Security Appliance Vendors Blasé About CSRF Flaws - ' Inviting Targets ' (
Page 2 of 2 )
Prevalence of this vulnerability, Williams said, is "staggering." While a small number of sites protect against it, including Wikipedia and some blog software, a "vast amount of applications" are susceptible, Williams said—"no doubt about it."
CSRF has actually been boosted to OWASPs Top Ten list of most common and/or highest-risk Web application security flaws. CSRF, Williams said, is both common and of high risk, in spite of its low potential for success. Heres a description of what a CSRF can do, quoted from an FAQ on CGI Securitys site:
"Most of the functionality allowed by the website can be performed by an attacker utilizing CSRF. This could include posting content to a message board, subscribing to an online newsletter, performing stock trades, using a shopping cart, or even sending an e-card. CSRF can also be used as a vector to exploit existing Cross-site Scripting flaws in a given application. For example imagine an XSS issue on an online forum or blog, where an attacker could force the user through CSRF to post a copy of the next big website worm. An attacker could also utilize CSRF to relay an attack against a site of their choosing, as well as perform a Denial Of Service attack in the right circumstances."
Trend Micro introduces a security appliance to protect e-mail networks. Click here to read more.
CSRF is often confused with the ubiquitous, well-known class of XSS (cross-site scripting) attack. They differ in that XSS relies on a victim to trust that the content displayed in a browser is legitimately being displayed by the site being viewed. Conversely, CSRF takes advantage of sites that trust the legitimacy of a request from a browser user.
Regarding the wider world of Web browsers, there are vulnerable sites of substantial size. Heres an example of an attack on Digg. Heres another example of an attack on Amazon.com, and yet another example of an attack on Googles AdSense.
The Amazon flaw has been open for over a year, according to Chris Shiflett, lead of the Web application security practice at OmniTI, in Columbia, Md. Shiflett discovered the Amazon CSRF flaw on March 15, 2006. Amazon verified the vulnerability and told Shiflett it was a "top priority," but a year later it was still open. Amazon.com, headquartered in Seattle, declined to comment on the matter, citing a policy against speaking about security concerns. Google, based in Mountain View, Calif., also declined to comment on the AdSense vulnerability.
The idea of a CSRF against a UTM is "a bit of a niche attack," Hoffman said, given the low percentage of the population who have access to such devices. "I have to get the IT administrator at [a company] to visit a site, and oh, he has to have cached credentials in the form of cookies or log-in credentials for, say, a firewall or IDS [intrusion detection system] or routers.
"… In terms of the percentage of the population, those who have access, SPI has 150 people, and we have four or five folks who can potentially access [a given security device]. Thats less than 3 to 4 percent of the population whod have access." Plus, Hoffman said, an attacker would have to luck out and strike when an IT administrator happened to be logged in to the Web browser of the target UTM device.
The chances are low that an attacker would stumble upon many such situations, but the risk to an organization if the attacker did so would be very high, Hoffman said.
Click here to read about how security appliances are supposed to support regulatory compliance.
The spokesperson of one of the vendors of potentially vulnerable UTM devices pointed out its not as if these devices have IP addresses that are broadcast publicly. Many are internal, nonroutable IP addresses. With such devices, an attack would have to be based on guesswork.
Still, its not as if the number of IP addresses were infinite, said Scott Parcel, vice president of engineering and chief technology officer at Cenzic, in Santa Clara, Calif.
"Its a numbers game with these kinds of attack," he said. "If you lure a million people to do something, some percent will do what you want them to do, and a smaller percent will [be on a vulnerable system]," he said.
And then there are default passwords. And last but not least, an attack could come from a disgruntled employee or an ex-employee who knows a devices IP address.
"The idea of treating the addresses of these [UTM devices] as being a secret, as a protection—that doesnt sound like the level of protection Id like to see," Parcel said.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
