02/25/2007 Cross-site Request Forgery and Blackhat SEO
I research whitehat and blackhat SEO in my spare time (however not on this domain :), and
was thinking about some additional uses for CSRF from the blackhat SEO perspective.
* Publishing/Spamming links: People spamming forums with links is nothing new. By utilizing CSRF, on the other hand,
you could force a website's user base (either by embedding it into your site's HTML directly, or by utilizing
an )
to submit forms containing your URL without their knowledge using the img JavaScript trick (as described above
in the .
* Redirectors: Search engines and sites displaying a site's rank (blogs, top-sites communities, top referers/incoming site links, etc...)
count the number of times a specific URL is clicked or visited. As described above, if you can
get the user to visit the site via CSRF, then you can potentially influence these counters
using unique hostnames/sessions (if the user is already logged in). I suspect this will start becoming
a real issue within the next year. One of the issues with CSRF is that the Referer is typically
sent to the target site. This can be easily hidden by utilizing an open relay issue
on a totally unrelated site, which makes that site show up in the referers instead
of the site containing the CSRF payload.
CSRF is where cross-site scripting was 5 years ago, and new and more interesting uses are going to
keep being discovered. This vuln is in it for the long haul.