You can't secure what you don't acknowledge.SM

Friday, April 23, 2010

Re-post of my update on CSRF

I was just informed by my editor at SearchSoftwareQuality.com that they're going to take my Ask the Expert response regarding CSRF (referred to in this post) offline until they've had a chance to review it. In the interest of not letting this fizzle out without people knowing what happened as well as maintaining my stance on the topic and further clarifying what I meant, here's the original question along with my answer and my recent update:

Is cross-site request forgery as big a deal as the vendors make it out to be?
Even with some of the best commercial Web vulnerability scanners, it's very rare that I find cross-site request forgery (CSRF). That doesn't mean it's not there. Given the complexity of CSRF, it's actually pretty difficult to find. The good news is it's even more difficult to exploit CSRF which essentially takes advantage of the trust a Web application has for a user. So, based on what I'm seeing in my work I don't think CSRF is as big of a deal - or perhaps I should say -- as top of a priority as some of the vendors and Top 10 lists characterize it. This doesn't mean you shouldn't use a high-quality vulnerability scanner to look for it. I'm just saying that you likely have many simpler and more obvious problems to uncover and fix first.

UPDATE: In order to clear up some confusion and clarify my statement on CSRF I'd like to expand on my answer:

1. CSRF doesn't exist everywhere. I rarely see CSRF using both automated scanners and manual analysis. Every application is different. Your mileage may vary.
2. If you do find CSRF, it's important to take everything into consideration (context, attack perspective, authentication mechanism used, application logic, level of sensitive information processed by or stored on the system, whether or not the system is Internet-accessible, and so on).
3. CSRF can indeed be a serious threat...as with many things we deal with in IT, it all depends (see #2).
4. You're not going to find every single vulnerability every single time you perform a security assessment of your applications. There are too many variables and complexities. To assume that a one-shot check should/will uncover everything all at once is delusional. This is why we have to perform security assessments on a consistent and ongoing basis using good tools and in-depth manual analysis.
5. Security is very complex. It's not binary. There are always variables and complexities including opinions, politics, culture, and contracts that will muddy the waters to keep you from finding everything and, in turn, being able to do something about everything you find.
6. If you want good results with application security you focus on your highest payoff tasks. Maybe it's CSRF, maybe it's not.

For more details on finding and fixing CSRF flaws, check out my recent tip: Application security checklist: Ways to beat cross-site request forgery.

No comments:

Post a Comment