CSRF: Yeah, It Still Works

Presented at DEF CON 17 (2009), Aug. 1, 2009, 11 a.m. (50 minutes)

Bad News: CSRF is nasty, it's everywhere, and you can't stop it on the client side. Good News: It can do neat things. CSRF is likely amongst the lamest security bugs available, as far as "cool" bugs go. In essence, the attack forces another user's browser to do something on your behalf. If that user is an authenticated user or an administrator on a website, the attack can be used to escalate privilege. We've identified an endless stream of applications, platforms, critical infrastructure devices, and even wormable hybrid attacks, many of which require little or no Javascript (XSS). The key takeaway is this: a vulnerability that is so easily prevented can lead to absolute mayhem, particularly when bundled with other attacks. Worse still, identifying the attacker is even more difficult as the attack occurs in the context of the authenticated user. The presentation will discuss a variety of attack scenarios, as well as suggested mitigation.

Presenters:

• Mike Bailey / mckt - ASS   as Mike "mckt" Bailey
  Mike "mckt" Bailey ASS, is a security researcher. He leads a small team of web application auditors and is the CISO for a smallish-but-fast-growing web development firm. He thinks writing policy is nice, but prefers breaking things to fixing them. Mike irregularly posts on his blog at skeptikal.org. The fragility of the web scares him.
• Russ McRee - ASS
  Russ McRee, ASS, is a security analyst / researcher. As an advocate for a holistic approach to the practice of information assurance, Russ maintains holisticinfosec.org, where he conducts constant vulnerability and malware research. A frequent speaker at industry events, including FIRST and RAID , Russ also writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, and OWASP. Russ is listed as the 8th ranked vulnerability discoverer of 2008 by IBM ISS and 11th over-all by OSVDB.
• Mike Bailey / mckt   as Mike Bailey

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#Bailey
• https://infocon.org/cons/DEF CON/DEF CON 17/DEF CON 17 video and slides/DEF CON 17 - Mike Bailey and Russ McRee - CSRF Yeah it Still Works - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=AzMAhki7HEU

Similar Presentations:

• AppSec USA 2013 / CSRF: not all defenses are created equal
• DEF CON 25 (2017) / Wiping out CSRF
• DEF CON 16 (2008) / CSRF Bouncing†