[Owasp-ireland] A real bank with a CSRF flaw!

davidrook david.rook at realexpayments.com
Tue Sep 30 10:39:18 EDT 2008


Just out of interest, does anyone know of any automated way of testing
for CSRF?

I understand the kinds of steps needed to prevent it, but I wondered if
there are any automated ways to detect this yet, or is it still a manual
approach?

Dave

Eoin wrote:
> Great Dave,
> We covered this at the last meeting. If anyone needs the slides please drop
> me a line.
> Also the code review guide covers CSRF from a code perspective and has a
> nice flow chart.
>
> ek
>
>
>
> 2008/9/30 davidrook <david.rook at realexpayments.com>
>
>> Hi all,
>>
>> Interesting news story here:
>> http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/ that
>> details how researchers from Princeton University found CSRF flaws in 4
>> websites including ING's bank website. The whitepaper that is linked in
>> the article is a good read and explains CSRF flaws and prevention very
>> well.
>>
>> Finally the example many people use (transferring funds from an online
>> bank using CSRF) to highlight the dangers of CSRF has become a reality.
>>
>> Thanks,
>>
>> Dave
>>

-- 
David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.

Realex Payments, Dublin, www.realexpayments.com
Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538

Realex Payments, London, www.realexpayments.co.uk
1 Hammersmith Grove, London W6 0NB, England
Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is registered in Ireland, company number 324929.

This mail and any documents attached are classified as confidential and
are intended for use by the addressee(s) only unless otherwise
indicated. If you are not an intended recipient of this email, you must
not use, disclose, copy, distribute or retain this message or any part
of it. If you have received this email in error, please notify us
immediately and delete all copies of this email from your computer
system(s). 
--
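On Dave's question about automating CSRF testing: one first-pass check a scanner can run is to parse every form on a page and flag state-changing (POST) forms that carry no hidden field resembling an anti-CSRF token. The script below is an added example written for this thread, not code from the list or the whitepaper; the token-name pattern, the minimum token length and the sample HTML are assumptions I constructed.

```python
"""Heuristic automated CSRF check over HTML forms (added example, not from the thread)."""
import re
from html.parser import HTMLParser

# Hidden-field names commonly used for anti-CSRF tokens (assumption: real sites vary).
TOKEN_NAME_RE = re.compile(r"(csrf|xsrf|token|nonce|authenticity)", re.IGNORECASE)


class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written without a value
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": a.get("name") or "",
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def has_anti_csrf_token(form, min_len=16):
    """True if the form carries a hidden field that looks like a per-request token."""
    return any(i["type"] == "hidden" and TOKEN_NAME_RE.search(i["name"])
               and len(i["value"]) >= min_len for i in form["inputs"])


def find_csrf_candidates(html):
    """Return the actions of POST forms that have no token-looking hidden field."""
    parser = FormCollector()
    parser.feed(html)
    return [f["action"] for f in parser.forms
            if f["method"] == "post" and not has_anti_csrf_token(f)]


# Constructed sample page: a protected transfer form, an unprotected one and a harmless GET.
SAMPLE = """
<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="d41d8cd98f00b204e9800998ecf8427e">
  <input name="to"><input name="amount"><input type="submit">
</form>
<form action="/change-email" method="post"><input name="email"><input type="submit"></form>
<form action="/search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for action in find_csrf_candidates(SAMPLE):
        print("no anti-CSRF token on POST form:", action)
```

A token being present does not prove the server validates it, so the manual part that remains is confirming that a resubmission with the token missing or altered is actually rejected.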