[WEB SECURITY] CSRF Exploitability?
websec10 at sic-sec.org
Wed Apr 27 17:09:05 EDT 2011
On 27.04.11 19:24, Rohit Pitke wrote:
> I always see some resistance from product teams to implement CSRF protection
> with the argument that
> this attack requires too many prerequisites. User has to be logged in. Has to be
> enticed to click on some link. Has to click on that link etc. etc.
There are a couple of myths about exploitability and proper protection of CSRF
around. The following applies if not properly protected:
* CSRF is possible without XSS
* CSRF is not limited to GET requests
* CSRF is not limited to dynamic content
* CSRF does not (always) require GET or POST parameters
* CSRF can either be on same site or on another site (no SOP)
* CSRF does not require any active scripting in the browser
* CSRF is not limited to cookie-based sessions (Basic/Digest Auth. and even card readers can be vulnerable)
* idempotent actions can be vulnerable
* CSRF does not require clicking something
Some of the above need proper implementation of business logic, while some
require a proper protection mechanism. In general, both are necessary to inhibit CSRF.
> I know that social engineering is prevalent and enticing is not very remote
As CSRF can often be hidden anywhere, it works without social engineering.
> But want to know how do you guys impart importance of CSRF among your product
> Are you aware of any exploitation method other than social engineering/link
> I am interested in knowing thoughts about this and not about technical details
> of exploitation as I am aware of them.
Hope this helps to strengthen the threat.
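As an added illustration (not part of the original message or any project's code), a framework-free Python check covering two of the points above: the token check applies however the browser authenticated (session cookie or Basic Auth alike), and state-changing routes are refused on GET so that no clicking or scripting is needed for a forged request to be rejected. The request model, route names and header values are constructed for the example.

```python
import hmac
import secrets

# Constructed, framework-free model: a request is a dict with method, path,
# headers and form fields, so the check runs offline.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
STATE_CHANGING_PATHS = {"/transfer", "/change-email"}  # assumed app routes

def issue_csrf_token(session):
    """Mint a random per-session token and keep it server-side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_check(request, session):
    """Return (allowed, reason). Applied to every authenticated request, however
    the browser authenticated (cookie, Basic/Digest Auth, client cert): the token
    is sent by the page, never attached automatically by the browser."""
    method = request["method"].upper()
    if request["path"] in STATE_CHANGING_PATHS and method not in STATE_CHANGING_METHODS:
        # Business-logic rule: no state change on GET/HEAD, or a plain link
        # or <img src> already triggers the action.
        return False, "state change via %s refused" % method
    if method not in STATE_CHANGING_METHODS:
        return True, "safe method"
    expected = session.get("csrf_token")
    supplied = (request.get("form", {}).get("csrf_token")
                or request.get("headers", {}).get("X-CSRF-Token"))
    if not expected or not supplied:
        return False, "missing token"
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return False, "token mismatch"
    return True, "token ok"

def demo():
    """Run the check over constructed requests; returns name -> (allowed, reason)."""
    session = {}
    token = issue_csrf_token(session)
    cookie = {"Cookie": "sid=abc123"}               # constructed session cookie
    basic = {"Authorization": "Basic dXNlcjpwYXNz"}  # constructed Basic Auth header
    cases = {
        "legit_post": {"method": "POST", "path": "/transfer", "headers": cookie,
                       "form": {"csrf_token": token, "to": "alice"}},
        "post_no_token_cookie": {"method": "POST", "path": "/transfer",
                                 "headers": cookie, "form": {"to": "mallory"}},
        "post_no_token_basic": {"method": "POST", "path": "/transfer",
                                "headers": basic, "form": {"to": "mallory"}},
        "get_state_change": {"method": "GET", "path": "/transfer", "headers": cookie},
        "get_read_only": {"method": "GET", "path": "/balance", "headers": basic},
    }
    return {name: csrf_check(req, session) for name, req in cases.items()}
```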