A Brief Return to CSRF

Attention to CSRF seems to ebb and flood against the popularity of yet another XSS or SQL injection. Here’s some insight[1] into the projects I work on related to web scanning, specifically how some kinds of CSRF detections can be automated.

CSRF detection definitely falls into the “hard” category of automation. The Book discusses CSRF in Chapter 3. You may also be interested in reading the excellent Stanford Web Security Research papers on the topic.[2]

CSRF is a complex topic that engenders a lot of strong opinions on risk, exploitation, and what constitutes a vuln. A few months ago I wrote on the broader aspects of web security and how they do or do not relate to CSRF.[3]

Since July was a rather dry period for updates here, I’ll take August to dive into some of the ways automated CSRF detection succeeds and which approaches are doomed to fail.

=====

[1] https://community.qualys.com/blogs/securitylabs/2011/08/10/the-was-approach-to-csrf
[2] http://seclab.stanford.edu/websec/csrf/
[3] http://www.deadliestwebattacks.com/2011/04/csrf-and-beyond.html
