websecurity@lists.webappsec.org

The Web Security Mailing List


Stealing money via CSRF

MustLive
Thu, Jan 19, 2012 7:25 PM

Hello, participants of the mailing list.

In December 2010 I published on the list my article Business Logic
vulnerabilities via CSRF
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-December/007283.html).
In this small article I told you about the possibility of stealing money via
CSRF vulnerabilities and described one attack scenario (in previous years I
found many such vulnerabilities that can be used with this attack scenario).
But there were no real examples of such vulnerabilities in the article
(I published them at that time on my site), because it was not admissible
under the rules of the mailing list.

So for everyone who is interested in this topic, I want to inform you that
this week my new article Business Logic vulnerabilities via CSRF was
released in the magazine PenTest Extra 01/2012
(http://pentestmag.com/pentest-extra-012012/). In the new edition of the
article, in which I've made a comprehensive description of such
vulnerabilities and attacks for stealing users' money, there is a lot of
new information (compared with the original article).

There are descriptions of different attack scenarios (both one-step and
multi-step attacks), examples of exploits for these scenarios and examples
of real CSRF vulnerabilities on e-commerce sites, which allow stealing money
from users' accounts. All examples of CSRF exploits for the article were
created with my CSRF Generator. It can be used for creating PoCs and
exploits during security research and security audits. This is the first
announcement of my new tool CSRF Generator, which I placed on my site on
the 2nd of January.

You can download a teaser of this issue of the magazine with my article
(http://websecurity.com.ua/uploads/articles/PenTestExtra_01_2012_MustLive_Teaser.pdf).
Unlike the official teaser of the magazine, where there is only part of the
text, in my version (which was made by the magazine specially for me) there
is the full text of it. So you can read the full version of the article. I
hope it will be interesting for you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

eric sheridan
Fri, Feb 10, 2012 3:13 PM

... and here's a teaser on how to fix it in Java

https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project

-Eric

On Thu, Jan 19, 2012 at 2:25 PM, MustLive <mustlive@websecurity.com.ua> wrote:

> Hello, participants of the mailing list.
>
> In December 2010 I published on the list my article Business Logic
> vulnerabilities via CSRF
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-December/007283.html).
> In this small article I told you about the possibility of stealing money via
> CSRF vulnerabilities and described one attack scenario (in previous years I
> found many such vulnerabilities that can be used with this attack scenario).
> But there were no real examples of such vulnerabilities in the article
> (I published them at that time on my site), because it was not admissible
> under the rules of the mailing list.
>
> So for everyone who is interested in this topic, I want to inform you that
> this week my new article Business Logic vulnerabilities via CSRF was
> released in the magazine PenTest Extra 01/2012
> (http://pentestmag.com/pentest-extra-012012/). In the new edition of the
> article, in which I've made a comprehensive description of such
> vulnerabilities and attacks for stealing users' money, there is a lot of
> new information (compared with the original article).
>
> There are descriptions of different attack scenarios (both one-step and
> multi-step attacks), examples of exploits for these scenarios and examples
> of real CSRF vulnerabilities on e-commerce sites, which allow stealing money
> from users' accounts. All examples of CSRF exploits for the article were
> created with my CSRF Generator. It can be used for creating PoCs and
> exploits during security research and security audits. This is the first
> announcement of my new tool CSRF Generator, which I placed on my site on
> the 2nd of January.
>
> You can download a teaser of this issue of the magazine with my article
> (http://websecurity.com.ua/uploads/articles/PenTestExtra_01_2012_MustLive_Teaser.pdf).
> Unlike the official teaser of the magazine, where there is only part of the
> text, in my version (which was made by the magazine specially for me) there
> is the full text of it. So you can read the full version of the article. I
> hope it will be interesting for you.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

MustLive
Sun, Feb 19, 2012 9:55 PM

Hello Eric!

I've heard about OWASP CSRFGuard. And it's one of the CSRF solutions to which
people can draw their attention. From reading the description of the
project, it becomes clear why you are referencing it :-).

What problems do we have with this solution concerning the fixing of CSRF
vulnerabilities:

  1. As you've mentioned, CSRFGuard is for Java only. Developers on other
     platforms can't use it.

Are you planning to make CSRFGuard cross-platform (as cross-platform as
possible)? In the Reference section you mentioned PHP CSRF Guard,
Javascript Cross Site Request Forgery Protection Kit and .Net CSRF Guard,
which are "based on CSRFGuard" (as I see from the descriptions). Because
these are different projects, regardless of how much they are integrated with
CSRFGuard (J2EE), it can make it harder for people to understand and deploy
the solution. Anyway, the process of cross-platforming CSRFGuard has started.

  2. Awareness about CSRFGuard.

A small number of developers are aware of it, and this needs to be changed. I
hope our conversation in the mailing list will improve the situation with
awareness about it ;-). Besides, thanks to you reminding me about
CSRFGuard - it'll be a good reason for me to write an article about it.

  3. Awareness about CSRF.

Most developers still don't know or don't understand CSRF. So they don't
care about any CSRF solutions. And the security community needs to work on
it.

  4. Developers don't want to use external code or they don't like to use
     3rd-party anti-CSRF libraries.

There can be such developers, for whom CSRFGuard is not appropriate. So any
teasers on how to fix CSRF via external solutions are not suitable for
them - they need to have their own secure code. So they require a security
audit to find CSRF (and other) holes, and if they can't fix them (and
reliably) by themselves, then they also need a fixing service.

  5. Fixing CSRF holes will not solve Business Logic vulnerabilities until
     they are fixed by themselves. Otherwise attacks will come from other
     vectors and money will be stolen in any case.

Best wishes & regards,
MustLive
http://soundcloud.com/mustlive

----- Original Message -----
From: "eric sheridan" <eric.sheridan@owasp.org>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <websecurity@lists.webappsec.org>
Sent: Friday, February 10, 2012 5:13 PM
Subject: Re: [WEB SECURITY] Stealing money via CSRF

> ... and here's a teaser on how to fix it in Java
>
> https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project
>
> -Eric
>
> On Thu, Jan 19, 2012 at 2:25 PM, MustLive <mustlive@websecurity.com.ua>
> wrote:
>> Hello, participants of the mailing list.
>>
>> In December 2010 I published on the list my article Business Logic
>> vulnerabilities via CSRF
>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-December/007283.html).
>> In this small article I told you about the possibility of stealing money via
>> CSRF vulnerabilities and described one attack scenario (in previous years I
>> found many such vulnerabilities that can be used with this attack scenario).
>> But there were no real examples of such vulnerabilities in the article
>> (I published them at that time on my site), because it was not admissible
>> under the rules of the mailing list.
>>
>> So for everyone who is interested in this topic, I want to inform you that
>> this week my new article Business Logic vulnerabilities via CSRF was
>> released in the magazine PenTest Extra 01/2012
>> (http://pentestmag.com/pentest-extra-012012/). In the new edition of the
>> article, in which I've made a comprehensive description of such
>> vulnerabilities and attacks for stealing users' money, there is a lot of
>> new information (compared with the original article).
>>
>> There are descriptions of different attack scenarios (both one-step and
>> multi-step attacks), examples of exploits for these scenarios and examples
>> of real CSRF vulnerabilities on e-commerce sites, which allow stealing money
>> from users' accounts. All examples of CSRF exploits for the article were
>> created with my CSRF Generator. It can be used for creating PoCs and
>> exploits during security research and security audits. This is the first
>> announcement of my new tool CSRF Generator, which I placed on my site on
>> the 2nd of January.
>>
>> You can download a teaser of this issue of the magazine with my article
>> (http://websecurity.com.ua/uploads/articles/PenTestExtra_01_2012_MustLive_Teaser.pdf).
>> Unlike the official teaser of the magazine, where there is only part of the
>> text, in my version (which was made by the magazine specially for me) there
>> is the full text of it. So you can read the full version of the article. I
>> hope it will be interesting for you.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua

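The two points this reply raises, developers writing their own anti-CSRF check (point 4) and the business-logic checks that a CSRF fix alone does not cover (point 5), as an added example that is not part of the thread and not CSRFGuard's code; Session, Request and the transfer handler are hypothetical stand-ins for a web framework, and the constructed requests model a form posted from the site's own page versus one auto-submitted from another origin:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session resolved from the cookie the browser sends."""
    user: str
    balance: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (hypothetical, not a real framework)."""
    method: str
    form: dict
    session: Optional[Session]  # the cookie is attached even to cross-site form posts


def csrf_check(req: Request) -> bool:
    """Synchronizer-token check: the token is rendered into the site's own form,
    so a page on another origin cannot read it; a forged POST carries the cookie
    but no matching token. compare_digest keeps the comparison constant-time."""
    if req.session is None:
        return False
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted, req.session.csrf_token)


def transfer(req: Request) -> tuple:
    """Money-transfer handler: CSRF check first, then the business-logic checks
    that an anti-CSRF library on its own does not provide."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not csrf_check(req):
        return 403, "missing or invalid CSRF token"
    try:
        amount = int(req.form["amount"])
    except (KeyError, ValueError):
        return 400, "amount missing or not an integer"
    # Business logic: a negative amount would move money *into* the caller's
    # account, and more than the balance would overdraw it.
    if amount <= 0 or amount > req.session.balance:
        return 400, "invalid amount"
    req.session.balance -= amount
    return 200, f"sent {amount} to {req.form.get('to', '?')}"


def legit_request(session: Session, amount: int) -> Request:
    """Form submitted from the site's own page, so it carries the session token."""
    return Request("POST", {"to": "merchant", "amount": str(amount),
                            "csrf_token": session.csrf_token}, session)


def cross_site_request(session: Session) -> Request:
    """Form auto-submitted from another origin: cookie present, token absent."""
    return Request("POST", {"to": "other", "amount": "100"}, session)
```

Calling transfer on cross_site_request yields 403 and leaves the balance untouched, while legit_request with a negative or oversized amount passes the CSRF check and is stopped only by the separate business-logic validation.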