|
General
|
|
Written by Daniel
|
|
Saturday, 21 July 2007 06:41 |
New Tool Eases CSRF Bug Discovery
— Kelly Jackson Higgins, Senior Editor, Dark Reading
JULY 20, 2007 | If you think Cross-Site Request Forgery (CSRF) vulnerabilities aren't easy to find or exploit on your Website, think again. A researcher has released a tool that makes it easier to test sites for CSRF vulnerabilities -- and find out how prevalent the emerging bugs really are.
The online tool lets you use the HTTP "post" request to check for CSRF bugs. Chris Shiflet, principal with OmniTI and creator of the newly released CSRF Redirector tool, says there's a misconception among Web developers that testing for CSRF bugs with a "post" request is more difficult or inconvenient, so CSRF attacks using "post" aren't as common as those using an HTTP "get" request.
"I think this can help highlight how easily CSRF vulnerabilities can be exploited, even when the forged request must be a 'post' request," Shiflet says. "Often, inconvenience is considered a safeguard" for a site, but that's not really the case.
It's easier to test for CSRF bugs with a "get" request because visiting a URL initiates such a request, while a "post" requires the tester to build an HTML form, Shiflet says. "So any bug that can be exploited with 'get' is easy to test for," he says. "It's marginally less convenient with 'post,' so this [tool] is trying to remove that slight barrier of inconvenience."... More
|
