CEO of Bit Discovery, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, Off-Road Race Car Driver, Founder of WhiteHat Security, and Maui resident.
Monday, September 29, 2008
New CSRF paper with vulnerability disclosure
Ed Felten and Bill Zeller recently released a very well-written paper about Cross-Site Request Forgery (CSRF), including some real-world vulnerability examples from ING Direct, YouTube, MetaFilter, and The New York Times. As you all know so well, CSRF vulnerabilities are easy to find when you just decide to look on basically any website. Don't expect any groundbreaking research per se, but the paper's content is really helpful to those unfamiliar with CSRF (and that's still a lot of people - especially developers). Ed and Bill also did some work on a potential client-side solution, similar to LocalRodeo I think, which I hope to find time to investigate further. We need as many smart people as we can get trying to solve this problem in creative ways. CSRF certainly isn't going to go away anytime soon.
Posted by Jeremiah Grossman at 1:26 PM
One product that appears to be promising, at least for Java developers, is hDiv - http://www.hdiv.org/. It also has a lot of other features that some may find interesting depending on the type of information they are processing.
I can't believe there are still SO MANY CSRF vulnerabilities out there in the wild. Every time I'm in front of a group of developers they seem to think that CSRF is an attack reserved for the movies or hacker stories told around camp fires.
Education, education, education. We can't stress this enough. XSS + CSRF = disaster... it's not going to get any less nasty.
I don't understand what's so promising in hDiv? Although I had to use it a couple of times, I tend to do it as few times as I can.
Great article and nice breakdown. I can stop trying to re-invent the wheel I see.