Inviting Targets

By Lisa Vaas  |  Posted 2007-07-03

Prevalence of this vulnerability, Williams said, is "staggering." While a small number of sites protect against it, including Wikipedia and some blog software, a "vast amount of applications" are susceptible, Williams said—"no doubt about it." CSRF has actually been boosted to OWASP's Top Ten list of most common and/or highest-risk Web application security flaws. CSRF, Williams said, is both common and of high risk, in spite of its low potential for success. Here's a description of what a CSRF can do, quoted from an FAQ on CGI Security's site:
"Most of the functionality allowed by the website can be performed by an attacker utilizing CSRF. This could include posting content to a message board, subscribing to an online newsletter, performing stock trades, using a shopping cart, or even sending an e-card. CSRF can also be used as a vector to exploit existing Cross-site Scripting flaws in a given application. For example imagine an XSS issue on an online forum or blog, where an attacker could force the user through CSRF to post a copy of the next big website worm. An attacker could also utilize CSRF to relay an attack against a site of their choosing, as well as perform a Denial Of Service attack in the right circumstances."
CSRF is often confused with the ubiquitous, well-known class of XSS (cross-site scripting) attack. They differ in that XSS relies on a victim to trust that the content displayed in a browser is legitimately being displayed by the site being viewed. Conversely, CSRF takes advantage of sites that trust the legitimacy of a request from a browser user.

Regarding the wider world of Web browsers, there are vulnerable sites of substantial size. Here's an example of an attack on Digg. Here's another example of an attack on, and yet another example of an attack on Google's AdSense.

The Amazon flaw has been open for over a year, according to Chris Shiflett, lead of the Web application security practice at OmniTI, in Columbia, Md. Shiflett discovered the Amazon CSRF flaw on March 15, 2006. Amazon verified the vulnerability and told Shiflett it was a "top priority," but a year later it was still open. The company, headquartered in Seattle, declined to comment on the matter, citing a policy against speaking about security concerns. Google, based in Mountain View, Calif., also declined to comment on the AdSense vulnerability.

The idea of a CSRF against a UTM is "a bit of a niche attack," Hoffman said, given the low percentage of the population who have access to such devices. "I have to get the IT administrator at [a company] to visit a site, and oh, he has to have cached credentials in the form of cookies or log-in credentials for, say, a firewall or IDS [intrusion detection system] or routers. "… In terms of the percentage of the population, those who have access, SPI has 150 people, and we have four or five folks who can potentially access [a given security device]. That's less than 3 to 4 percent of the population who'd have access." Plus, Hoffman said, an attacker would have to luck out and strike when an IT administrator happened to be logged in to the Web browser of the target UTM device.
The chances are low that an attacker would stumble upon many such situations, but the risk to an organization if the attacker did so would be very high, Hoffman said.

The spokesperson of one of the vendors of potentially vulnerable UTM devices pointed out it's not as if these devices have IP addresses that are broadcast publicly. Many are internal, nonroutable IP addresses. With such devices, an attack would have to be based on guesswork.

Still, it's not as if the number of IP addresses were infinite, said Scott Parcel, vice president of engineering and chief technology officer at Cenzic, in Santa Clara, Calif. "It's a numbers game with these kinds of attack," he said. "If you lure a million people to do something, some percent will do what you want them to do, and a smaller percent will [be on a vulnerable system]," he said. And then there are default passwords. And last but not least, an attack could come from a disgruntled employee or an ex-employee who knows a device's IP address.

"The idea of treating the addresses of these [UTM devices] as being a secret, as a protection—that doesn't sound like the level of protection I'd like to see," Parcel said.
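As an added illustration (not code from the article or from any vendor it names) of the trust distinction described above, here is a Python sketch of a state-changing request handler that accepts any POST carrying a valid session cookie, beside one that also requires a matching Origin header and a per-session synchronizer token. The site origin, the in-memory session store and the request shapes are assumptions for the demonstration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://app.example"  # assumed origin of the protected site
SESSIONS = {"sess-123": {"user": "admin", "csrf": None}}  # constructed session store

def issue_csrf_token(session_id):
    """Mint a per-session synchronizer token and keep it server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    return token

def session_of(req):
    """Resolve the session cookie, which the browser attaches to every
    request for the site, including ones that another page triggers."""
    return SESSIONS.get(req.get("cookies", {}).get("session"))

def vulnerable_handle(req):
    """Cookie-only check: any page that can make the browser POST wins."""
    sess = session_of(req)
    if req.get("method") != "POST" or sess is None:
        return "rejected"
    return f"changed setting for {sess['user']}"

def hardened_handle(req):
    """Also require a matching Origin header and the session's token."""
    sess = session_of(req)
    if req.get("method") != "POST" or sess is None:
        return "rejected"
    if req.get("headers", {}).get("Origin") != SITE_ORIGIN:
        return "rejected"
    submitted = req.get("form", {}).get("csrf_token", "")
    expected = sess["csrf"] or ""
    if not expected or not hmac.compare_digest(submitted, expected):
        return "rejected"
    return f"changed setting for {sess['user']}"

def demo():
    """Constructed requests: one from the site's own form, one from an
    unrelated page; the browser sends the cookie with both."""
    token = issue_csrf_token("sess-123")
    own = {"method": "POST", "cookies": {"session": "sess-123"},
           "headers": {"Origin": SITE_ORIGIN},
           "form": {"csrf_token": token, "setting": "off"}}
    other = {"method": "POST", "cookies": {"session": "sess-123"},
             "headers": {"Origin": "https://other-site.example"},
             "form": {"setting": "off"}}
    return {"vuln_own": vulnerable_handle(own), "vuln_other": vulnerable_handle(other),
            "hard_own": hardened_handle(own), "hard_other": hardened_handle(other)}
```

The cookie-only handler processes both requests, which is exactly the "cached credentials" condition Hoffman describes; the hardened handler processes only the one that originated from the site's own page.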

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
