My RSA 2008 presentation on Cross-Site Request Forgery, “The Sleeping Giant of Website Vulnerabilities”, attracted a nice-sized crowd. Somewhere around 200-300 people packed the room, all eager to learn about this strange new CSRF thing they had only recently heard of. My goal was to explain what CSRF means to them personally and as website owners or developers. For those just starting out, CSRF can easily sound like FUD, but fortunately once it clicks, everyone gets the potential impact immediately, especially when shown the right examples. That’s key.
For those already in the know, the best guess is that CSRF is at least as prevalent as XSS, statistically the most widespread vulnerability we’re currently aware of. It’s also just as dangerous (or more so), extremely difficult to scan for (so we don't really know how bad it is out there), painful and time consuming to fix, and, wouldn’t you know it, every CSRF defense can be bypassed by an XSS exploit on the same site, since script running in the site’s own origin can read whatever secret token or page state the defense relies on. My challenge was making the presentation informative and easy to follow for the newly initiated, who represented 90% of the audience, yet compelling enough to keep the deep technical folks engaged. A tough balancing act.
I started off with a basic CSRF bank transfer example, moved on to some Amazon 1-click scamming, Google Search History fun, and Gmail email theft, followed by intranet and printer hacking (plus the DNS-pharming attacks found in the wild), then showed how XSS can be used to bypass CSRF protections using the Samy worm as a case study, and finally tossed in a little theoretical CSRF click-a-link-go-to-jail for good measure. The flow felt solid, but I plan to make some adjustments. There were several occasions of pin-drop audience silence where I had to stop and ask whether people were “getting it” or were simply scared by what they saw. From what I gathered it was the latter, because the hacks all seemed too easy, and they really are.
Judging from the 15 minutes of questions at the end, the dozens of people who came up afterwards, not to mention the many people voicing their appreciation on the expo show floor, I’d say the presentation was a success. What more could a speaker hope for?
Over the next 12 months it’s going to be really important that industry experts keep spreading the word about CSRF. For those who couldn’t make it to RSA or the presentation, here are my CSRF slides, complete with references. Thank you to everyone reading who was able to attend, and I’ll see you next year!