Nytro

DeepSec 2007: The Three Faces of CSRF


Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.

Speaker: Martin Johns, University of Hamburg

Even though Cross Site Request Forgery (CSRF) vulnerabilities have made it into the OWASP Top 10 [1], this vulnerability class is still often ignored and almost always belittled. While in 2006 alone 1282 XSS vulnerabilities were collected by the CWE project, only 5 (!) CSRF issues were recorded in the same timeframe [2]. This talk will discuss the various existing CSRF attack vectors and exemplify the issues with real world examples:

* Executing arbitrary actions on the web application using the attacked user's identity and authentication context
* Subverting the company's firewall and exploring the intranet
* Leaking sensitive information via hijacking JSON data

Furthermore, we will demonstrate how a simple CSRF exploit can be created semi-automatically in less than 5 minutes. The last quarter of the talk will be devoted to a brief overview of our client side CSRF protection tools RequestRodeo [3] and LocalRodeo [4].
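The client-side idea behind the tools named in the abstract, as an added illustration written for this post (not RequestRodeo's or LocalRodeo's own code): a filter between browser and network sees each request together with the page that caused it, strips ambient credentials from cross-origin requests, and refuses to relay a public page's request into the intranet. The origin comparison and the IP-literal-only intranet test are simplifying assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed model of a client-side CSRF filter. Each outgoing request
# arrives with the origin of the page that triggered it; the filter decides
# whether cookies may travel with it and whether it may reach the intranet.

def origin_of(url):
    """Return the (scheme, host, port) triple that identifies an origin."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)

def is_intranet(host):
    """Simplification (assumption): only IP literals and 'localhost' count as
    intranet; a real filter would also resolve names before deciding."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def filter_request(initiator_url, target_url, cookies):
    """initiator_url: URL of the page that triggered the request, or None when
    the user typed the address or used a bookmark (no initiating page).
    Returns (action, cookies_to_send) with action in {'allow','strip','block'}."""
    if initiator_url is None:
        return "allow", dict(cookies)        # user-initiated: keep credentials
    src, dst = origin_of(initiator_url), origin_of(target_url)
    if src == dst:
        return "allow", dict(cookies)        # same origin: ordinary navigation
    # A public page asking the browser to contact an intranet address: the
    # firewall would never let the request in, so do not act as a relay.
    if not is_intranet(src[1]) and is_intranet(dst[1]):
        return "block", {}
    # Any other cross-origin request goes through without the cookies that
    # would turn it into an authenticated action in the victim's context.
    return "strip", {}
```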

[1] OWASP Top 10: http://www.owasp.org/index.php/Top_10_2007

[2] CWE: Vulnerability Type Distributions in CVE

[3] RequestRodeo

[4] LocalRodeo: databasement.net

For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007

To download the video visit: DeepSec 2007 on Vimeo
