Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables, and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
automated detection of csrf
Posted by: ntp
Date: May 15, 2007 09:55PM

I'm trying to get my head around what Andrew Van Der Stock (head of OWASP) is trying to say here:

http://www.greebo.net/?p=413

Re: automated detection of csrf
Posted by: rsnake
Date: July 12, 2007 06:05PM

He's just explaining how CSRF can be detected by robots. You input some data, see if anything changed once you did. Then it's a function of some sort. Then you try to exploit it by getting someone else to do it for you with their credentials. Poof, CSRF in a can.

- RSnake
Gotta love it. http://ha.ckers.org

Re: automated detection of csrf
Posted by: Anonymous User
Date: July 13, 2007 05:54PM

Thing is, how is it implemented again? Because if I reference two iframes to a website, and the user is on that site also, I could make legitimate requests regardless of whether they are detecting a change in sessions or data, for that matter. In the end they only lock out the good guys with it.

So detection is really, really tough. Think => CAPTCHA and you know what I mean when I say tough these days.

Instead of detecting it, make sure it cannot happen. There are a lot of ways to do that:

- design a cross/same-domain policy for your domain (Apache, Flash)
- jump out of frames/iframes with JavaScript
- create unique identifiers based upon IP info
- create secure tokens (very secure: they must be able to withstand brute-forcing)
- create a user profile and store it in a session
- be sure to ask for a password on EVERY important change in data, like modifying the password, email etc.

Re: automated detection of csrf
Posted by: blad3
Date: July 15, 2007 02:15AM

It's not possible to reliably detect CSRF automatically.

------------------
http://www.itnoise.com

Re: automated detection of csrf
Posted by: wck
Date: July 17, 2007 03:36PM

>It's not possible to reliably detect CSRF automatically.

Yeah, it's not easy to reliably detect CSRF, but that doesn't mean you couldn't do some fuzzing and automatic flagging of potential CSRF. I think that this would be most useful against sites using RPC that returns JSON, especially if the fuzzer could analyze the response to see if it's usable JSON.

There's a good blog post on what responses are vulnerable here: http://jpsykes.com/47/practical-csrf-and-json-security

Re: automated detection of csrf
Posted by: blad3
Date: July 18, 2007 01:04AM

Thanks for link wck. Very interesting reading.

------------------
http://www.itnoise.com

Re: automated detection of csrf
Posted by: Anonymous User
Date: July 19, 2007 12:21AM

What's up with detecting stuff lately? Why not prevent it or just block it? If you only detect it, you are already too late. An IDS without an IPS is useless, and certainly with such CSRF practice.

Re: automated detection of csrf
Posted by: rsnake
Date: December 10, 2007 09:19AM

@blad3 - OWASP is trying to detect CSRF automatically: http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project

Re: automated detection of csrf
Posted by: Anonymous User
Date: December 10, 2007 09:30AM

Why detect when mitigation is possible too? Also, the tool can be patched to send out mails for suspicious requests (highly recommended when using it for the first time on a live app).

http://code.google.com/p/csrfx/

Greetings,
.mario

Re: automated detection of csrf
Posted by: rsnake
Date: December 10, 2007 09:32AM

Oh - I wasn't giving my moral opinion of the project, just informing people that it was out there. :)

- RSnake
Gotta love it. http://ha.ckers.org

Re: automated detection of csrf
Posted by: rsnake
Date: December 10, 2007 09:33AM

Whiiiich it turns out someone else already posted if I had been paying attention: http://sla.ckers.org/forum/read.php?4,17659 Whoops!

- RSnake
Gotta love it. http://ha.ckers.org

Re: automated detection of csrf
Posted by: Anonymous User
Date: December 10, 2007 10:59AM

We forgive you ;)
