[WEB SECURITY] CSRF Exploitability?

Tasos Laskos tasos.laskos at gmail.com
Wed Apr 27 13:51:02 EDT 2011


Hi,

On 04/27/2011 06:24 PM, Rohit Pitke wrote:
> Hello,
>
> I always see some resistance from product teams to implements CSRF 
> protection with the argument that
>
> This attacks requires too many prerequisites. User has to logged-in. 
> Has to be enticed to click on some link. Has to click on that link etc 
> etc.
Yep, but it only needs to happen once and as time passes the chances of 
happening will steadily go up.

>
> I know that social engineering is prevalent and enticing is not very 
> remote possibility.
>
> But want to know how do you guys impart  importance of CSRF among your 
> product teams?
> Are you aware of any exploitation method other than social 
> engineering/link enticing?
>
Worst case scenario is that a high-traffic website has been compromised 
(using XSS for example) so as to realize an attack against a CSRF 
vulnerable site.

So if -- let's say -- PayPal is vulnerable to CSRF and Slashdot had been 
made to include a piece of JS that requests Paypal to transfer money 
from a user's account to the account of evil.attacker at mail.com
then every Paypal user that visits Slashdot will be robbed.

And since Slashdot has a ridiculous amount of traffic and a high 
percentage of the visitors will have Paypal accounts the attacker will 
be able to retire to the Barbados.

Cheers,
Tasos L.

> I am interested in knowing thoughts about this and not about technical 
> details of exploitation as I am aware of them.
>
> Thanks,
> Rohit Pitke
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org





More information about the websecurity mailing list