[WEB SECURITY] How are you tackling CSRF?
rohirp92 at yahoo.com
Sat Apr 23 00:54:01 EDT 2011
As far as our experience goes, if post-login, some forms do not contain
anti-CSRF tokens, it is fair chance that rest of forms will also be the same. I
have seen a notion among developers that we are using POST request and hence we
are safe. So we have recently formulated following strategy
1. Check out important enough pages post-login and check their session state.
2. If session is found to be maintained only in cookies, assume that whole
application is CSRF prone.
3. Take a help of automated scanners, train them a little bit and generate
4. Get it fixed from our developers.
For point(2), questions comes how to check if session is maintained only in
cookies. We can validate this by carefully observing requests through proxy.
Now, lately I have seen some cases where there is anti-CSRF tokens but there is
no validation of them :) . So we generally implement it like
1. All sensitive requests SHOULD be POST with https (in most of the cases).
2. Generate hidden parameter and attach it to the form. This is anti-CSRF
token. We normally take set their value same as session cookies.
3. Once this form is submitted, we check if cookie-value = value of 'that'
4. For GET requests, we normally attack anti-CSRF token in query string or we
make sure that they are not prone to XSS at all.Regards,
From: Jeremiah Grossman <jeremiah at whitehatsec.com>
To: web security <websecurity at webappsec.org>
Sent: Sat, April 23, 2011 12:00:54 AM
Subject: [WEB SECURITY] How are you tackling CSRF?
Over the last year I've been noticing increased interest and awareness of
Cross-Site Request Forgery (CSRF). A welcome change as for most of the last
decade few considered CSRF a vulnerability at all, but an artifact of the way
the web was designed. But, the as it normally happens, the bad guys have been
showing us how damaging CSRF can really be.
To help bring more clarity we've recently published a detailed blog post
describing how our testing methodology approaches CSRF. What we're interested is
how other pen-testers and developers are tackling the issue because automated
detection is currently of limited help.
WhiteHat Security’s Approach to Detecting Cross-Site Request Forgery (CSRF)
FYI: Several weeks ago we launched our new blog, where I'll be diverting all my
web security material. We've been piling up new content:
Chief Technology Officer
WhiteHat Security, Inc.
The Web Security Mailing List
WebSecurity RSS Feed
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
websecurity at lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity