You can't secure what you don't acknowledge.SM

Thursday, April 15, 2010

CSRF doesn't matter?? The sky is falling!

Here's a great piece where something I wrote put a grown man with a hacker handle's boxers in a bunch. With all due respect to what Robert has contributed to our field, he is missing the point of my 8 sentence statement about cross-site request forgery (CSRF) not being a top priority. It reminds of me when I wrote about Changes coming to the OWASP Top 10 in 2010. [Boy, some of the "leet" in our field get cranky in a hurry when you say anything that's contrary to their experience!]

What I said was based on what I'm seeing in my work I don't think CSRF is as big of a deal - or perhaps I should say as top of a priority - as some of the vendors and Top 10 lists characterize it.

Sure, CSRF is still an issue...but what's the context? What's the perspective? What systems or sensitive information are being placed at risk? How does it affect the business? Based on what I see it's just not there and when it is, it's usually not as big of a deal as many of the other Web security gaffes we really should be focusing our efforts on.

Robert's blind railing against what I said is overlooks my consistent rants I have about NOT relying on tools to find security flaws like what I wrote about here and here and here and here and here. But who am I to question things...

It's so funny how some people worry about picking knits when there's an elephant in the room. It's all about priorities folks - we have to prioritize things and focus on the urgent and the important. If you find CSRF that's creating an urgent situation, then you better address it quick! Likewise with XSS, SQL injection, weak passwords, authentication mechanism flaws, and so on. But you've got to focus on what matters to your business in the context of your business - not just what some vendor, Top 10 list, or blogger says is important. Every situation - every application - is different.

There's something about our field - I've met many people over the years who like to find any flaw they can that's even remotely exploitable - regardless of whether or not it really matters in the grand scheme of things - and make a big deal out of it to justify their expertise and their existence. Given all the issues we face in information security today, that approach just doesn't add up.


  1. CSRF can be used to force the submission of any form that is not protected from it. Since business websites generally have all of their functionality tied to the submission of forms, CSRF affects all functionality of the site. In essence, a site that is vulnerable to CSRF has no authentication or authorization on its forms, therefore on its functionality. Your statements above are equivalent to saying that allowing an attacker to take any action for any user is not a high priority to fix.

  2. Dear "Anonymous":

    You're absolutely right! But you're still not getting my point...If it's there and it's causing a problem fix it! Yes, I said FIX IT! The problem is it's *rarely* there...

  3. The only time it isn't there is when there are no forms, thus no functionality. If they application doesn't do anything, then I would agree that CSRF is rarely there. However, aside from homepages about my puppy, most web applications have forms and actually do stuff. Since that is the case, and CSRF can take advantage of any form, I would say that it is extremely common.

    Your argument that CSRF is rare has to either be that CSRF can't be used to attack every form, or that sites don't really do important functionality related to form submissions. Which is it?

  4. I have a hard time believing that the conditions for CSRF are only "rarely" present. Would you not automatically consider an unauthorized user being able to submit data to a server, to be a risk that needs to be addressed? If this is a low-risk situation, what is the purpose of including authentication/authorization in the first place?

    Sure, there are always a lot of risks and we have to prioritize the remediation, but I believe CSRF is rightly considered to be a high-priority threat.

  5. So it's on every form of every site/app out there...amazing. I never said it's not a serious threat. There are lots of variables. For some reason we're just not on the same wavelength here...

  6. So it's a serious threat on every site, but it's not a top priority? Come on, don't bullshit me.

  7. "Anonymous" I'm not going to get started in a urination match with you nor dignify your comment with a response.

  8. Kevin. I'm not a troll and I'm not trying to get into a urination match with you. If you have a justification for your claim, we all want to hear it. If you don't, we want to hear that too. If you're just trying to save face after making a false claim, we would like to hear that too.

    Please justify your claims, or tell us what wavelength you are on.

  9. I'm going to reiterate what I've already said and then move on:

    1) I don't see CSRF everywhere (unlike some others do).

    2) I rarely see CSRF.

    3) When I do see it I take everything into consideration (perspective, context, authentication required or not, critical system or not, and so on).

    4) CSRF *can* be a serious all depends (see # 3).

    5) Every application is different.

    6) Security is very complex and it's not binary - there are always variables, opinions, politics, and so on that will muddy the waters.

    7) If you want good results with security you focus on your highest payoff tasks. Maybe it's CSRF, maybe it's not.

    8) Everyone is entitled to be the security professional they want to be and give the security opinions they want to give.

    End of story...

  10. Here's some further clarification to my original TechTarget Ask The Expert post about CSRF along with a link to a CSRF article I wrote a few months back:,289625,sid92_gci1507486,00.html

  11. The link above is supposedly going away. Here's a new post that explains along with the content of my original post and my recent update:

  12. Perhaps I am missing something here, but I agree with Beaver. What is the value of CSRF if you don't have the ability to force the victim to log-in to the target? And how would you obtain this ability? It seems obvious that you either have to (1) have an account with the server; (2) have a trojan running on the victim's machine so you can monitor their status; (3) take a chance that the victim will be logged in at any random time. It is certainly something that bears watching but not of the magnitude that some suggest.