[WEB SECURITY] CSRF Exploitability?

Ray gunblad3 at gmail.com
Fri Apr 29 13:16:59 EDT 2011


In addition to what's been mentioned already by the fine folks before
this email, remember that CSRF can also be exploited within the
intranet itself: there's also the insider problem that needs to be
considered too.

Ray.

On Thu, Apr 28, 2011 at 5:09 AM, Achim Hoffmann <websec10 at sic-sec.org> wrote:
> Am 27.04.11 19:24, schrieb Rohit Pitke:
>> Hello,
>>
>> I always see some resistance from product teams to implement CSRF protection
>> with the argument that
>> This attack requires too many prerequisites. User has to be logged in. Has to be
>> enticed to click on some link. Has to click on that link etc etc.
>
> There're a couple of myths about exploitability and proper protection of CSRF
> around. Following applies if not properly protected:
>
>        * CSRF is possible without XSS
>        * CSRF is not limited to GET requests
>        * CSRF is not limited to dynamic content
>        * CSRF does not (always) require GET or POST parameters
>        * CSRF can either be on same site or on another site (no SOP)
>        * CSRF does not require any active scripting in the browser
>        * CSRF is not limited to cookie-based sessions (Basic/Digest Auth. and
>          even Card-Readers can be vulnerable)
>        * idempotent actions can be vulnerable
>        * CSRF does not require clicking something
>
> Some of the above need proper implementation of business logic, while some
> require a proper protection mechanism. I.g. both are necessary to inhibit CSRF.
>
>> I know that social engineering is prevalent and enticing is not a very remote
>> possibility.
>
> As CSRF can often be hidden anywhere, it works without social engineering.
>
>> But want to know how do you guys impart the importance of CSRF among your product
>> teams?
>> Are you aware of any exploitation method other than social engineering/link
>> enticing?
>>
>> I am interested in knowing thoughts about this and not about technical details
>> of exploitation as I am aware of them.
>
> Hope this helps to strengthen the threat.
> Achim
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
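A minimal illustration of the "proper protection mechanism" Achim refers to, the synchronizer-token pattern, added here as an example and not taken from anyone in the thread. The names (`handle_transfer`, `SESSIONS`) and the sample requests are constructed; the point it shows is that the session cookie travels with any request aimed at the host, so only a token the foreign page cannot read, plus refusing state changes over GET, separates a legitimate submission from a forged one.

```python
import hmac
import secrets

# Constructed session store: session id -> session data
# (stands in for a real server-side session backend).
SESSIONS = {
    "sess-1": {"user": "alice", "csrf_token": secrets.token_urlsafe(32)},
}

def csrf_token_for(session_id):
    """Synchronizer token bound to a session; the server embeds it in its own forms."""
    return SESSIONS[session_id]["csrf_token"]

def handle_transfer(method, cookies, form):
    """State-changing endpoint guarded by a per-session CSRF token.

    Returns (status, message). The browser attaches the session cookie to any
    request for this host, so the cookie proves nothing about where the request
    was composed; the token, which another origin cannot read, does.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    # A state change must never be reachable via GET: an image tag or plain
    # link would trigger it with the cookie attached and no script involved.
    if method != "POST":
        return 405, "state change requires POST"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or mismatching token is rejected.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} for {session['user']}"

# Constructed requests; every one carries the logged-in user's session cookie.
COOKIE = {"session": "sess-1"}

def legitimate_request():
    # The server's own form includes the token it minted for this session.
    form = {"amount": "10", "csrf_token": csrf_token_for("sess-1")}
    return handle_transfer("POST", COOKIE, form)

def cross_site_post():
    # A form on another origin is posted with the cookie but cannot carry the token.
    return handle_transfer("POST", COOKIE, {"amount": "10"})

def cross_site_get():
    # Same cookie, but the endpoint is reached via GET.
    return handle_transfer("GET", COOKIE, {"amount": "10"})

if __name__ == "__main__":
    for req in (legitimate_request, cross_site_post, cross_site_get):
        print(req.__name__, "->", req())
```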
