[WEB SECURITY] CSRF Exploitability?
tasos.laskos at gmail.com
Wed Apr 27 13:51:02 EDT 2011
On 04/27/2011 06:24 PM, Rohit Pitke wrote:
> I always see some resistance from product teams to implement CSRF
> protection with the argument that
> this attack requires too many prerequisites. User has to be logged in.
> Has to be enticed to click on some link. Has to click on that link etc.
Yep, but it only needs to happen once, and as time passes the chances of
it happening will steadily go up.
> I know that social engineering is prevalent and enticing is not very
> remote possibility.
> But want to know how do you guys impart importance of CSRF among your
> product teams?
> Are you aware of any exploitation method other than social
> engineering/link enticing?
Worst case scenario is that a high-traffic website has been compromised
(using XSS for example) so as to realize an attack against a CSRF vulnerability.
So if -- let's say -- PayPal is vulnerable to CSRF and Slashdot had been
made to include a piece of JS that requests Paypal to transfer money
from a user's account to the account of evil.attacker at mail.com
then every Paypal user that visits Slashdot will be robbed.
And since Slashdot has a ridiculous amount of traffic and a high
percentage of the visitors will have Paypal accounts the attacker will
be able to retire to the Barbados.
> I am interested in knowing thoughts about this and not about technical
> details of exploitation as I am aware of them.
> Rohit Pitke
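The scenario described in the reply (script on a high-traffic site firing an authenticated request at a CSRF-vulnerable endpoint) is defeated on the server by a per-session synchronizer token plus an Origin check. The following added example is not code from the thread or from any product mentioned in it; it uses placeholder origins (`paypal.example`, `slashdot.example`), a constructed in-memory session store, and dict-shaped requests standing in for a real framework's request object. It shows the transfer endpoint in its cookie-only form beside the protected form, and replays a forged cross-site POST against both.

```python
import hmac
import secrets

# Placeholder origin for the site being defended (assumption, not a real deployment).
SITE_ORIGIN = "https://paypal.example"

# Constructed in-memory session store: session id -> session state.
SESSIONS = {}


def new_session(user, balance=100):
    """Log a user in: mint a session cookie value and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "balance": balance}
    return sid


def render_transfer_form(sid):
    """The site's own page embeds the session's token in a hidden field.
    A page on another origin cannot read this response, so it never learns the token."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer_vulnerable(request):
    """Before: trusts the session cookie alone. The browser attaches that cookie to a
    request triggered from any site the user visits, so the transfer goes through."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    session["balance"] -= int(request["form"]["amount"])
    return 200


def handle_transfer_protected(request):
    """After: the same endpoint with two independent checks before the state change."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    # Check 1: the request must originate from our own site. Browsers set Origin on
    # cross-origin POSTs and page script cannot override it; fall back to Referer.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    # Check 2: the submitted synchronizer token must match the session's token.
    # Constant-time comparison so the check itself does not leak the token.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["balance"] -= int(request["form"]["amount"])
    return 200


def demo():
    """Replay the thread's scenario against both handlers and return what happened."""
    results = {}
    sid = new_session("victim")

    # Constructed forged request: script on another site posts to /transfer. The browser
    # adds the victim's cookie automatically, but the page cannot supply the token.
    forged = {
        "headers": {"Origin": "https://slashdot.example"},
        "cookies": {"sid": sid},
        "form": {"to": "attacker-account-placeholder", "amount": "100"},
    }
    results["vulnerable_forged"] = handle_transfer_vulnerable(forged)
    results["balance_after_vulnerable"] = SESSIONS[sid]["balance"]

    sid = new_session("victim")  # fresh victim session for the protected handler
    forged["cookies"] = {"sid": sid}
    results["protected_forged"] = handle_transfer_protected(forged)

    # Constructed legitimate request: submitted from the site's own form, so it carries
    # both the first-party Origin and the token that page embedded.
    form_html = render_transfer_form(sid)
    token = form_html.split('name="csrf_token" value="')[1].split('"')[0]
    legit = {
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"sid": sid},
        "form": {"to": "friend", "amount": "10", "csrf_token": token},
    }
    results["protected_legit"] = handle_transfer_protected(legit)
    results["balance_after_protected"] = SESSIONS[sid]["balance"]
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the Origin check costs nothing and needs no form changes, while the token check still holds if a proxy strips the Origin header. Either one on its own already turns the "every visitor gets robbed" outcome into a 403 for every forged request.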