Posts

Showing posts from October, 2008

Interesting findings on CSRF (cross site request forgery)

Found an interesting use case where the orkut has missed out CSRF rules.

Login to orkut as User1 .
Update the status as <a href="/GLogin.aspx?cmd=logout">its good!</a>Login as User2.Go to User1's profile home and click on the status, you will be successfully logged out. :)
Should orkut does not support anchor tags in its status ??