Hello participants of the Mailing List.

In December 2010 I published in the list my article "Business Logic vulnerabilities via CSRF" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-December/007283.html). In this small article I told you about the possibility of stealing money via CSRF vulnerabilities and described one attack scenario (in previous years I found many such vulnerabilities that can be used with this attack scenario). But there were no real examples of such vulnerabilities in the article (I published them at that time on my site), because it was not admissible by the rules of the mailing list.

So for everyone who is interested in this topic I want to inform you that this week my new article "Business Logic vulnerabilities via CSRF" was released in the magazine PenTest Extra 01/2012 (http://pentestmag.com/pentest-extra-012012/). In the new edition of the article, in which I have made a comprehensive description of such vulnerabilities and of attacks for stealing users' money, there is a lot of new information (compared with the original article).

There are descriptions of different attack scenarios (both one-step and multi-step attacks), examples of exploits for these scenarios and examples of real CSRF vulnerabilities on e-commerce sites which allow money to be stolen from users' accounts. All examples of CSRF exploits for the article were created with my CSRF Generator. It can be used for creating PoCs and exploits during security research and security audits. This is the first announcement of my new tool CSRF Generator, which I placed on my site on the 2nd of January.

You can download a teaser of this issue of the magazine with my article (http://websecurity.com.ua/uploads/articles/PenTestExtra_01_2012_MustLive_Teaser.pdf). Unlike the official teaser of the magazine, where there is only part of the text, in my version (which was made by the magazine specially for me) there is the full text of it. So you can read the full version of the article. I hope it will be interesting for you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
... and here's a teaser on how to fix it in Java
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
-Eric
On Thu, Jan 19, 2012 at 2:25 PM, MustLive mustlive@websecurity.com.ua wrote:
The Web Security Mailing List: websecurity@lists.webappsec.org (http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org)
Hello Eric!

I have heard about OWASP CSRFGuard. And it's one of the CSRF solutions to which people can draw their attention. From reading the description of the project, it becomes clear why you are referencing it :-).

Here are the problems we have with this solution concerning the fixing of CSRF vulnerabilities:

Are you planning to make CSRFGuard cross-platform (as cross-platform as possible)? In the References section you mentioned PHP CSRF Guard, the Javascript Cross Site Request Forgery Protection Kit and .Net CSRF Guard, which are "based on CSRFGuard" (as I see from the descriptions). Because they are different projects, regardless of how much they are integrated with CSRFGuard (J2EE), it can make it harder for people to understand and deploy the solution. Anyway, the process of making CSRFGuard cross-platform has started. A small number of developers are aware of it, and this needs to be changed. I hope our conversation in the mailing list will improve the situation with awareness about it ;-). Besides, thanks to you for reminding me about CSRFGuard - it'll be a good reason for me to write an article about it.

Most developers still don't know or don't understand CSRF. So they don't care about any CSRF solutions. And the security community needs to work on it.

There can be developers for whom CSRFGuard is not appropriate. So any teasers on how to fix CSRF via external solutions are not suitable for them - they need to have their own secure code. So they require a security audit to find CSRF (and other) holes, and if they can't fix them (reliably) by themselves, then they also need a fixing service.

Best wishes & regards,
MustLive
http://soundcloud.com/mustlive
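The reply above contrasts an external library such as CSRFGuard with developers writing their own secure code. As an added example (not code from this thread, from the CSRFGuard project, or from either author), the Python sketch below shows the synchronizer-token check that such code needs on a money-moving request, beside the unprotected "before" handler: the browser attaches the session cookie to a cross-site form post automatically, so only a per-session token that the forging page cannot read separates a legitimate transfer from a forged one. The Bank, Request and Session classes, SITE_ORIGIN, the constant-time comparison and the constructed sample requests are all assumptions made for the illustration.

```python
"""Synchronizer-token CSRF protection on a state-changing request, shown
beside the unprotected handler. Constructed example; not project code."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://shop.example"  # constructed: the application's own origin


@dataclass
class Session:
    user: str
    # One unpredictable token per session; the site renders it into every form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class Bank:
    """Toy backend: a session store and account balances (hypothetical)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}  # cookie value -> Session
        self.balances: dict[str, int] = {}

    def login(self, user: str, balance: int) -> str:
        """Creates a session and returns the cookie value the browser stores."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        self.balances[user] = balance
        return sid

    def transfer(self, req: Request, check_csrf: bool = True) -> tuple[int, str]:
        """POST /transfer. With check_csrf=False this is the vulnerable handler:
        the cookie alone says nothing about which page built the request."""
        if req.method != "POST":
            return 405, "state changes only via POST"
        session = self.sessions.get(req.cookies.get("sid", ""))
        if session is None:
            return 401, "not logged in"
        if check_csrf:
            # 1. Synchronizer token: the form must carry the token that only a
            #    page served by this origin could have read. Constant-time compare.
            sent = req.form.get("csrf_token", "")
            if not hmac.compare_digest(sent, session.csrf_token):
                return 403, "missing or invalid CSRF token"
            # 2. Defence in depth: browsers send Origin on cross-site POSTs; when
            #    it is present it must be our own origin.
            origin = req.headers.get("Origin")
            if origin is not None and origin != SITE_ORIGIN:
                return 403, f"cross-site request from {origin}"
        to, amount = req.form["to"], int(req.form["amount"])
        if amount <= 0 or self.balances[session.user] < amount:
            return 400, "insufficient funds"
        self.balances[session.user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return 200, f"moved {amount} to {to}"


def demo() -> dict[str, tuple[int, int]]:
    """Runs a constructed cross-site POST against the vulnerable and the protected
    handler, then a legitimate same-site POST. Returns (status, victim balance)."""
    results: dict[str, tuple[int, int]] = {}
    for protected in (False, True):
        bank = Bank()
        sid = bank.login("victim", 100)
        # Constructed forgery: an auto-submitting form on another origin. The
        # browser adds the sid cookie, but the token is not available there.
        forged = Request("POST", {"sid": sid}, {"to": "attacker", "amount": "100"},
                         {"Origin": "https://attacker.example"})
        status, _ = bank.transfer(forged, check_csrf=protected)
        results["protected" if protected else "vulnerable"] = (status, bank.balances["victim"])
    # Legitimate request: the site's own page rendered the token into the form.
    bank = Bank()
    sid = bank.login("victim", 100)
    token = bank.sessions[sid].csrf_token
    legit = Request("POST", {"sid": sid},
                    {"to": "merchant", "amount": "40", "csrf_token": token},
                    {"Origin": SITE_ORIGIN})
    status, _ = bank.transfer(legit)
    results["legitimate"] = (status, bank.balances["victim"])
    return results


if __name__ == "__main__":
    for name, (status, balance) in demo().items():
        print(f"{name:11s} -> HTTP {status}, victim balance {balance}")
```

The token must be bound to the session and compared in constant time; the Origin check alone is not sufficient, because older clients may omit the header, which is why the token is the primary control and the origin check only a second layer.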
----- Original Message -----
From: "eric sheridan" eric.sheridan@owasp.org
To: "MustLive" mustlive@websecurity.com.ua
Cc: websecurity@lists.webappsec.org
Sent: Friday, February 10, 2012 5:13 PM
Subject: Re: [WEB SECURITY] Stealing money via CSRF
... and here's a teaser on how to fix it in Java
https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
-Eric
On Thu, Jan 19, 2012 at 2:25 PM, MustLive mustlive@websecurity.com.ua wrote: