Comments on: CSRF Demystified

By: InfoSec & Other Ramblings - Cross Site Request Forgery

InfoSec & Other Ramblings - Cross Site Request Forgery — Wed, 04 Jun 2008 19:42:40 +0000

[...] Mario sums up CSRF perfectly - http://www.gnucitizen.org/blog/csrf-demystified [...]

By: Mario Heiderich

Mario Heiderich — Thu, 29 Nov 2007 17:02:51 +0000

Thanks guys - the feedback is very appreciated.

And on a sidenote: The CSRFx has been developed further the recent days and lots of bugs were fixed. Also we did some performance measurements and found out that despite of the thorough regex usage the project doesn’t slow down your webapp significantly.

10x for the support!
Greetings,
.mario

By: pdp

pdp — Wed, 28 Nov 2007 19:54:30 +0000

Tom, :) the older CSRF article was proposing a simple unobtrusive solution that actually works and it is very easy to implement.

By: Tom

Tom — Wed, 28 Nov 2007 17:12:28 +0000

Great article - I’m very happy it doesn’t suggest adding the session ID to the URL as a defense for CRLF, as a gnucitizen article did back in March (Top google hit for CSRF defense).

Great suggestions, and unlike the previous article it does not make the site more succeptible to some attacks in order to harden against CSRF.

By: fatmatt

fatmatt — Wed, 28 Nov 2007 11:45:23 +0000

Thanx!!
It showed very clearly CSRF, i’m already securing my web apps!! :)

By: Josep

Josep — Thu, 22 Nov 2007 21:39:17 +0000

Thanks for this article, I found it very clear and straightforward!

I’ve just started playing with it and found several webs vulnerable. Interesting… :)

By: Mario Heiderich

Mario Heiderich — Wed, 21 Nov 2007 13:01:08 +0000

Thx! I always have difficulties when telling my colleagues during scrum that I worked on the see-es-ar-eff-ex again ;)

Yes - there are several ways to protect against CSRF in very special situations. Such as the password change form as you mentioned. But this article is targeted to create more awareness about the topic itself and about easy to implement solutions.

Keeping XSS out in combination with using tokens is pretty bullet-proof. The CSRFx even takes care of accidental multiple submits since it stores a cloud of tokens for each user depending on session ID and user agent. So there are not many situations left in which such a tool wouldn’t work.

Nevertheless you are perfectly right. It not only the tool but the application and front end logic that can mitigate CSRF holes too. The password change form is perfect example for that - as well as ‘delete profile’ forms and stuff like that.

By: Adrian Pastor

Adrian Pastor — Wed, 21 Nov 2007 12:23:56 +0000

meant to say *reports*

By: Adrian Pastor

Adrian Pastor — Wed, 21 Nov 2007 12:23:16 +0000

Asking for the password again when updating profile info (i.e.: password, name, address) is also a valid protection.

Need to check out CSRFx, I might start mentioning this library in my pentest report. btw, I think it could be pronounced easily: “sea surf X”

Very nice post on one of my favorite subjects.