WebApp Sec mailing list archives

Re: blocking CSRF attacks

From: Daniel Weber <dweber () calyptix com>
Date: Thu, 13 Dec 2007 15:44:17 -0500

any one on the list aware of any IDS/IPS capable of blocking CSRFattacks?
If not, what will be the best policy to block CSRF


One problem with CSRF attacks are that they obey the specs.

Are you looking for a server-side solution?  Or client-side?

If you want a band-aid solution to apply enterprise-wide, your best bet
is probably to check the Referer header.  You need to be aware that
there are some valid reasons that the Referer will not match where the
form is eventually submitted (store.example.com could legitimately
submit a form to checkout.example.com).  And there have been some
implementation problems with Flash and JavaScript that have allowed
attackers to forge the Referer header.  So this may be an entirely
fruitless endeavor.

Another thing is to watch for the outgoing form and the reply.  If
you've never sent the form, you shouldn't get the reply.  This is only
useful in certain circumstances, obviously.  If you apply this trick
client-side you might have more information and be able to come up with
a decent heuristic that correlates that you're dealing with the form
that "looks right" or comes from the "right place," but I'm not sure
that's an arms race that can be won.  Correlating the form with the
submission could be a nightmare.

If you're using HTTPS, your job just became a whole lot harder.
Ironically, those are the probably the most important sessions to
protect.  (There do exist tools that that decrypt the SSL sessions if
you share the server key with them.  This has obvious trade-offs.)

If you're trying to protect all your users client-side, you'll probably
get the most bang-for-the-buck by having them run something like
NoScript everywhere.  It's definitely not perfect, since I can still
submit a POST form if I get the user to click on my hostile "submit" button.

We drew up a list of protection methods that can be done both by
developers and end-users here: http://labs.calyptix.com/csrf-tracking.php


-------------------------------------------------------------------------

Sponsored by: WatchfireMethodologies & Tools for Web Application Security AssessmentWith the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------

Current thread:

blocking CSRF attacks Pawan (Dec 12)
- Re: blocking CSRF attacks makkalot (Dec 14)
- Re: blocking CSRF attacks Jan Heisterkamp (Dec 14)
  - Re: blocking CSRF attacks Sverre H. Huseby (Dec 15)
- Re: blocking CSRF attacks Paul Johnston (Dec 15)
  - RE: blocking CSRF attacks Boaz Shunami (Dec 19)
- <Possible follow-ups>
- Re: blocking CSRF attacks Daniel Weber (Dec 14)
- Re: FW: blocking CSRF attacks Paul Johnston (Dec 19)
  - Re: FW: blocking CSRF attacks Martin Johns (Dec 22)
  - Re: FW: blocking CSRF attacks Amit Klein (Dec 22)
  - RE: FW: blocking CSRF attacks Boaz Shunami (Dec 22)