[Owasp-leaders] CSRF

Jeremy Long jeremy.long at owasp.org
Wed May 29 13:14:59 UTC 2013


Additionally, in the cat and mouse game that is application level DDoS -
putting a CSRF on a login page ups the work factor the attacker is required
to perform to abuse the login page. Yes, this is a solvable problem from
the attacker's point of view; but depending on how it is done you do
increase the work factor so an attacker might look at a different part of
your public site to DOS.

--Jeremy


On Wed, May 29, 2013 at 3:49 AM, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:

> Hi all,
>
> This is my opinion
>
> CSRF attacks are a "blind" type of attack; they are effective if they cause a
> change of state.
> Typically CUD operations (create, update, delete), and not read operations,
> are subject to CSRF.
> Read operations can be accessed sometimes in a way similar to CSRF, but
> they need other issues to be abused, like JavaScript Hijacking was one of
> those.
> Login operations are needed to authenticate the user, and after a
> correct login the user changes his state from anonymous to
> authenticated, and that change of state is typically written in db or to
> some applicative storage.
>
>
>
> On 05/29/2013 01:53 AM, Dave Wichers wrote:
> > It deserves being explained in the OWASP article on CSRF. This is a bit too
> > detailed for the 1 page we have on each Top 10 item in my opinion.
> >
> > -Dave
> >
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
> > Sent: Tuesday, May 28, 2013 6:28 PM
> > To: Gunnar Peterson
> > Cc: OWASP Leaders
> > Subject: Re: [Owasp-leaders] CSRF
> >
> > Is this explained properly in the new top 10?? I don't recall seeing this.
> >
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 28 May 2013, at 23:24, Gunnar Peterson <gunnar at arctecgroup.net> wrote:
> >
> >> three things come to mind
> >>
> >> 1. if you have a large enough pool of users and want to brute force
> >>
> >> 2. or simply try and lock out a bunch of users, and force them to a weaker
> >> scheme (questions) that you can wedge into
> >> 3. if the site caches creds somewhere and you can reinstantiate that way
> >>
> >> -gunnar
> >>
> >>
> >>
> >> On May 28, 2013, at 5:17 PM, Eoin wrote:
> >>
> >>> Does CSRF-ing a login page make sense to anyone :)
> >>>
> >>>
> >>> Eoin Keary
> >>> Owasp Global Board
> >>> +353 87 977 2988
> >>>
> >>> _______________________________________________
> >>> OWASP-Leaders mailing list
> >>> OWASP-Leaders at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> --
> | Giorgio Fedon, Owasp Italy
> |
> | In Input Validation
> |            and Output Sanitization,
> |                                   We Trust
> --
> | Web: https://www.owasp.org/index.php/Italy
> |_____________________________________________.
>
>
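The login-page CSRF token that Jeremy describes above, as an added example that is not code from this thread or from OWASP: the server sets an anonymous pre-login session cookie when it serves the form, derives the token as an HMAC of that cookie, and the login handler rejects any POST whose token was not derived from the cookie the browser actually sends. The cookie name `presession`, the in-memory key and the helper names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key for the example; a real deployment keeps this in a secret store.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Token bound to one pre-login session cookie: HMAC-SHA256(key, cookie value)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_login_form():
    """GET /login: set a fresh anonymous session cookie and embed its token in the form.
    Returns (cookie value, hidden form field value)."""
    session_id = secrets.token_urlsafe(32)
    return session_id, csrf_token_for(session_id)


def verify_login_request(cookies: dict, form: dict):
    """POST /login: run before any credential lookup. Returns (accepted, reason)."""
    session_id = cookies.get("presession")
    if not session_id:
        return False, "missing pre-session cookie"
    token = form.get("csrf_token", "")
    # Constant-time compare so a mismatch leaks nothing about the expected token.
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return False, "csrf token mismatch"
    return True, "ok"


def forged_cross_site_post(victim_cookie: str, attacker_cookie: str):
    """Model of a login-CSRF attempt: the victim's browser attaches the victim's
    cookie, but the attacker's page can only supply a token derived from a cookie
    the attacker fetched themselves. The mismatch is what raises the work factor:
    every submission needs its own fresh GET of the form and its cookie."""
    attacker_form = {"user": "attacker", "pass": "x", "csrf_token": csrf_token_for(attacker_cookie)}
    return verify_login_request({"presession": victim_cookie}, attacker_form)


if __name__ == "__main__":
    cookie, token = issue_login_form()
    print(verify_login_request({"presession": cookie}, {"user": "alice", "csrf_token": token}))
    print(forged_cross_site_post(cookie, issue_login_form()[0]))
```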