CSRF: Yeah, It Still Works

CSRF: Yeah, It Still Works

Bad News: CSRF is nasty, it's everywhere, and you can't stop it on the client side.

Good News: It can do neat things.

CSRF is likely amongst the lamest security bugs available, as far as "cool" bugs go.

In essence, the attack forces another user's browser to do something on your behalf.

If that user is an authenticated user or an administrator on a website, the attack can be used to escalate privilege.

We’ve identified an endless stream of applications, platforms, critical infrastructure devices, and even wormable hybrid attacks, many of which require little or no Javascript (XSS).

The key takeaway is this: a vulnerability that is so easily prevented can lead to absolute mayhem, particularly when bundled with other attacks. Worse still, identifying the attacker is even more difficult as the attack occurs in the context of the authenticated user.

The presentation will discuss a variety of attack scenarios, as well as suggested mitigation.

Presented by