Comments on: CSRF Demystified

By: Matthew Nelson

Matthew Nelson — Fri, 27 Jan 2012 22:29:06 +0000

“Referer” is not a bulletproof CSRF solution. The header can be stripped by privacy tools and corporate proxies. Browsers won’t send the header for cross-domain HTTPS requests. Very old versions of Flash had a cross-domain header injection vulnerability. (See CVE-2006-5330.) Keep this in mind when choosing which requests to guard with “Referer” validation.

By: CSRF attacks: Home DSL routers are vulnerable | M.A.S. Electronics Web Blog

CSRF attacks: Home DSL routers are vulnerable | M.A.S. Electronics Web Blog — Thu, 18 Nov 2010 15:10:31 +0000

[...] to accomplish the e-mail deletion in the above example. The GNUCitizen Web site has an article â€œCSRF Demystifiedâ€ that explains the attack vector in detail. The following are some points that I found to be of [...]

By: Cross Site Request Forgery (CSRF aka XSRF) – Explained | Grey Hat Hacking â€“ Web 2.0 Applications

Tue, 23 Mar 2010 07:07:10 +0000

[...] http://www.gnucitizen.org/blog/csrf-demystified/ Tags: Cross Site Request Forgery, CSRF, Web Vulnerability, [...]

By: Was ist “Cross Site Request Forgery” (CSRF)? at PHP Gangsta

Was ist “Cross Site Request Forgery” (CSRF)? at PHP Gangsta — Sat, 22 Aug 2009 07:21:20 +0000

[...] http://www.gnucitizen.org/blog/csrf-demystified/ [...]

By: pdp

pdp — Tue, 28 Apr 2009 06:28:46 +0000

both GET and POST can be used in CSRF attacks.

By: suman

suman — Tue, 28 Apr 2009 01:14:39 +0000

you are assuming that the page uses a GET request right ?? The example wont work with POST perhaps

By: Ataque: ¿Qué es Cross Site Request Forgery (CSRF)? | Shadow Security

Ataque: ¿Qué es Cross Site Request Forgery (CSRF)? | Shadow Security — Thu, 29 Jan 2009 14:34:23 +0000

[...] CSRT Desmitificado (inglés) [...]

By: anshita

anshita — Mon, 12 Jan 2009 17:13:04 +0000

If i need to write patterns for csrf in an xml file,which can be then scanned by any scanner to analyse a particular web service,what would those patterns be like.For example in sql injection,we use a pattern like “1=1″ or “a=a”.Please reply.

By: CSRF attacks: Home DSL routers are vulnerable | Network Administrator | TechRepublic.com

Mon, 08 Dec 2008 23:38:00 +0000

[...] accomplish the e-mail deletion in the above example. The GNUCitizen Web site has an article “CSRF Demystified” that explains the attack vector in detail. The following are some points that I found to be [...]

By: Ardoooooon

Ardoooooon — Fri, 07 Nov 2008 10:57:40 +0000

Thanks! I found this very enlighting indeed, and has now taken action to prevent CSRF.

- Despite that, I still find that some of the preventive measures proposed weakens my website against other forms of attacks

By: InfoSec & Other Ramblings - Cross Site Request Forgery

InfoSec & Other Ramblings - Cross Site Request Forgery — Wed, 04 Jun 2008 19:42:40 +0000

[...] Mario sums up CSRF perfectly – http://www.gnucitizen.org/blog/csrf-demystified [...]

By: Mario Heiderich

Mario Heiderich — Thu, 29 Nov 2007 17:02:51 +0000

Thanks guys – the feedback is very appreciated.

And on a sidenote: The CSRFx has been developed further the recent days and lots of bugs were fixed. Also we did some performance measurements and found out that despite of the thorough regex usage the project doesn’t slow down your webapp significantly.

10x for the support!
Greetings,
.mario

By: pdp

pdp — Wed, 28 Nov 2007 19:54:30 +0000

Tom, :) the older CSRF article was proposing a simple unobtrusive solution that actually works and it is very easy to implement.

By: Tom

Tom — Wed, 28 Nov 2007 17:12:28 +0000

Great article – I’m very happy it doesn’t suggest adding the session ID to the URL as a defense for CRLF, as a gnucitizen article did back in March (Top google hit for CSRF defense).

Great suggestions, and unlike the previous article it does not make the site more succeptible to some attacks in order to harden against CSRF.

By: fatmatt

fatmatt — Wed, 28 Nov 2007 11:45:23 +0000

Thanx!!
It showed very clearly CSRF, i’m already securing my web apps!! :)

By: Josep

Josep — Thu, 22 Nov 2007 21:39:17 +0000

Thanks for this article, I found it very clear and straightforward!

I’ve just started playing with it and found several webs vulnerable. Interesting… :)

By: Mario Heiderich

Mario Heiderich — Wed, 21 Nov 2007 13:01:08 +0000

Thx! I always have difficulties when telling my colleagues during scrum that I worked on the see-es-ar-eff-ex again ;)

Yes – there are several ways to protect against CSRF in very special situations. Such as the password change form as you mentioned. But this article is targeted to create more awareness about the topic itself and about easy to implement solutions.

Keeping XSS out in combination with using tokens is pretty bullet-proof. The CSRFx even takes care of accidental multiple submits since it stores a cloud of tokens for each user depending on session ID and user agent. So there are not many situations left in which such a tool wouldn’t work.

Nevertheless you are perfectly right. It not only the tool but the application and front end logic that can mitigate CSRF holes too. The password change form is perfect example for that – as well as ‘delete profile’ forms and stuff like that.

By: Adrian Pastor

Adrian Pastor — Wed, 21 Nov 2007 12:23:56 +0000

meant to say *reports*

By: Adrian Pastor

Adrian Pastor — Wed, 21 Nov 2007 12:23:16 +0000

Asking for the password again when updating profile info (i.e.: password, name, address) is also a valid protection.

Need to check out CSRFx, I might start mentioning this library in my pentest report. btw, I think it could be pronounced easily: “sea surf X”

Very nice post on one of my favorite subjects.