Monday, September 29, 2008

New CSRF paper with vulnerability disclosure

Ed Felten and Bill Zeller recently released a very well-written paper about Cross-Site Request Forgery (CSRF), including some real-world vulnerability examples from ING Direct, YouTube, MetaFilter, and The New York Times. As you all know so well, CSRF vulnerabilities are easy find when you just decide to look on basically any website. Don't expect any ground breaking research per-say, but the papers content is really helpful to those unfamiliar with CSRF (and that's still a lot people - especially developers). Ed and Bill also did some work on a potential client-side solution, like LocalRodeo I think, which I hope to find time to investigate further. We need as many smart people as we can trying to solve this problem in creative ways. CSRF certainly isn't going to go away anytime soon.

5 comments:

Matt Presson said...

One product that appears to be promising, at least for Java developers, is hDiv - http://www.hdiv.org/. It also has a lot of other features that some may find interesting depending on the type of information they are processing.

Rafal Los said...

I can't believe there are still SO MANY CSRF vulnerabilities out there in the wild. Every time I'm in front of a group of developers they seem to think that CSRF is an attack reserved for the movies or hacker stories told around camp fires.

Education, education, education. We can't stress this enough. XSS + CSRF = disaster... it's not going to get any less nasty.

Anonymous said...

banking.senate.gov/public/index.cfm?Fuseaction=Hearings.Detail&HearingID=7a41ae9e-30b2-4d7f-8f1b-4ef2e8ae28f7

Anonymous said...

I dont understand what`s so promising in hDiv?.Although i had to use it a couple of times i tend to do iit as less times i can.

FREE USA Opt-In Email Leads List Sample State IDAHO - Page 1

Lunitic said...

Great article and nice breakdown. I can stop trying to re-invent the wheel I see.