(Note that CSRF is not to be confused with cross-site scripting, or XSS. Theyre distinctly different.)
Before I continue, however, let me just say that I seriously dont consider myself a FUD guymeaning, Im not one to try to scare my readers or customers into submission using Fear, Uncertainty, and Doubt. I prefer instead to rely on facts and, when asked, opinions and recommendations. But Im always explicitly clear about which Im talking about.
That said, CSRF is a big deal. This is not a fire drill. It affects a huge percentage of todays Web applications. Numbers are not yet clear, but there are some estimates as high as 80-90% of todays Web apps are affected by CSRF. Perhaps more to the point, though, when a CSRF vulnerability is exploited, the attacker has access to all the information and functions accessible to the victims account. If the victim can transfer money (to the attackers account), the attacker can transfer money, and without the victims consent or knowledge. No kidding.
So just what is a CSRF vulnerability and what makes it so heinous? Heres the scenario: youre logged into a Web site, or the site has placed a remember me cookie in your browser. While the session or cookie is active, you receive an unsolicited email thats either directly or indirectlyvia, for example, a spambot networkfrom the attacker. The email is HTML formatted, and includes an image tag, which is an instruction to the HTML renderer to grab an image from another site, normally via a URL pointing to a graphics file.
But this image tag doesnt contain a harmless pointer to an image file. Instead, it contains an explicit URL pointing the HTML rendering engine off to the site you were logged into back in your browser. (Remember, the email comes in while youre logged in.)
We Need to Rethink PC Security Software
Spam Wars: When Good Geeks Say Bad Things
You've Got Spam: The New Field of Reputation Management
Guide to Hotspot Safety|
The request to the web site youre logged into gets doled out to the HTML subsystemnormally your browser. But your browser knows you have a session open on that site, and it gleefully sends along your session credentials (e.g., JSESSIONID, active cookies). Now, the really nasty bit That image request has embedded in it an explicit set of instructions to your Web site that instruct it to, for instance, transfer funds, change your password, send your login credentials to the attacker, or some other unpleasant function.
Its real. Weve already seen CSRF attacks that do some fairly straight forward things, that Id consider as proof of concept code to validate the effectiveness of CSRF. To name a couple examples, Netflix had a CSRF flaw that enabled an attacker to add a movie to the victims movie queue and place it at the front of the line. (That could result in some interesting discussions with your spouse ) Google had a CSRF flaw that enabled an attacker to change the victims default language to Klingon (or any other language, for that matter).
Weve also seen published examples of CSRF flaws being used to change the configuration of popular routers. (Does the device at 192.168.1.1 on your network have a username/password of admin/admin?) But these are just childs play compared to what CSRF is really capable of.
CSRF first really came to my attention when the Open Web Application Security Project (OWASP) published its 2007 top 10 list of security defects. Unlike all other defects on previous OWASP top 10 lists, however, CSRF was put on the list in advance of statistical verification. This was done because the OWASP team felt strongly that CSRF is real and urgently needs to be fixed as soon as possible.
Fortunately, the OWASP folks didnt stop there. Theyve also released the CSRF Guard, which is an open source Java J2EE class library that provides simple and effective protection against CSRF vulnerabilities.
The way the OWASP CSRF Guard works is to include a randomly generated and unpredictable token in each web page, in the form of a hidden HTML field. This allows valid browser requests to pass, but blocks CSRF requests in their tracks, since they dont have access to this token.
The CSRF Guard is not just simple and effective, its free. Kudos to the good folks at OWASP for making this available. And, similar solution sets are available or being developed in other programming languages as well.
So, CSRF is a nasty little vulnerability with potentially very large impacts on vulnerable web site. But its also easy to safeguard against. Theres just no excuse for a Web site to remain vulnerable to them. Left unfixed, CSRF issues provide the attacker with a direct avenue of attack to your customers.