[WEB SECURITY] How are you tackling CSRF?

Arian J. Evans arian.evans at anachronic.com
Fri Apr 22 23:19:26 EDT 2011


Tasos - thank you for explaining how you test for this!

We actually cover this testing paradigm in the article. We find it to be
littered with so many false positives that business owners wind up
ignoring the overall results, as we discuss in the article. There are
other drawbacks as well from what we have observed.

What have you found in terms of response to your results so far?

---
Arian Evans
Sybarite Software Security Scanning Savant


On Fri, Apr 22, 2011 at 1:01 PM, Tasos Laskos <tasos.laskos at gmail.com> wrote:
> Hi,
>
> When it comes to automated identification I[1] look for forms that only
> appear *with* the set cookies and ignore the rest.
> It's a fair bet to assume that those forms will be tightly coupled with the
> current user/session and thus affect business logic in one way or another.
>
> Then I check whether they contain any CSRF tokens[2]; if they don't, they are
> logged and reported.
>
> This provides a more detailed breakdown:
> http://trainofthought.segfault.gr/wp-content/uploads/2010/10/Automated-detection-of-CSRF-worthy-HTML-forms-through-4-pass-reverse-Diff-analysis.pdf
>
> Cheers,
> Tasos L.
>
> [1] When I say "I" I mean Arachni.
> [2] Unrecognized token formats are a weakness of this approach -- you can't
> anticipate everything.
>
>
> On 04/22/2011 07:30 PM, Jeremiah Grossman wrote:
>>
>> Hi All,
>>
>>        Over the last year I've been noticing increased interest and
>> awareness of Cross-Site Request Forgery (CSRF). A welcome change as for most
>> of the last decade few considered CSRF a vulnerability at all, but an
>> artifact of the way the web was designed. But, as it normally happens,
>> the bad guys have been showing us how damaging CSRF can really be.
>>
>> To help bring more clarity we've recently published a detailed blog post
>> describing how our testing methodology approaches CSRF. What we're
>> interested in is how other pen-testers and developers are tackling the issue
>> because automated detection is currently of limited help.
>>
>> WhiteHat Security’s Approach to Detecting Cross-Site Request Forgery
>> (CSRF)
>>
>> https://blog.whitehatsec.com/whitehat-security%E2%80%99s-approach-to-detecting-cross-site-request-forgery-csrf/
>>
>> FYI: Several weeks ago we launched our new blog, where I'll be diverting
>> all my web security material. We've been piling up new content:
>> https://blog.whitehatsec.com/
>>
>>
>> Regards,
>>
>> Jeremiah Grossman
>> Chief Technology Officer
>> WhiteHat Security, Inc.
>> http://www.whitehatsec.com/
>>
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>
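The heuristic Tasos describes above, worked through as an added example: the same forms are fetched with and without the session cookie, the forms that appear only in the cookie-bearing fetch are treated as session-coupled, and those lacking a token-like hidden input are reported. This is illustration code, not Arachni's implementation or anything from the linked paper; the token-name pattern and the two sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# Hidden-input names that look like an anti-CSRF token. This list is the weak
# spot footnote [2] names: a token under an unrecognised name is simply missed.
TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)

class FormCollector(HTMLParser):
    """Collect every <form> as {method, action, hidden: [hidden input names]}."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "", "hidden": []}
        elif (tag == "input" and self._cur is not None
              and (a.get("type") or "").lower() == "hidden"):
            self._cur["hidden"].append(a.get("name") or "")
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def forms_in(html):
    p = FormCollector()
    p.feed(html)
    p.close()
    return p.forms

def has_token(form):
    return any(TOKEN_NAME.search(name) for name in form["hidden"])

def untokenized_session_forms(anon_html, auth_html):
    """Forms seen only in the cookie-bearing fetch are session-coupled; those
    among them with no token-like hidden input come back as (method, action)."""
    anon = {(f["method"], f["action"]) for f in forms_in(anon_html)}
    return [(f["method"], f["action"]) for f in forms_in(auth_html)
            if (f["method"], f["action"]) not in anon and not has_token(f)]

# Constructed sample pages standing in for an anonymous and a logged-in fetch.
ANON_HTML = """<form method="get" action="/search"><input name="q"></form>
<form method="post" action="/login"><input name="u"><input name="p"></form>"""
AUTH_HTML = """<form method="get" action="/search"><input name="q"></form>
<form method="post" action="/account/email"><input type="hidden" name="uid" value="42">
<input name="email"></form>
<form method="post" action="/transfer"><input type="hidden" name="csrf_token" value="x">
<input name="amount"></form>
<form method="post" action="/logout"></form>"""
```

On the sample pages the search form is ignored because it exists without a session, the transfer form passes because it carries a recognised token name, and the e-mail-change and logout forms are reported.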
