Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/17/2006
08:35 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

CSRF Vulnerability: A 'Sleeping Giant'

A mostly unknown Web vulnerability called Cross-Site Request Forgery could be the next attack vector on your Website

If you think Cross-Site Scripting (XSS) is scary and prolific, just wait for the next big Website threat: Cross-Site Request Forgery (CSRF).

The CSRF vulnerability lies in most every Website, but it has remained mostly under the radar for nearly a decade -- it's not even included in the Web Security Threat Classification, OWASP Top 10 or Mitre Corp.'s Common Vulnerability and Exposures (CVE) list. (See Hackers Reveal Vulnerable Websites, Cross-Site Scripting: Attackers' New Favorite Flaw, and Two Vendors Deny XSS Flaws ).

But security researchers say it's only a matter of time before someone awakens the "sleeping giant" and does some major damage with it -- like wiping out a user's bank account or booking a flight on behalf of a user without his knowledge.

"There are simply too many [CSRF-vulnerable Websites] to count," says rsnake, founder of ha.ckers.org. "The sites that are more likely to be attacked are community websites or sites that have high dollar value accounts associated with them -- banks, bill pay services, etc."

Other experts agree. "It's not seen as a vulnerability because it works like the Web works. That's the problem," says Jeremiah Grossman, a researcher and CTO of WhiteHat Security , who calls CSRF "the sleeping giant" vulnerability.

"The security community will be forced to deal with this...it's serious," Grossman says.

CSRF isn't new -- it's been part and parcel of Websites for at least a decade. Perhaps the most famous CSRF attack was the Samy worm on MySpace, which blended a deadly cocktail of XSS and CSRF that eventually took down the site. But researchers worry that it will be the next approach vector for hackers looking for new ways to attack Web applications.

And there are signs that CSRF may already have been reawakened from its slumber. One researcher recently released proof-of-concept code for CSRF attacks against Netflix's Website that can add movies to a user's rental queue, change the name and address on their account, or cancel their account.

CSRF works like this: An attacker identifies a URL on a Website -- such as Netflix or a bank -- that initiates typical Web functions such as making a purchase, changing an email address or transferring funds. "The attacker takes that URL and loads it to a Web page they control," White Hat's Grossman says.

The actual attack occurs when the user visits the attacker-controlled Web page via a legit link, which forces the browser -- using legitimate, authenticated cookies -- to make malicious requests. The user has no clue as to what's happening.

And the catch is that neither the original Website nor the user's computer is necessarily compromised, Grossman says.

One way to stay safe is to keep clearing cookies or ensure you're properly logged off to all sites before you visit another, Grossman says. "The more sites you visit, the more your risk increases" with CSRF, he says.

CSRF is tougher to repair than XSS and SQL injection vulnerabilities. Cleaning it up would require recoding Web apps, including each form and feature on a site, security experts say. And when combined with XSS, it's especially deadly, so you should fix your XSS vulnerabilities first.

Once you've eliminated the XSS flaws, you can use either one-time tokens generated by your Web server or the CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) challenge-response tool to combat CSRF.

Tokens, also known as nonces, are susceptible to XSS, so that's one reason to eliminate XSS first, says rsnake.

Grossman says he expects attackers to perform these attacks using both XSS and CSRF vulnerabilities.

So will the sla.ckers.org group of hackers, which has exposed XSS vulnerabilities on many major Websites, take on CSRF next?

"It's possible," sla.ckers.org founder rsnake says. "However, as it requires account access with the companies in question, it is substantially more involved to test for in large scale [than] XSS, which rarely requires a username/password. Unfortunately, this is an attack that is reserved for the more determined attacker, rather than the casual researcher."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...