CSRF: Yeah, It Still Works

Presented at DEF CON 17 (2009), Aug. 1, 2009, 11 a.m. (50 minutes).

Bad News: CSRF is nasty, it's everywhere, and you can't stop it on the client side. Good News: It can do neat things. CSRF is likely amongst the lamest security bugs available, as far as "cool" bugs go. In essence, the attack forces another user's browser to do something on your behalf. If that user is an authenticated user or an administrator on a website, the attack can be used to escalate privilege. We've identified an endless stream of applications, platforms, critical infrastructure devices, and even wormable hybrid attacks, many of which require little or no Javascript (XSS). The key takeaway is this: a vulnerability that is so easily prevented can lead to absolute mayhem, particularly when bundled with other attacks. Worse still, identifying the attacker is even more difficult as the attack occurs in the context of the authenticated user. The presentation will discuss a variety of attack scenarios, as well as suggested mitigation.

Presenters:

  • Mike Bailey / mckt as Mike Bailey
  • Russ McRee - ASS
    Russ McRee, ASS, is a security analyst / researcher. As an advocate for a holistic approach to the practice of information assurance, Russ maintains holisticinfosec.org, where he conducts constant vulnerability and malware research. A frequent speaker at industry events, including FIRST and RAID , Russ also writes toolsmith, a monthly column for the ISSA Journal, and has written for numerous other publications including Information Security, (IN)SECURE, SysAdmin, and OWASP. Russ is listed as the 8th ranked vulnerability discoverer of 2008 by IBM ISS and 11th over-all by OSVDB.
  • Mike Bailey / mckt - ASS   as Mike "mckt" Bailey
    Mike "mckt" Bailey ASS, is a security researcher. He leads a small team of web application auditors and is the CISO for a smallish-but-fast-growing web development firm. He thinks writing policy is nice, but prefers breaking things to fixing them. Mike irregularly posts on his blog at skeptikal.org. The fragility of the web scares him.

Links:

Similar Presentations: