How to detect CSRF vulnerability, reliably?

Presented at AppSec USA 2017, Sept. 22, 2017, 1:30 p.m. (45 minutes)

Cross-site request forgery (CSRF) is one of the OWASP Top 10 vulnerability classes, and detecting it reliably in web applications has proved to be a difficult problem. Most dynamic application security testing tools offer an option to scan for CSRF; however, their reports are often plagued with false positives or false negatives, making them quite unreliable. In this presentation we analyze the general approach these tools take to CSRF detection and identify the reasons behind their failures. We then propose a new programmatic approach to scanning for CSRF that overcomes these shortcomings. We will demonstrate that this approach is not only simple and reliable but can also be integrated easily with automated application security testing.


Presenters:

  • Umesh Salian
    Umesh Salian is part of the Cybersecurity Architecture team at Discover Financial Services, currently focused on automating (static and dynamic) application security testing in the CI/CD pipeline. He has 15 years of prior experience as a Java/J2EE developer and joined Cybersecurity about 18 months ago.