Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/20/2007
07:19 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool Eases CSRF Bug Discovery

Tool will show how widespread CSRF bugs are in Websites, researchers say

If you think Cross-Site Request Forgery (CSRF) vulnerabilities aren't easy to find or exploit on your Website, think again. A researcher has released a tool that makes it easier to test sites for CSRF vulnerabilities -- and find out how prevalent the emerging bugs really are.

The online tool lets you use the HTTP "post" request to check for CSRF bugs. Chris Shiflet, principal with OmniTI and creator of the newly released CSRF Redirector tool, says there's a misconception among Web developers that testing for CSRF bugs with a "post" request is more difficult or inconvenient, so CSRF attacks using "post" aren't as common as those using an HTTP "get" request.

"I think this can help highlight how easily CSRF vulnerabilities can be exploited, even when the forged request must be a 'post' request," Shiflet says. "Often, inconvenience is considered a safeguard" for a site, but that's not really the case.

It's easier to test for CSRF bugs with a "get" request because visiting a URL initiates such a request, while a "post" requires the tester to build an HTML form, Shiflet says. "So any bug that can be exploited with 'get' is easy to test for," he says. "It's marginally less convenient with 'post,' so this [tool] is trying to remove that slight barrier of inconvenience."

CSRF worries Web researchers because it can potentially cause serious damage to Websites and enterprises. (See CSRF Bug Runs Rampant, Eight Vulnerabilities You May Have Missed, and CSRF Vulnerability: A 'Sleeping Giant'.)

"For some reason, CSRF seems to be hovering just below the radar of most Web developers," Shiflet says. "And in my experience [so far], it seems to be exploited far less [than XSS] as well."

To see how much interest hackers have in CSRF, Shiflet even purposely placed a CSRF bug on his personal Website and then mentioned it in his blog. Yet, only once has someone tried to exploit it, he says. "I get cross-site scripting-related attack [attempts] in the hundreds a day... I find that very interesting. There are far fewer attempts on CSRF."

He thinks it's more of an awareness issue, rather than a complexity issue, since XSS is more widely known and understood than CSRF. "Exploiting CSRF is equally as easy as cross-site scripting."

"This doesn't change the exploitability of the attack vector much -- certainly, people were able to do this before, and will continue to be able to do this without the tool," says RSnake, a.k.a. Robert Hansen, CEO at SecTheory LLC. "However, what it does provide is the ability for researchers to quickly prototype examples to demonstrate the problem."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SecTheory LLC
  • OmniTI Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-8015
    PUBLISHED: 2020-04-02
    A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.
    CVE-2020-1927
    PUBLISHED: 2020-04-02
    In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
    CVE-2020-8144
    PUBLISHED: 2020-04-01
    The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
    CVE-2020-8145
    PUBLISHED: 2020-04-01
    The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...
    CVE-2020-8146
    PUBLISHED: 2020-04-01
    In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privileges Escalation to SYSTEM from arbitrary file deletion and DLL hijack vulnerabilities. The issue was fixed by adjusting the .tsExport folder when the controller is running on Windows and adjusting the SafeDllSearchMode in the win...