[WEB SECURITY] CSRF Exploitability?
gunblad3 at gmail.com
Fri Apr 29 13:16:59 EDT 2011
In addition to what's been mentioned already by the fine folks before
this email, remember that CSRF can also be exploited within the
intranet itself: there's also the insider problem that needs to be
On Thu, Apr 28, 2011 at 5:09 AM, Achim Hoffmann <websec10 at sic-sec.org> wrote:
> On 27.04.11 19:24, Rohit Pitke wrote:
>> I always see some resistance from product teams to implement CSRF protection
>> with the argument that
>> This attack requires too many prerequisites. User has to be logged in. Has to be
>> enticed to click on some link. Has to click on that link etc. etc.
> There're a couple of myths about exploitability and proper protection of CSRF
> around. Following applies if not properly protected:
> * CSRF is possible without XSS
> * CSRF is not limited to GET requests
> * CSRF is not limited to dynamic content
> * CSRF does not (always) require GET or POST parameters
> * CSRF can either be on same site or on another site (no SOP)
> * CSRF does not require any active scripting in the browser
> * CSRF is not limited to cookie-based sessions (Basic/Digest Auth. and
> even Card-Readers can be vulnerable)
> * idempotent actions can be vulnerable
> * CSRF does not require clicking something
> Some of the above need proper implementation of business logic, while some
> require a proper protection mechanism. I.e. both are necessary to inhibit CSRF.
>> I know that social engineering is prevalent and enticing is not very remote
> As CSRF can often be hidden anywhere, it works without social engineering.
>> But want to know how do you guys impart importance of CSRF among your product
>> Are you aware of any exploitation method other than social engineering/link
>> I am interested in knowing thoughts about this and not about technical details
>> of exploitation as I am aware of them.
> Hope this helps to strengthen the threat.