CWE-352: Cross-Site Request Forgery (CSRF)

Compound Element ID: 352 (Compound Element Variant: Composite)

Status: Draft

Description

A web application affected by this weakness does not, or cannot, sufficiently verify whether a well-formed, valid and consistent request was submitted with the intent of the user who sent it.

Extended Description

When a web server is designed to accept requests without verifying them, an attacker can trick a client into sending an unintended request to the web server, and the web server treats that request as legitimate.
The attack is carried out through a URL, an image load, an XMLHttpRequest or similar means, and can result in data exposure or unintended code execution.

Alternate Terms

Session Riding
Cross Site Reference Forgery
XSRF

Theoretical Notes

The CSRF topology spans multiple channels:

1. From the attacker to the intermediary user. This interaction goes through an external channel.
2. From the intermediary user to the target server. This interaction goes through an internal channel.

Time of Introduction

Architecture and Design

Applicable Platforms

Languages

Language-independent

Technologies

Web Server

Common Consequences

Scope | Impact
Confidentiality, Integrity, Availability | Technical impact: gain privileges or assume identity; bypass protection mechanism; read application data

The severity depends on the nature of the functionality in which the CSRF weakness exists. An attacker can effectively perform any operation as the victim. If the victim is an administrator or a privileged user, the attacker gains complete control of the web application (deleting or tampering with data, uninstalling the product, or using it as a base for attacks against all of the product's users). Because the attacker acts under the victim's identity, the reach of CSRF is limited only by the victim's privileges.

Likelihood of Exploit

Medium to High

Detection Methods

Manual Analysis
This weakness can be detected with techniques and tools that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that let the tester record and modify an active session.

Specifically, manual analysis is useful for finding this weakness and, given an understanding of the business logic, for keeping false positives to a minimum. However, analyzing the whole code base under time constraints will not be feasible. In black-box analysis, if credentials for privileged accounts are not available, the most security-sensitive parts of the application may not receive adequate attention.

Use of OWASP CSRFTester is recommended to identify potential issues and to assist manual analysis.

Effectiveness: High
Manual analysis is effective when carried out thoroughly. It is especially effective when the weakness relates to design and business rules.

Automated Static Analysis
CSRF is currently difficult to detect reliably using automated techniques. The reason is that each application has its own implicit security policy dictating which requests may be influenced by an outsider and performed automatically on the user's behalf, and which requests require strong confidence that the user intends to make them. For example, a keyword search on the public part of a web site is generally expected to be encoded as a link that a user can embed anywhere and that is executed directly when typed into a browser.

Effectiveness: Limited

Demonstrative Examples

Example 1:

The following PHP code attempts to make the processing of form input safe by checking that the user's input arrives within a valid session. However, because the attacker forges a request from the web browser of a user who already holds a valid session, this countermeasure does not prevent a CSRF attack. The HTML below is intended to let a user update a profile.

Example Language: HTML (Bad Code)
<form action="/url/profile.php" method="post">
<input type="text" name="firstname"/>
<input type="text" name="lastname"/>
<br/>
<input type="text" name="email"/>
<input type="submit" name="submit" value="Update"/>
</form>

profile.php contains the following code.

Example Language: PHP (Bad Code)
<?php
// initiate the session in order to validate sessions
session_start();

// if the session is registered to a valid user then allow update
// (the original example used session_is_registered(), which was removed in PHP 5.4)
if (!isset($_SESSION['username'])) {
    echo "invalid session detected!";
    // Redirect user to login page
    [...]
    exit;
}

// The user session is valid, so process the request
// and update the information. Note that nothing ties this POST to a
// form the user actually submitted: any site can make the browser send it.
update_profile();

function update_profile() {
    // read in the data from $_POST and send an update
    // to the database
    SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
    [...]
    echo "Your profile has been successfully updated.";
}

At first glance this code appears protected, because it checks for a valid session. However, a CSRF attack can generally be staged through any tag that can construct HTML, including image tags, links, embedded object tags, tags that load a background image, and many others.

An attacker can plant code that changes the user name and e-mail address of any user who visits a page while logged in to the target web application. That code would be included in the attacker's web page as follows.

Observed Examples

Reference | Description
CVE-2004-1703 Add user accounts via a URL in an img tag
CVE-2004-1995 Add user accounts via a URL in an img tag
CVE-2004-1967 Arbitrary code execution by specifying the code in a crafted img tag or URL
CVE-2004-1842 Gain administrative privileges via a URL in an img tag
CVE-2005-1947 Delete a victim's information via a URL or an img tag
CVE-2005-2059 Change another users settings via a URL or an img tag
CVE-2005-1674 Perform actions as administrator via a URL or an img tag
CVE-2009-3520 modify password for the administrator
CVE-2009-3022 CMS allows modification of configuration via CSRF attack against the administrator
CVE-2009-3759 web interface allows password changes or stopping a virtual machine via CSRF

Potential Mitigations

Phase: Architecture and Design

Strategy: Libraries or Frameworks
Use a thoroughly vetted library or framework that provides facilities which prevent this weakness from occurring or make it easier to avoid.
One example is a CSRF defense package such as OWASP CSRFGuard.
Another example is the ESAPI Session Management control, which includes a component for defending against CSRF.

Phase: Implementation

Because most CSRF defenses can be bypassed by attacker-supplied script, first confirm that the application has no cross-site scripting issues (CWE-79).

Phase: Architecture and Design

Generate and set a random nonce for each form, and verify that it is correct when the form is received.
The nonce must not be guessable (CWE-330).
Note that this mitigation can be bypassed through cross-site scripting (CWE-79).

Phase: Architecture and Design

Identify especially dangerous operations. When a user performs a dangerous operation, send a separate confirmation request to verify that the user really intends that operation.
Note that this mitigation can be bypassed through cross-site scripting (CWE-79).

Phase: Architecture and Design

Use the "double-submitted cookie" method proposed by Felten and Zeller.
Because this technique requires JavaScript, it has no effect in browsers where JavaScript is disabled.
Note that this mitigation can be bypassed through cross-site scripting (CWE-79).

Phase: Architecture and Design

Do not use the GET method for any request that triggers a state change.

Phase: Implementation

Check the HTTP Referer header to verify that the request was sent from the intended page. Because users may have disabled sending the Referer for proxy or privacy reasons, this can break legitimate functionality.
Note that this mitigation can be bypassed through cross-site scripting (CWE-79). Using cross-site scripting, an attacker could generate a spoofed Referer impersonating the user, or generate an arbitrary malicious request from a page whose Referer is accepted.
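As an added example (not code from the CWE entry or from this translation), here is the profile.php of Example 1 rewritten to apply two of the mitigations above: an unguessable per-session nonce embedded in the form and verified on submission, and no state change on GET. The field names and the SendUpdateToDatabase() helper are taken from Example 1 and assumed to exist; the field name csrf_token is an assumption.

```php
<?php
// Added example: profile.php with a per-session synchronizer token.
session_start();

if (!isset($_SESSION['username'])) {
    echo "invalid session detected!";
    exit;
}

// Mitigation: a random, unguessable token (CWE-330) bound to this session.
// A page on another origin cannot read it, so a forged request cannot carry it.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Mitigation: GET never changes state; it only renders the form with
    // the token in a hidden field (escaped before it is placed in HTML).
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo '<form action="/url/profile.php" method="post">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '"/>'
       . '<input type="text" name="firstname"/>'
       . '<input type="text" name="lastname"/><br/>'
       . '<input type="text" name="email"/>'
       . '<input type="submit" name="submit" value="Update"/>'
       . '</form>';
    exit;
}

// POST: the submitted token must be a string that matches the session token.
// hash_equals() compares in constant time so the token cannot be probed.
$submitted = $_POST['csrf_token'] ?? '';
if (!is_string($submitted) || !hash_equals($_SESSION['csrf_token'], $submitted)) {
    http_response_code(403);
    echo "request rejected: missing or invalid CSRF token";
    exit;
}

// Only a request that carries the token reaches the state change.
// SendUpdateToDatabase() is the hypothetical helper from Example 1.
SendUpdateToDatabase($_SESSION['username'], $_POST['email']);
echo "Your profile has been successfully updated.";
```

The token check is independent of the session cookie: the browser still attaches the cookie to a cross-site POST, but the attacker's page cannot supply the hidden field's value, so the request is refused before the update runs.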

Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
Requires | Weakness Base | 346 | Origin Validation Error | Research Concepts (1000)
Requires | Weakness Base | 441 | Unintended Proxy/Intermediary | Research Concepts (1000)
Requires | Weakness Base | 613 | Unintended Proxy/Intermediary | Research Concepts (1000)
Requires | Weakness Class | 642 | External Control of Critical State Data | Research Concepts (1000)
ChildOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Development Concepts (primary) (699); Research Concepts (primary) (1000)
ChildOf | Category | 716 | OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF) | Weaknesses in OWASP Top Ten (2007) (primary) (629)
ChildOf | Category | 751 | 2009 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) (750)
ChildOf | Category | 801 | 2010 Top 25 - Insecure Interaction Between Components | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) (800)
ChildOf | Category | 814 | OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery (CSRF) | Weaknesses in OWASP Top Ten (2010) (primary) (809)
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) (635)
PeerOf | Weakness Base | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Research Concepts (1000)

Relationship Notes

Cross-site scripting (XSS) can give rise to CSRF.
(However, XSS is not necessarily the cause of CSRF.)

Research Gaps (CWE's assessment)

CSRF was under-reported in CVE until around 2008, when research on it became active, even though it is a weakness present in most web applications.

Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Cross-Site Request Forgery (CSRF)
OWASP Top Ten 2007 | A5 | Exact | Cross Site Request Forgery (CSRF)
WASC | 9 | | Cross-site Request Forgery

Related Attack Patterns

CAPEC-ID | Attack Pattern Name (CAPEC Version 1.5)
62 | Cross Site Request Forgery (aka Session Riding)
111 | JSON Hijacking (aka JavaScript Hijacking)

References

[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 2: Web-Server Related Vulnerabilities (XSS, XSRF, and Response Splitting)." Page 37. McGraw-Hill. 2010.
Peter W. "Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)". Bugtraq. <http://marc.info/?l=bugtraq&m=99263135911884&w=2>.
OWASP. "Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet". <http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet>.
Edward W. Felten and William Zeller. "Cross-Site Request Forgeries: Exploitation and Prevention". 2008-10-18. <http://freedom-to-tinker.com/sites/default/files/csrf.pdf>.
Robert Auger. "CSRF - The Cross-Site Request Forgery (CSRF/XSRF) FAQ". <http://www.cgisecurity.com/articles/csrf-faq.shtml>.
Cross-site request forgery. Wikipedia. 2008-12-22. <http://en.wikipedia.org/wiki/Cross-site_request_forgery>.
Jason Lam. "Top 25 Series - Rank 4 - Cross Site Request Forgery". SANS Software Security Institute. 2010-03-03. <http://blogs.sans.org/appsecstreetfighter/2010/03/03/top-25-series-%E2%80%93-rank-4-%E2%80%93-cross-site-request-forgery/>.

Update History

[2011-04-21]
  Updated based on the data as of 2010-10-12.
[2009-06-29]
  Created based on the following URL as of 2009-02-02:
    http://cwe.mitre.org/data/definitions/352.html

Registered: 2011/04/21

Last updated: 2023/04/04

