Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website. The mechanics are simple: a page the attacker controls makes the victim's browser send a request to a site where the victim is already logged in, the browser attaches the victim's cookies automatically, and the site processes the request as if the victim had made it. The issue is so pervasive, and so fundamental to the way the Web is designed to function, that we've had a difficult time even reporting it as a "vulnerability". That is also a main reason why CSRF does not appear on the Web Security Threat Classification or the OWASP Top 10. Times are changing, and it's only a matter of time before CSRF hacks its way into the mainstream consciousness. Chris Shiflett (principal of OmniTI) and I were speaking about this today and how best to convey the issue's importance. CSRF may in fact represent an industry challenge far exceeding that of Cross-Site Scripting (XSS).
Dare we speak of The Dangers of Cross-Domain Ajax with Flash?
Volume- Nearly every state-changing feature on every website (anything a logged-in user can do by submitting a form or clicking a link) is vulnerable to CSRF. When/if we begin reporting CSRF issues, it's going to be on the order of dozens per website, thousands when counting open source and commercial web applications (look out Bugtraq), and millions on a Web-wide scale.
Identification- Finding CSRF is very difficult to automate with current scanning technology and by and large must be performed manually. A scanner can spot a form that carries no unpredictable hidden value, but deciding whether the request actually changes state, and whether the server checks anything a cross-site page could not supply, still takes a human. Therefore what would be considered a comprehensive vulnerability assessment becomes more time consuming and expensive.
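To make the identification problem concrete, here is an added example (not code from the original post) of the kind of heuristic a scanner can apply: parse every form on a page and flag POST forms that carry no hidden field resembling an anti-CSRF token. The sample HTML, the token-name pattern and the minimum token length are all assumptions made for this illustration.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (not from the original post): an account-settings page
# with two state-changing POST forms, only one of which carries a hidden token.
SAMPLE_HTML = """
<form method="post" action="/account/email">
  <input type="text" name="email">
  <input type="submit" value="Save">
</form>
<form method="POST" action="/account/password">
  <input type="hidden" name="csrf_token" value="5f1e9c0b7a3d4e2f8b6c1a0d9e8f7c6b">
  <input type="password" name="new_password">
  <input type="submit" value="Change">
</form>
<form method="get" action="/search">
  <input type="text" name="q">
</form>
"""

# Hidden-field names that commonly carry an anti-CSRF value (a heuristic, not a standard).
TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce", re.I)
MIN_TOKEN_LEN = 16  # assumed threshold: shorter values are unlikely to be unpredictable


class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and <input> attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes come through as None
        if tag == "form":
            self._current = {
                "method": a.get("method", "get").lower(),
                "action": a.get("action", ""),
                "inputs": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def has_anti_csrf_field(form):
    """True if the form carries a hidden input that looks like an anti-CSRF token."""
    for inp in form["inputs"]:
        if inp.get("type", "text").lower() != "hidden":
            continue
        if TOKEN_NAME.search(inp.get("name", "")) and len(inp.get("value", "")) >= MIN_TOKEN_LEN:
            return True
    return False


def flag_suspect_forms(page_html):
    """Return the actions of POST forms that have no token-like hidden field.

    Every action returned still needs a manual check: the scanner cannot tell whether
    the server verifies the token it sees, nor whether a GET form (skipped here) changes state.
    """
    collector = FormCollector()
    collector.feed(page_html)
    return [f["action"] for f in collector.forms
            if f["method"] == "post" and not has_anti_csrf_field(f)]


if __name__ == "__main__":
    for action in flag_suspect_forms(SAMPLE_HTML):
        print("POST form without an anti-CSRF token:", action)
```

Run against the sample page this flags only /account/email. The two gaps that keep this a manual job are visible in the code: a form that does carry a hidden token is passed even though nothing here proves the server compares it to anything, and GET forms are skipped even though plenty of sites change state on GET.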
Hard to Solve- This is the really bad part about CSRF: it's much more difficult to fix, relative to the one- or two-line fixes we're used to with XSS or SQL Injection. CSRF solutions may require CAPTCHAs (blech), session tokens (an unpredictable value bound to the user's session, embedded in each form and checked on every submission), flow control, etc. These are solutions requiring many more lines of code, where a proper implementation is harder to get right. Imagine having to inform a developer they're going to have to put CAPTCHAs or session tokens on every one of their hundred forms. Ugh.
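The session-token approach mentioned above, as an added example that is not part of the original post: a cookie-only handler beside the same handler with a synchronizer token check, and a simulated cross-site POST against each. The in-memory session store, the handler signatures and the field name csrf_token are assumptions made for this illustration, standing in for whatever framework the real site uses.

```python
import hmac
import re
import secrets

# Constructed in-memory session store standing in for a real server's (example only).
SESSIONS = {}


def login(user):
    """Create a session and mint one unpredictable anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": f"{user}@example.com"}
    return sid


def render_email_form(sid):
    """Embed the session's token in the form; a page on another origin cannot read it."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="post" action="/account/email">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="text" name="email"></form>')


def change_email_vulnerable(cookies, form):
    """Trusts the session cookie alone, so any cross-site POST the browser sends succeeds."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    session["email"] = form["email"]
    return 200


def change_email_hardened(cookies, form):
    """Synchronizer token pattern: the submitted token must match the one in the session."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; compare bytes so odd input cannot raise a TypeError.
    if not hmac.compare_digest(submitted.encode("utf-8"), session["csrf"].encode("utf-8")):
        return 403
    session["email"] = form["email"]
    return 200


def simulate_forged_post(handler):
    """An attacker-controlled page auto-submits a form to the victim's site.

    The browser attaches the victim's cookie, but the attacker never saw the token.
    Returns (HTTP status, e-mail address now stored for the victim).
    """
    sid = login("victim")
    status = handler({"sid": sid}, {"email": "attacker@example.net"})
    return status, SESSIONS[sid]["email"]


def simulate_legitimate_post(handler):
    """The real user loads the form and submits it with the token the page rendered."""
    sid = login("alice")
    token = re.search(r'name="csrf_token" value="([^"]+)"', render_email_form(sid)).group(1)
    status = handler({"sid": sid}, {"csrf_token": token, "email": "alice@example.org"})
    return status, SESSIONS[sid]["email"]


if __name__ == "__main__":
    print("forged, vulnerable handler:", simulate_forged_post(change_email_vulnerable))
    print("forged, hardened handler:  ", simulate_forged_post(change_email_hardened))
    print("legitimate, hardened:      ", simulate_legitimate_post(change_email_hardened))
```

The forged request succeeds against the cookie-only handler and is refused by the hardened one, while the legitimate submission passes both. The cost the post describes is in the last function: every state-changing handler has to make that comparison, and every form that posts to it has to render the token. Two caveats worth keeping in mind: the token must be unpredictable and compared in constant time, and an XSS flaw on the same origin can read the token out of the page, so this defense assumes the XSS problems are fixed too.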
Where we go from here
We are looking ahead to a serious and wide-reaching, yet-to-be-exploited vulnerability which the bad guys will eventually figure out how to monetize, and our solutions are sorely lacking. For those in the industry who want to make a significant difference, THE FIELD IS WIDE OPEN. We need generic and innovative technology solutions for both CSRF identification and defense.