[Owasp-ireland] A real bank with a CSRF flaw!

Eoin eoin.keary at owasp.org
Tue Sep 30 11:00:28 EDT 2008


Protection:
http://www.owasp.org/index.php/.Net_CSRF_Guard


Grendel-Scan claims to do it, but it's experimental.
Grendel-Scan was released at DEF CON 2008.



2008/9/30 davidrook <david.rook at realexpayments.com>

> Just out of interest does anyone know of any automated way of testing
> for CSRF?
>
> I understand the kinds of steps needed to prevent it but I wondered if
> there are any automated ways to detect this yet or is it still a manual
> approach?
>
> Dave
>
> Eoin wrote:
> > Great Dave,
> > We covered this at the last meeting. if anyone needs the slides please
> drop
> > me a line.
> > also the code review guide covers CSRF from a code perspective and have a
> > nice flow chart.
> >
> > ek
> >
> >
> >
> > 2008/9/30 davidrook <david.rook at realexpayments.com>
> >
> >
> >> Hi all,
> >>
> >> Interesting news story here:
> >> http://www.theregister.co.uk/2008/09/30/web_bug_bites_sites/ that
> >> details how researchers from Princeton University found CSRF flaws in 4
> >> websites including ING's bank website. The whitepaper that is linked in
> >> the article is a good read and explains CSRF flaws and preventions very
> >> well.
> >>
> >> Finally the example many people use (transferring funds from an online
> >> bank using CSRF) to highlight the dangers of CSRF has become a reality.
> >>
> >> Thanks,
> >>
> >> Dave
> >>
> >> --
> >> David Rook | david.rook at realexpayments.com
> >> Security Analyst
> >>
> >> Realex Payments
> >> Enabling thousands of businesses to sell online.
> >>
> >> Realex Payments, Dublin, www.realexpayments.com
> >> Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
> >> Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538
> >>
> >> Realex Payments, London, www.realexpayments.co.uk
> >> 1 Hammersmith Grove, London W6 0NB, England
> >> Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264
> >>
> >> Pay and Shop Limited, trading as Realex Payments has its registered
> office
> >> at Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is
> >> registered in Ireland, company number 324929.
> >>
> >> This mail and any documents attached are classified as confidential and
> >> are intended for use by the addressee(s) only unless otherwise
> >> indicated. If you are not an intended recipient of this email, you must
> >> not use, disclose, copy, distribute or retain this message or any part
> >> of it. If you have received this email in error, please notify us
> >> immediately and delete all copies of this email from your computer
> >> system(s).
> >> --
> >>
> >>
> >> _______________________________________________
> >> Owasp-ireland mailing list
> >> Owasp-ireland at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-ireland
> >>
> >>
> >
> >
> >
> >
>


-- 
Eoin Keary CISSP CISA
OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
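As an added illustration of the automated check Dave asks about, the script below is example code written for this page; it is not Grendel-Scan's code, nor OWASP CSRFGuard's, nor anything posted in the thread. It applies the two heuristics a CSRF scanner has to combine: a state-changing (POST) form should carry a hidden field that looks like an anti-CSRF token, and that token must differ between two independent sessions, otherwise it is a predictable constant. The funds-transfer page it scans is a constructed sample, and the token field names and length thresholds are assumptions, not a standard.

```python
"""Heuristic scan for forms lacking a usable anti-CSRF token.

Added example; not code from Grendel-Scan, OWASP CSRFGuard or the mailing
list post. Assumptions: a state-changing form is one submitted with POST,
and an anti-CSRF token is a hidden input whose name hints at that role and
whose value is long, varied and different in every session.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Assumed (not exhaustive) list of names given to anti-CSRF hidden fields.
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity",
                    "requestverificationtoken", "viewstateuserkey")
MIN_TOKEN_LENGTH = 16      # assumed floor: shorter values are guessable
MIN_DISTINCT_CHARS = 8     # crude entropy floor, also an assumption


@dataclass
class Form:
    action: str
    method: str
    hidden: dict = field(default_factory=dict)   # hidden input name -> value


class FormCollector(HTMLParser):
    """Collect every <form> and its hidden inputs from one HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = Form(action=a.get("action", ""),
                                 method=a.get("method", "get").lower())
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "hidden" and a.get("name"):
                self._current.hidden[a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_forms(html):
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def token_fields(form):
    """Hidden fields of `form` that plausibly carry an anti-CSRF token."""
    found = {}
    for name, value in form.hidden.items():
        name_ok = any(h in name.lower() for h in TOKEN_NAME_HINTS)
        value_ok = (len(value) >= MIN_TOKEN_LENGTH
                    and len(set(value)) >= MIN_DISTINCT_CHARS
                    and re.fullmatch(r"[A-Za-z0-9+/=_\-]+", value) is not None)
        if name_ok and value_ok:
            found[name] = value
    return found


def unprotected_forms(html):
    """Actions of POST forms that carry no plausible anti-CSRF token."""
    return [f.action for f in parse_forms(html)
            if f.method == "post" and not token_fields(f)]


def static_token_forms(html_session_a, html_session_b):
    """Actions whose token is identical across two independent sessions.

    A value that never changes is a constant an attacker can embed in a
    forged request, so the scanner fetches the page twice, under two
    sessions, and compares the tokens it found.
    """
    in_b = {f.action: token_fields(f) for f in parse_forms(html_session_b)}
    static = []
    for f in parse_forms(html_session_a):
        tokens_a = token_fields(f)
        tokens_b = in_b.get(f.action, {})
        if tokens_a and any(tokens_b.get(n) == v for n, v in tokens_a.items()):
            static.append(f.action)
    return static


# Constructed sample page (not a real bank): one transfer form with no token,
# one form with a proper token, one with a four-digit "token", one GET form
# that changes no state, and one form whose token is regenerated per session.
SESSION_A = """
<form action="/transfer" method="POST">
  <input type="hidden" name="from_account" value="12345678">
  <input type="text" name="to_account"><input type="text" name="amount">
</form>
<form action="/profile" method="post">
  <input type="hidden" name="csrf_token" value="3f9a1c7e5b2d4086a9e1f3c5d7b2a4e6">
</form>
<form action="/settings" method="post">
  <input type="hidden" name="csrf_token" value="1234">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="/message" method="post">
  <input type="hidden" name="csrf_token" value="c0ffee1234deadbeef5678abcdef9012">
</form>
"""
# The same page fetched in a second session: /message rotated its token,
# /profile handed out the very same value again.
SESSION_B = SESSION_A.replace("c0ffee1234deadbeef5678abcdef9012",
                              "9012abcdef5678deadbeef1234c0ffee")

if __name__ == "__main__":
    print("no token:    ", unprotected_forms(SESSION_A))
    print("static token:", static_token_forms(SESSION_A, SESSION_B))
```

Run stand-alone, it reports /transfer and /settings as having no usable token and /profile as reusing the same token across sessions; /message passes and /search is ignored as a GET form. A heuristic like this finds candidates only; confirming a finding still means submitting the form from a foreign origin without the token and seeing whether the action goes through, which is the manual step a scanner cannot safely automate against a live bank.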