[WEB SECURITY] CSRF Exploitability?

Achim Hoffmann websec10 at sic-sec.org
Wed Apr 27 17:09:05 EDT 2011

On 27.04.11 19:24, Rohit Pitke wrote:
> Hello,
> I always see some resistance from product teams to implement CSRF protection 
> with the argument that
> this attack requires too many prerequisites. User has to be logged in. Has to be 
> enticed to click on some link. Has to click on that link, etc.

There are a couple of myths about exploitability and proper protection of CSRF
around. The following applies if not properly protected:

	* CSRF is possible without XSS
	* CSRF is not limited to GET requests
	* CSRF is not limited to dynamic content
	* CSRF does not (always) require GET or POST parameters
	* CSRF can either be on same site or on another site (no SOP)
	* CSRF does not require any active scripting in the browser
	* CSRF is not limited to cookie-based sessions (Basic/Digest Auth. and
	  even Card-Readers can be vulnerable)
	* idempotent actions can be vulnerable
	* CSRF does not require clicking something

Some of the above need proper implementation of business logic, while some
require a proper protection mechanism. In general, both are necessary to inhibit CSRF.

> I know that social engineering is prevalent and enticing is not a very remote 
> possibility.

As CSRF can often be hidden anywhere, it works without social engineering.

> But I want to know how you guys impart the importance of CSRF among your product 
> teams?
> Are you aware of any exploitation method other than social engineering/link 
> enticing?
> I am interested in knowing thoughts about this and not about technical details 
> of exploitation as I am aware of them.

Hope this helps to strengthen the threat.
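As an added illustration of the "proper protection mechanism" the reply refers to (this is example code written for this page, not code from the list post or its author), the following synchronizer-token check covers several of the bullets above: it ignores which carrier the session arrives in (cookie, Basic/Digest, whatever the framework resolved into a session id), it requires a token on every non-safe method rather than only on POST, it treats a state change reached over GET as a logic defect that no token can repair, and it uses Origin/Referer only as a secondary signal because those headers may be absent. Host names, paths and request data are constructed placeholders.

```python
"""Synchronizer-token CSRF guard (added example; constructed data throughout)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Origins the application itself is served from (assumed placeholder values).
TRUSTED_ORIGINS = {"https://app.example.test"}
# Methods that must never change state; anything else needs a token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Handlers known to change state (placeholders). Reaching one of them via a
# safe method is a business-logic defect: the token check never sees it.
STATE_CHANGING_PATHS = {"/account/email", "/transfer"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    # Session id as resolved by the framework from whatever authenticated the
    # request (cookie, HTTP Basic/Digest, client cert). CSRF does not care.
    session_id: Optional[str] = None


class CsrfGuard:
    def __init__(self):
        self._tokens = {}  # session_id -> per-session random token

    def issue_token(self, session_id):
        """Create (or reuse) the token for a session; embed it in every form."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def _origin_ok(self, headers):
        """Reject only on positive evidence of a foreign origin.
        A missing Origin and Referer proves nothing, so the token decides."""
        origin = headers.get("Origin")
        if origin is None:
            referer = headers.get("Referer")
            if referer is None:
                return True
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
        return origin in TRUSTED_ORIGINS

    def check(self, req):
        """Return (allowed, reason) for one request."""
        if req.session_id is None:
            return True, "no session to ride on"
        if req.method in SAFE_METHODS:
            if req.path in STATE_CHANGING_PATHS:
                return False, "state change over a safe method"
            return True, "safe method"
        if not self._origin_ok(req.headers):
            return False, "foreign Origin/Referer"
        expected = self._tokens.get(req.session_id)
        supplied = req.form.get("csrf_token", "")
        # Constant-time compare; the token is bound to *this* session, so a
        # token issued to any other session is just a wrong value.
        if expected is None or not hmac.compare_digest(expected, supplied):
            return False, "missing or wrong token"
        return True, "token matches session"


def demo():
    """Run constructed requests through the guard; returns {case: allowed}."""
    guard = CsrfGuard()
    victim, other = "sess-victim", "sess-other"
    token = guard.issue_token(victim)
    other_token = guard.issue_token(other)
    app = {"Origin": "https://app.example.test"}
    foreign = {"Origin": "https://foreign.example.test"}
    cases = {
        "own form, valid token": Request("POST", "/transfer", app, {"csrf_token": token}, victim),
        "foreign origin, no token": Request("POST", "/transfer", foreign, {}, victim),
        "no headers, no token": Request("POST", "/transfer", {}, {}, victim),
        "token from another session": Request("POST", "/transfer", app, {"csrf_token": other_token}, victim),
        "state change via GET": Request("GET", "/transfer", {}, {}, victim),
        "plain GET": Request("GET", "/account", {}, {}, victim),
        "no session at all": Request("POST", "/login", {}, {}, None),
    }
    return {name: guard.check(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {name}")
```

The guard deliberately does not distinguish cookie sessions from Basic/Digest sessions: the token is the only thing a foreign page cannot supply, so it is the primary control and the Origin/Referer check is just a cheap early rejection. The "state change via GET" case is denied outright rather than token-checked to make the point that the fix for such an endpoint is in the application's design, not in the CSRF layer.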

