Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/17/2006
08:35 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

CSRF Vulnerability: A 'Sleeping Giant'

A mostly unknown Web vulnerability called Cross-Site Request Forgery could be the next attack vector on your Website

If you think Cross-Site Scripting (XSS) is scary and prolific, just wait for the next big Website threat: Cross-Site Request Forgery (CSRF).

The CSRF vulnerability lies in most every Website, but it has remained mostly under the radar for nearly a decade -- it's not even included in the Web Security Threat Classification, OWASP Top 10 or Mitre Corp.'s Common Vulnerability and Exposures (CVE) list. (See Hackers Reveal Vulnerable Websites, Cross-Site Scripting: Attackers' New Favorite Flaw, and Two Vendors Deny XSS Flaws ).

But security researchers say it's only a matter of time before someone awakens the "sleeping giant" and does some major damage with it -- like wiping out a user's bank account or booking a flight on behalf of a user without his knowledge.

"There are simply too many [CSRF-vulnerable Websites] to count," says rsnake, founder of ha.ckers.org. "The sites that are more likely to be attacked are community websites or sites that have high dollar value accounts associated with them -- banks, bill pay services, etc."

Other experts agree. "It's not seen as a vulnerability because it works like the Web works. That's the problem," says Jeremiah Grossman, a researcher and CTO of WhiteHat Security , who calls CSRF "the sleeping giant" vulnerability.

"The security community will be forced to deal with this...it's serious," Grossman says.

CSRF isn't new -- it's been part and parcel of Websites for at least a decade. Perhaps the most famous CSRF attack was the Samy worm on MySpace, which blended a deadly cocktail of XSS and CSRF that eventually took down the site. But researchers worry that it will be the next approach vector for hackers looking for new ways to attack Web applications.

And there are signs that CSRF may already have been reawakened from its slumber. One researcher recently released proof-of-concept code for CSRF attacks against Netflix's Website that can add movies to a user's rental queue, change the name and address on their account, or cancel their account.

CSRF works like this: An attacker identifies a URL on a Website -- such as Netflix or a bank -- that initiates typical Web functions such as making a purchase, changing an email address or transferring funds. "The attacker takes that URL and loads it to a Web page they control," White Hat's Grossman says.

The actual attack occurs when the user visits the attacker-controlled Web page via a legit link, which forces the browser -- using legitimate, authenticated cookies -- to make malicious requests. The user has no clue as to what's happening.

And the catch is that neither the original Website nor the user's computer is necessarily compromised, Grossman says.

One way to stay safe is to keep clearing cookies or ensure you're properly logged off to all sites before you visit another, Grossman says. "The more sites you visit, the more your risk increases" with CSRF, he says.

CSRF is tougher to repair than XSS and SQL injection vulnerabilities. Cleaning it up would require recoding Web apps, including each form and feature on a site, security experts say. And when combined with XSS, it's especially deadly, so you should fix your XSS vulnerabilities first.

Once you've eliminated the XSS flaws, you can use either one-time tokens generated by your Web server or the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) challenge-response tool to combat CSRF.

Tokens, also known as nonces, are susceptible to XSS, so that's one reason to eliminate XSS first, says rsnake.

Grossman says he expects attackers to perform these attacks using both XSS and CSRF vulnerabilities.

So will the sla.ckers.org group of hackers, which has exposed XSS vulnerabilities on many major Websites, take on CSRF next?

"It's possible," sla.ckers.org founder rsnake says. "However, as it requires account access with the companies in question, it is substantially more involved to test for in large scale [than] XSS, which rarely requires a username/password. Unfortunately, this is an attack that is reserved for the more determined attacker, rather than the casual researcher."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18387
PUBLISHED: 2019-10-23
Sourcecodester Hotel and Lodge Management System 1.0 is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the id parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details.
CVE-2019-18212
PUBLISHED: 2019-10-23
XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
CVE-2019-18213
PUBLISHED: 2019-10-23
XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows XXE via a crafted XML document, with resultant SSRF (as well as SMB connection initiation that can lead to NetNTLM challenge/response cap...
CVE-2019-18384
PUBLISHED: 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An authenticated remote non-administrative user can read unauthorized shared files, as demonstrated by the filename=*public*%25252Fadmin_OnlyRead.txt substring.
CVE-2019-18385
PUBLISHED: 2019-10-23
An issue was discovered on TerraMaster FS-210 4.0.19 devices. An unauthenticated attacker can download log files via the include/makecvs.php?Event= substring.