(Cross-Site Request Forgery) An online forgery that requires knowledge of which Internet-based institutions a person deals with. It is used to steal money or obtain valuable data such as credit card numbers. Also called an "XSRF," "sea surf" and "confused deputy attack," the CSRF is embedded in a fake link or bogus script on a Web page. In either case, the browser executes a malicious transaction such as a wire transfer to the cybercrook's bank.
The CSRF exploit only works if the user is already logged onto the institution's Web site that is being targeted or has recently logged on, in which case a stored cookie used for authentication may still be active. See XSS.
The CSRF exploit only works if the user is already logged onto the institution's Web site that is being targeted or has recently logged on, in which case a stored cookie used for authentication may still be active. See XSS.
 | Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2008 The Computer Language Company Inc. All rights reserved. |
Additional Resources
- Webmail and traditional e-mail face different threats
- This week's attack on Sarah Palin's e-mail account highlights how the same application could have very different threat models depending on the technology used. While this is a general issue for all Software-as-a-Service offerings versus traditional desktop packages, let's focus on just e-mail for now. Let's first step...
- Blog posts 2008-09-18
- DEFCON 16: List of tools and stuff released
- Guest editorial by Rob Fuller DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly...
- Blog posts 2008-08-18
- Black Hat Las Vegas Day 2
- Again, sorry for the late updates. Vegas is the kind of place that demands a lot of a person. Too many parties make it difficult to find time to blog on the conference. Pictures of the even are a bit sparse, due to consistently forgetting to bring my camera, but...
- Blog posts 2008-08-09
- News to know: Apple patch; IBM; PC upgrades; EDS; Yahoo
- Notable headlines: Ryan Naraine: Apple finally ships DNS flaw fix, patches 16 other Mac OS X holes Nate McFeters: Black Hat talk on Apple encryption flaw pulled Black Hat Sneak Preview Larry Dignan: IBM plans building spree: To build $360M...
- Blog posts 2008-08-01
- CSRF vulnerability allows Twitter 'follow' abuse
- CSRF vulnerability allows Twitter 'follow' abuseSo?Another worm, anyone? These types of social-networking sites all suffer from the same kind of problems. They allow lots of interfaces thereby exposing themselves to many attack vectors and we wonder why it happens?There are surely more than this out there, for Twitter,...
- Discussion threads 2008-07-31
- Twitter vulnerability forces auto-follow
- Ryan Naraine over at ZDNet's Zero Day has the scoop on a new CSRF vulnerability in Twitter that forces users to follow a supposed attacker. While Naraine viewed the POC of this vulnerability no technical details were yet shared -- and Twitter has been notified -- but this is a...
- Blog posts 2008-07-31
- CSRF vulnerability allows Twitter 'follow' abuse
- Last week, TechCrunch's Jason Kincaid wrote about an obvious Twitter vulnerability that allowed a user called "johng77536" to game the popular micro-blogging service to add thousands of followers subscribers in a short period of time. The "johng77536" account has since been disabled but a security researcher tracking...
- Blog posts 2008-07-31
- Kaminsky suggests long-term fix will still have to be determined, but patch now, or pay soon
- Kaminsky suggests long-term fix will still have to be determined, but patch now, or pay soonTTLSomething I wish I'd asked during the webcast and which I can't quite get my head around:It was said that setting a long TTL doesn't help because of the way delegation works - has to...
- Discussion threads 2008-07-24
- PCI-DSS 1.1 points to outdated OWASP Top 10
- OK, I'm not going to freak out about this too bad... I've already pointed out enough problems with PCI, but I did find it morbidly entertaining. My good friend Jeremiah Grossman pictured at right blogged today about the PCI-DSS 1.1 section 6.5, which covers "prevention of common coding vulnerabilities in...
- Blog posts 2008-07-02
- 90% of all statistics can be made to say anything... 50% of the time, aka my thoughts on the Verizon report
- ** Update 06/23/2008: I realize I didn't do a very good job of talking about what we're reviewing here. This is in response to the statistics gathered by Verizon related to Forensic Analysis of Data Breaches over a four year span. First off, let me...
