There's been a lot of talk lately about the 'new' Cross Site Request Forgery (CSRF) vulnerabilities that are apparently present in nearly every web application in the world. The fact that big name websites (read: yahoo & google) have this vulnerability makes people even more scared.
If you rewind back a couple of years, Cross Site Scripting (XSS) was supposedly all the rage, but people weren't getting nearly as concerned about that vulnerability. In fact, to this day many people don't take XSS seriously. This baffles me to no end, because XSS is, at the very least, as exploitable and dangerous as CSRF.
A successful XSS exploit requires the following:
1. XSS vulnerability existing on the application (preferably before login).
2. A method to induce the execution of a script (eg. phishing email).
3. An effective script to steal user information.
The requirements for a CSRF exploit are in fact more stringent:
1. A form that is vulnerable to CSRF.
2. A method to induce execution of the request.
3. A successful form submission method.
4. A vulnerable form that provides an attacker with a useful attack vector.
5. Access to the form (since forms often exist after login).
These last two requirements are what make CSRF attacks more challenging. Most useful forms, like account transactions, shopping cart checkouts and change password/email forms, exist only after a user has logged in to an account. So to perform an attack on these types of forms, the attacker must know that the victim is logged into the application. This is a challenging certainty to induce! In fact, I think that the only common form outside of a login that is susceptible is a 'forgot password' type form, where an attacker could potentially lock out users.
While I do believe that CSRF attacks can be very, very harmful, I just think that they are harder to actually exploit, and web application owners have to be wary about what the form does and where it is located before declaring that their application is truly vulnerable to CSRF. Security professionals just need to be a little more careful before they get caught up in the hype.
- Prashanth Ravishankar
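The post's fifth requirement (the victim must already be logged in, so the browser attaches the session cookie) is exactly what a server-side anti-CSRF check has to break. As an added example that is not part of the original post, here is a minimal synchronizer-token check for a change-password form: the token is bound to the session with an HMAC, so a cross-site request that rides on the cookie alone, or reuses a token from another session, is rejected. The handler, request shape, `SECRET_KEY` and `https://app.example` origin are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real app would load it with its other secrets.
SECRET_KEY = secrets.token_bytes(32)
APP_ORIGIN = "https://app.example"  # assumed origin of the application


def issue_csrf_token(session_id):
    """Synchronizer token bound to one session: nonce.HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """True only if the token was issued for this session; constant-time compare."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_change_password(request, sessions):
    """Hypothetical handler. request = {method, cookies, headers, form}; returns (status, message)."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    sid = request.get("cookies", {}).get("sid")
    if sid not in sessions:
        return 401, "login required"  # the form only exists after login, as the post notes
    # Browsers send Origin on cross-site POSTs; reject it when present and foreign.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "cross-site origin"
    form = request.get("form", {})
    # The attacker's page can make the browser send the cookie, but cannot read the token.
    if not verify_csrf_token(sid, form.get("csrf_token")):
        return 403, "missing or invalid csrf token"
    new_password = form.get("new_password")
    if not new_password:
        return 400, "new password required"
    sessions[sid]["password"] = new_password
    return 200, "password changed"
```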
Hi blog owner,
So just wanna say XSS is absolutely shit. No, really. If right now be before 07 times so yeah, but this focus so not actually...
Posted by: Viagra Online | November 24, 2009 at 10:44 AM
I had heard about XSS and CSRF, and I think that both are dangerous. People should be careful with 'cause what they do is to betray people or cheat them. By the way thanks for letting me know about this.
Posted by: Generic Viagra | November 02, 2010 at 11:57 AM
I didn't know that sites like yahoo or google had some problems with vulnerabilities before. Probably one thing that everybody doesn't know is that sites like those are in a war against hackers every day to prevent leaks of information.
Posted by: Sildenafil Citrate | November 03, 2010 at 12:51 PM
This information is great, I didn't know about XSS or CSRF systems. But I think that these systems are only to cheat people and win money for themselves.
Posted by: Generic Viagra | November 04, 2010 at 10:04 AM
Wow, this is really more complex than what I had thought! I was just looking for a little bit of information or a definition of what CSRF is, because I have it on my exam and I have no idea what that is!
Posted by: Generic Viagra | November 04, 2010 at 11:40 AM