[ OWASP - Montréal ] XSRF/CSRF testing difficulty level

Benoit Guerette benoit.guerette at gmail.com
Thu Nov 27 22:34:24 EST 2008


I don't know which term to use, but I mean Cross-Site Request Forgery
(both seem OK).

How do you test for XSRF vulnerabilities? From what I can understand,
finding a successful XSRF vulnerability needs a lot of understanding of
the web application, and a lot of time. I don't think many clients
allow huge budgets for that kind of test, but it is so important.

Forging a request with the right parameter values for success is very
hard, and the results are not always easy to see. Example: an XSRF
vulnerability in a bank's web app, allowing you to transfer money to
your 'attacker' account. When you test, you cannot transfer money to
your own account, so you need a friend at the same bank, leaving his
session open and surfing to your 'blog' containing the forged
request hidden in the HTML image tags.

My conclusion: is an XSRF vulnerability easier and faster to find by
talking to the dev team and asking them specific questions (do you use
a token associated with the session to avoid XSRF?) to find the
vulnerability?

What did I miss? :) Thanks!

-- 
http://www.linkedin.com/in/benoitguerette
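The check the post is asking about, as an added example that is not part of the original message and not code from any real bank: a small model of a transfer endpoint in its unprotected form and with a per-session synchronizer token, plus a probe that replays a captured transfer request the way a cross-site page would (the victim's session cookie is attached by the browser, but the attacker can only choose the parameters and cannot read the victim's token). The bank, its sessions, the user names, balances and the hypothetical bank.example URL are all made up for the example; the probe uses two test accounts on the same test instance rather than a friend's live account.

```python
# Added example, not from the original post. Models a CSRF test against a
# state-changing endpoint with two test accounts ("victim" and "attacker").
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlencode


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]   # attached automatically by the browser (the session)
    params: Dict[str, str]    # chosen by whichever page issued the request


class Bank:
    """Hypothetical transfer endpoint. protected=False models the vulnerable
    app: any request carrying a valid session cookie moves money."""

    def __init__(self, protected: bool):
        self.protected = protected
        self.sessions: Dict[str, Dict[str, str]] = {}   # sid -> {"user", "csrf"}
        self.balances = {"victim": 1000, "attacker": 0}  # constructed sample data

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        # one unpredictable token per session: the synchronizer token pattern
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def transfer(self, req: Request) -> Tuple[int, str]:
        sess = self.sessions.get(req.cookies.get("SESSION", ""))
        if sess is None:
            return 401, "not logged in"
        if self.protected:
            if req.method != "POST":
                return 405, "state change only via POST"
            supplied = req.params.get("csrf", "")
            if not hmac.compare_digest(supplied, sess["csrf"]):
                return 403, "missing or wrong anti-CSRF token"
        amount = int(req.params["amount"])
        src, dst = sess["user"], req.params["to"]
        if self.balances[src] < amount:
            return 400, "insufficient funds"
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200, "transferred"


def img_tag(params: Dict[str, str]) -> str:
    """The forged request hidden in an image tag on the attacker's 'blog'
    (hypothetical URL); only works if the app accepts the transfer via GET."""
    return '<img src="https://bank.example/transfer?%s">' % urlencode(params)


def csrf_probe(bank: Bank, victim_sid: str, attacker_sid: str,
               params: Dict[str, str]) -> List[str]:
    """Replay the captured request under the victim's cookie with the token
    removed, forged, or taken from the attacker's own session. Returns the
    variants the server accepted; any hit means the endpoint is forgeable."""
    cookies = {"SESSION": victim_sid}
    variants = {
        "GET via <img>, no token": Request("GET", cookies, params),
        "POST, token removed": Request("POST", cookies, params),
        "POST, random token": Request(
            "POST", cookies, {**params, "csrf": secrets.token_hex(16)}),
        "POST, attacker's own token": Request(
            "POST", cookies, {**params, "csrf": bank.csrf_token(attacker_sid)}),
    }
    return [name for name, req in variants.items()
            if bank.transfer(req)[0] == 200]


def run_probe(protected: bool) -> Tuple[List[str], bool, int]:
    """Returns (accepted forged variants, legitimate request still works,
    attacker's final balance) for one configuration of the model bank."""
    bank = Bank(protected)
    victim = bank.login("victim")
    attacker = bank.login("attacker")
    captured = {"to": "attacker", "amount": "10"}   # seen in the legitimate form
    hits = csrf_probe(bank, victim, attacker, captured)
    # sanity check: the real form, carrying the victim's own token, must work
    legit = Request("POST", {"SESSION": victim},
                    {**captured, "csrf": bank.csrf_token(victim)})
    legit_ok = bank.transfer(legit)[0] == 200
    return hits, legit_ok, bank.balances["attacker"]


if __name__ == "__main__":
    for protected in (False, True):
        hits, legit_ok, stolen = run_probe(protected)
        print("protected=%s accepted=%s legit_ok=%s attacker balance=%d"
              % (protected, hits, legit_ok, stolen))
    print(img_tag({"to": "attacker", "amount": "10"}))
```

On the unprotected bank every forged variant, including the plain GET that an image tag would issue, moves money; on the protected one none do while the legitimate form still works. The "attacker's own token" variant is the one worth asking the dev team about: a token that is merely present but not bound to the session is no defence.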

