I'm trying to put my head around what Andrew Van Der Stock (head of OWASP) is trying to say here:

http://www.greebo.net/?p=413

He's just explaining how CSRF can be detected by robots. You input some data, see if anything changed once you did. Then it's a function of some sort. Then you try to exploit it by getting someone else to do it for you with their credentials. Poof, CSRF in a can.

- RSnake
Gotta love it. http://ha.ckers.org

Thing is, how it is implemented again. because if I reference two iframes to a website, and the user is on that site also, I could make legitemate requests despite wether they are detecting a change in sessions or data for that matter. In the end they only lock out the good guys with it.

So detection is really, really tough. Think => CAPTCHA and you know what I mean when I say tough these days.

Instead of detecting it, make sure it cannot happen. A lot of ways to do that:

- design a cross/same domain policy for your domain (Apache, flash)
- jump out of frames/iframes with javascript.
- create unique identifiers based upon IP info
- create secure tokens, (very secure they must be able to withstand bruteforcing)
- create a user profile and store it into a session
- be sure to ask a password on EVERY important change in data, like modifying the password, email etc.

It's not possible to reliably detect CSRF automatically.

------------------
http://www.itnoise.com

>It's not possible to reliably detect CSRF automatically.

Yeah, it's not easy to reliably detect CSRF, but that doesn't mean you couldn't do some fuzzing and automatic flagging of potential CSRF. I think that this would be most useful against sites using RPC that returns JSON, especially if the fuzzer could analyze the response to see if it's usable JSON.

THere's a good blog post on what responses are vulnerable here: http://jpsykes.com/47/practical-csrf-and-json-security

Thanks for link wck. Very interesting reading.

------------------
http://www.itnoise.com

What's up with detecting stuff lately? why not prevent it or just block it. If you detect it only you are already too late. An IDS without an IPS is useless, and certainly with such CSRF practice.

@blad3 - OWASP is trying to detect CSRF automatically: http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project

Why detect when mitigation is possible too? Also the tool can be patched to send out mails for suspicious requests (highly recommended when using the first time on a live app)

http://code.google.com/p/csrfx/

Greetings,
.mario

Oh - I wasn't giving my moral opinion of the project, just informing people that it was out there. :)

- RSnake
Gotta love it. http://ha.ckers.org

Whiiiich it turns out someone else already posted if I had been paying attention: http://sla.ckers.org/forum/read.php?4,17659 Whoops!

- RSnake
Gotta love it. http://ha.ckers.org

We forgive you ;)