- Blog posts 2008-06-22
- DoS Attacks Using SQL Wildcards Revealed
- Yesterday, Ferruh Mavituna of Portcullis released a whitepaper entitled "DoS Attacks Using SQL Wildcards", with some insightful comments on how it's possible to multiply the attack tactics discussed to the point where not even a botnet would be needed to successfully accomplish them. Summary of the paper...
- Blog posts 2008-05-20
- Not scared about Cross-Site Request Forgery? You should be... you're scared of jail aren't you?
- Not scared about Cross-Site Request Forgery? You should be... you're scared of jail aren't you?You are right.I see it updating a few times per month so there are more and more problems found. I will never tell anyone they are absolutely secure (ok, not networked, you are...
- Discussion threads 2008-03-20
- Not scared about Cross-Site Request Forgery? You should be... you're scared of jail aren't you?
- Robert Hansen aka R-Snake has posted a very interesting article today over at his blog. As R-Snake states: Whelp, we've talked about it, but now it's finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now,...
- Blog posts 2008-03-20
- Are Routers the Next Big Target for Hackers?
- I've recently seen a great Black Hat presentation by Felix FX Lindner (see pic 2) and a blog posting by Petko D. Petkov PDP (see pic 1) on the subject of hacking routers. What seems to be clear is that they are becoming a bigger target. PDP, of the gnucitizen group, recently...
- Blog posts 2008-03-04
- Snom VoIP phone vulnerability enables phone history theft, addy book poisoning, and more
- Fellow VoIP blogger and multi-skilled polymath Tom Keating picks up on security consultancy GNUCitizen.org's description of a security vulnerability in snom Technology's model 320 VoIP phone. GNUCitizen, in turn, found this via what they term a "side result" of a router hacking challenge...
- Blog posts 2008-02-12
- Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance
- [ UPDATE, October 1, 2007: Google has issued a fix for this issue. It's important that you check your filters to ensure your mailbox isn't compromised ] Google's security model is not holding up very well to scrutiny from hackers. In the past few...
- Blog posts 2007-09-25
- Understanding Web-Based Threats and How to Thwart Them
- The Web has never been more hostile and new dangers can lurk on even the most trusted Web sites. What's more, the potential harm that cross-site scripting XSS, cross-site request forgeries CSRF, and JavaScript malware payloads can cause is growing exponentially. Intranet hacking, history stealing, browser port scanning, and dozens...
- Webcasts 2007-09-20
- Google Gears steps up with a developer release
- Google Gears steps up with a developer releaseThis is huge and will allow simple web applications to work offline, BUT,we will need to add a sandboxed high level language running locally to enable the more complicated web applications for offline use. There is only so much you can do with...
- Discussion threads 2007-08-30
- Microsoft patent FUD working against Linux, says new study
- Microsoft patent FUD working against Linux, says new studyHow to fight FUDYour opinion on how to fight FUD is interesting. Your camp says ignore them because it simply give them unnecessary publicity. The other camp says fight it by sending out as information debunking it.Both have merits. One problem with...
- Discussion threads 2007-08-02
- Use the revised OWASP Top Ten to secure your Web applications -- Part 5
- Insecure direct object access and cross site request forgery CSRF are serious flaws found in many Web applications. In fact, some hackers say that there isn't a Web site on the Internet that isn't vulnerable in some way to CSRF. In this, the fifth in a series on the revised...
- Download resources 2007-04-18
Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
- See how Intel Xeon processors provide data traffic optimization
-
With key platform innovations built-in, the Intel Xeon processor 7400 series offers more headroom, reliability, and the highest expandability for large-scale server consolidation.
- Watch the Flash demo to learn about the Intel® Xeon® processor 7400 series >>
- Printers
- 'Green' Font Cuts Costs and Saves Trees (BNET)
- Three Ways to Save Paper (BNET)
- CNET Reviews printer buying guide (CNET)
- View all printers-tagged content on ZDNet
- Plan B from Brother
- It's the smarter way to work in color Our professional color ink-jet all-in-ones give you more choices, more features, and more value. Make the Smarter Choice. Learn More »
