Thursday, February 18, 2010

Have you heard about CSRF?

Cross-Site Request Forgeries are probably the simplest kind of attack against unprotected websites. It simply needs a site A that the attacker owns (hacked or hers), visited by the victim, which makes a request to a site B where the victim is authenticated. As the victim (or rather her browser) is already authenticated on B, the request succeeds, and site A gets the content and is free to do whatever it wants with it.

For example, in one tab or window you're having a look at your bank account (B). In another tab or window you're visiting a random page, say a blog (A). Page A contains code that makes a request to the bank site. The bank knows you're currently logged in, thinks it's a regular request, and responds to it. So A receives information about your bank accounts and does whatever it's meant to do with it.
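To make the bank-side picture concrete, here is an added example (mine, not from the original post) of site B's transfer handler before and after the usual fix: a per-session anti-CSRF token that site B embeds in its own forms and that page A cannot read, plus a check of the browser-set Origin header. The session store, request shape and site names are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
SITE_B_ORIGIN = "https://bank.example"  # constructed: the bank, site B

@dataclass
class Session:
    user: str
    # per-session anti-CSRF token; site B embeds it in its own forms, page A cannot read it
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

# constructed session store: the victim's browser holds the cookie for this session
SESSIONS: Dict[str, Session] = {"sid-victim-123": Session(user="alice")}

@dataclass
class Request:
    cookie: Optional[str]         # sent automatically by the browser, even for cross-site requests
    form: Dict[str, str]
    origin: Optional[str] = None  # set by the browser, not by the page that triggered the request

def transfer_unprotected(req: Request) -> Tuple[int, str]:
    """Site B before the fix: a valid session cookie is the only thing it checks."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return 401, "not logged in"
    return 200, f"{session.user} sent {req.form['amount']} to {req.form['to']}"

def transfer_protected(req: Request) -> Tuple[int, str]:
    """Site B after the fix: Origin (when present) must match, and the form must carry the session token."""
    session = SESSIONS.get(req.cookie)
    if session is None:
        return 401, "not logged in"
    if req.origin is not None and req.origin != SITE_B_ORIGIN:
        return 403, "rejected: cross-site Origin"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return 403, "rejected: missing or wrong anti-CSRF token"
    return 200, f"{session.user} sent {req.form['amount']} to {req.form['to']}"

# constructed requests: the forged one is triggered by page A, the legitimate one by site B's own form
FORGED = Request(cookie="sid-victim-123", form={"to": "mallory", "amount": "1000"},
                 origin="https://blog.example")
LEGIT = Request(cookie="sid-victim-123",
                form={"to": "bob", "amount": "10", "csrf_token": SESSIONS["sid-victim-123"].csrf_token},
                origin=SITE_B_ORIGIN)

def demo() -> Tuple[int, int, int]:
    """Status codes for (forged/unprotected, forged/protected, legitimate/protected)."""
    return (transfer_unprotected(FORGED)[0], transfer_protected(FORGED)[0], transfer_protected(LEGIT)[0])
```

The forged request carries the victim's cookie and so passes the unprotected handler, but it has neither the token nor a matching Origin, so the protected handler turns it away while the bank's own form still works.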

When I discovered this kind of attack, I couldn't suppress a roar of laughter. It's so easy that I wondered how dumb I was not to have thought of it myself.

I can remember, two years ago, predicting to my friend and former co-worker Gabi Popa that it would become a major problem in web apps. Now both OWASP (since 2007) and MITRE put it in the top five of the worst problems of web apps.

I think it's a problem that's going to last for a long time, because the source of the problem can be located both in the web apps and in the web browsers, resulting in a "no-one moves first" situation that delays the moment when the developers on one side roll their sleeves up and act.