Sunday, 12 January 2014

Web Application Security Issues - CSRF

The top ten vulnerabilities listed by OWASP for the year 2013 are given at the link below.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Among web application security issues, the CSRF vulnerability has been in the OWASP Top Ten for the past 6 years. CSRF can be understood with the flow below.

  • The victim logs in to his bank account and is authenticated.

  • The victim opens another tab, which is an attacker's website.

  • There is an image, which says that you have won prize money of 1000$.

  • The victim gets excited and clicks on that image.

  • The attacker coded the image link as below.


<img src="http://victimsbank.com/transfer.do?acc=ATTACKERSACCOUNT&amt=10000" width="1" height="1" border="0" />

  • So when the victim clicks on the link, the browser sends the request to the bank's website.

  • Since Mr. Victim was already authenticated by the bank's website, the bank approves this transaction.


This is called a CSRF attack. It is possible only if the bank has not taken care of this web application vulnerability at the time of coding.

How should the victim's bank have avoided this issue?

  • On the transfer form page, add a CSRF token.

  • This token should be sent to the server in the request each time.

  • Now when the attacker's site tries the above URL, the token value does not match the value the server holds for the session, and the transaction fails.
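The three steps above, as an added example that is not part of the original post: a small Python simulation of the bank's server with an in-memory session store (constructed here, not a real framework). A per-session random token is placed in the transfer form as a hidden field, and the handler rejects any request whose token is missing or does not match, which is exactly what happens to a forged request such as the <img> above, since the attacker's page cannot read the token out of the bank's form.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"csrf_token": ...}
SESSIONS = {}


def new_session():
    """Log a user in and mint a random, unguessable per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Render the transfer form with the session's token in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer.do">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="acc"><input name="amt"><button>Transfer</button></form>'
    )


def handle_transfer(sid, params):
    """Server-side check: the submitted token must equal the session's token."""
    session = SESSIONS.get(sid)
    if session is None:
        return (401, "not authenticated")
    submitted = params.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return (403, "CSRF token missing or invalid")
    return (200, f"transferred {params['amt']} to {params['acc']}")


def demo():
    """Legitimate submission vs. two forged ones; returns the three responses."""
    sid = new_session()
    form = render_transfer_form(sid)
    # Legitimate: the browser submits the token from the form the bank rendered.
    token = form.split('value="')[1].split('"')[0]
    ok = handle_transfer(sid, {"csrf_token": token, "acc": "12345", "amt": "10"})
    # Forged like the <img> above: the cookie rides along, but no token does.
    forged = handle_transfer(sid, {"acc": "ATTACKERSACCOUNT", "amt": "10000"})
    # Forged with a guessed token: fails the comparison.
    guessed = handle_transfer(sid, {"csrf_token": "guess", "acc": "ATTACKERSACCOUNT", "amt": "10000"})
    return ok, forged, guessed
```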

