[WEB SECURITY] CSRF Exploitability?

Ray gunblad3 at gmail.com
Fri Apr 29 13:16:59 EDT 2011

In addition to what's been mentioned already by the fine folks before
this email, remember that CSRF can also be exploited within the
intranet itself: there's also the insider problem that needs to be
considered too.


On Thu, Apr 28, 2011 at 5:09 AM, Achim Hoffmann <websec10 at sic-sec.org> wrote:
> On 27.04.11 19:24, Rohit Pitke wrote:
>> Hello,
>> I always see some resistance from product teams to implement CSRF protection
>> with the argument that
>> this attack requires too many prerequisites. The user has to be logged in. Has to be
>> enticed to click on some link. Has to click on that link etc etc.
> There are a couple of myths about exploitability and proper protection of CSRF
> around. The following applies if not properly protected:
>        * CSRF is possible without XSS
>        * CSRF is not limited to GET requests
>        * CSRF is not limited to dynamic content
>        * CSRF does not (always) require GET or POST parameters
>        * CSRF can either be on same site or on another site (no SOP)
>        * CSRF does not require any active scripting in the browser
>        * CSRF is not limited to cookie-based sessions (Basic/Digest Auth. and
>          even Card-Readers can be vulnerable)
>        * idempotent actions can be vulnerable
>        * CSRF does not require clicking something
> Some of the above need proper implementation of business logic, while some
> require a proper protection mechanism. I.g. both are necessary to inhibit CSRF.
>> I know that social engineering is prevalent and enticing is not a very remote
>> possibility.
> As CSRF can often be hidden anywhere, it works without social engineering.
>> But I want to know how you guys impart the importance of CSRF among your product
>> teams?
>> Are you aware of any exploitation method other than social engineering/link
>> enticing?
>> I am interested in knowing thoughts about this and not about technical details
>> of exploitation as I am aware of them.
> Hope this helps to strengthen the threat.
> Achim
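The quoted reply above states that a proper protection mechanism is needed on top of correct business logic, that CSRF is not limited to POST, and that it needs neither a click nor scripting. As an added illustration (not code from this thread or any of its participants), here is a minimal synchronizer-token check in Python run over constructed requests. The dict-shaped request, the in-memory session store and the route names (`/transfer`, `/change-email`, `/balance`) are assumptions made for the example.

```python
import hmac
import secrets

# In-memory session store (constructed for this example): session id -> session data.
SESSIONS = {}

# Routes that change state. The token check is applied to every one of them
# regardless of HTTP method: a state-changing GET is as forgeable as a POST.
STATE_CHANGING_PATHS = {"/transfer", "/change-email"}


def create_session(user):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the server embeds in its own pages (hidden form field or JS header)."""
    return SESSIONS[sid]["csrf_token"]


def handle(request):
    """Dispatch one request and return (status, body).

    `request` is a plain dict (assumed shape) with keys:
    method, path, cookies, headers, form (form fields or query parameters).
    """
    session = SESSIONS.get(request.get("cookies", {}).get("session"))
    if session is None:
        return 401, "not authenticated"

    if request["path"] in STATE_CHANGING_PATHS:
        # The browser attaches the session cookie (or Basic/Digest credentials)
        # to any request aimed at this site, whichever origin triggered it; the
        # token is only known to pages this site served, so another origin
        # cannot supply it.
        submitted = (request.get("form", {}).get("csrf_token")
                     or request.get("headers", {}).get("X-CSRF-Token"))
        expected = session["csrf_token"]
        if not submitted or not hmac.compare_digest(submitted.encode(), expected.encode()):
            return 403, "CSRF token missing or invalid"

    return 200, f"{request['method']} {request['path']} for {session['user']}"


def run_scenarios():
    """Constructed requests: one from the site's own form, then cross-origin ones."""
    sid = create_session("alice")
    cookies = {"session": sid}  # attached by the browser to every request to the site

    scenarios = {
        # Submitted from a form the site itself rendered: token present.
        "own_form_post": {"method": "POST", "path": "/transfer", "cookies": cookies,
                          "headers": {}, "form": {"to": "bob", "csrf_token": csrf_token_for(sid)}},
        # Form auto-submitted from another origin: cookie attached, token absent.
        "cross_site_post": {"method": "POST", "path": "/transfer", "cookies": cookies,
                            "headers": {}, "form": {"to": "mallory"}},
        # Embedded resource on another origin: no click, no script, plain GET.
        "cross_site_get": {"method": "GET", "path": "/change-email", "cookies": cookies,
                           "headers": {}, "form": {"email": "mallory@example"}},
        # Token value guessed by the other origin: wrong, rejected in constant time.
        "guessed_token": {"method": "POST", "path": "/transfer", "cookies": cookies,
                          "headers": {}, "form": {"to": "mallory", "csrf_token": "0" * 43}},
        # Read-only route: no token required.
        "read_only_get": {"method": "GET", "path": "/balance", "cookies": cookies,
                          "headers": {}, "form": {}},
    }
    return {name: handle(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:16s} -> {status}")
```

The check keys on the route, not on the method, and never on how the browser authenticated, which is what makes it hold for the cookie, Basic and Digest cases in the quoted list. `hmac.compare_digest` avoids leaking the token through timing, and the 401 branch shows that an unauthenticated forged request never reaches the state-changing code at all.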
