Request Forgery
CCRF (Cross-context Request Forgery) is the generalized form of CSRF (Cross-site Request Forgery). Although the general notion is that CSRF only applies to site-to-site types of attacks, the reality is very different. CSRF attacks also apply to application-to-application attacks and many other forms. I find that the word context is the most generic way of expressing the essence of the attack, so this is what I use in the talk as well.
Cross-context Scripting
In a similar fashion to CCRF, Cross-context Scripting (XCS) is the generalized form of Cross-site Scripting (XSS). Many people are very ignorant when it comes to XSS attacks. They believe that they are only present within Websites. Well, in reality they are everywhere. This category will summarize all XCS attacks, including vulnerabilities that affect Websites and other client-side Web-based technologies.
Command Fixation Attacks
There is a growing trend of using features built into client-side technologies which allow attackers to execute commands on behalf of the user without authorization. I call them Command Fixation Attacks, and in some cases Parameter Fixation Attacks, as they are very similar to the Session Fixation Attacks well known in the Web security world. This section will describe numerous case studies within this category.
Needless to say, the talk will include a wide range of design bugs, some of which you might already be familiar with because I’ve already blogged about them on GNUCITIZEN. There will be several new exploits and design conditions which haven’t been discussed in public yet.

For the sole purpose of discussing with someone what a certain vulnerability does, such terminology is helpful, granted that people still understand that there are basically two underlying principles that define pretty much all appsec problems:
- input vulnerabilities
For example: XSS, SQLi, code c.q. command injection.
- unauthorized request vulnerabilities
For example: CSRF, session fixation, SOP violations.
Since these are my generalizations, I understand the need for better terminology to explain each of them ‘context’ based, but how do you envisage the problem with people trying to understand the type of definition that lies beneath it? I found out that the more you coin new terms, the harder it is for people to look beyond them and see its context while they disregard some of the other terminology. This happened with most old school security folks who are still under the firewall syndrome; it took some of them a while to realize that most of the vulnerabilities in a network layer also work in the software layer, but they had different terminology c.q. definitions which made them reject the idea of appsec dangers while at the basis it’s basically the same.