Web Application Security is a Stack: How to CYA (cover your apps) completely by Lori MacVittie

Author:Lori MacVittie [MacVittie, Lori]
Language: eng
Format: epub, azw3, mobi, pdf
Publisher: IT Governance Publishing
Published: 2016-06-12T22:00:00+00:00


Figure 7: Example of an encoded XSS attack

Cross-site request forgery (CSRF)

CSRF is discussed less often than its XSS cousin, likely because better security models in browsers and application frameworks now block a significant portion of such attacks, and because a CSRF attack is harder to carry out.

CSRF requires two separate interactions and generally some social engineering and careful timing to pull off: the user must be logged into one site while also opening malicious content from another. Attacks have been delivered through web-based email as well as through content injected into other pages, and CSRF is still listed as one of the more common vulnerabilities in most annual reports that track security topics.

CSRF works by using the identity and privileges of the victim as established by an existing, authenticated session. Basically, it exploits the trust relationship between the site and the user's browser: once you are logged in, the browser attaches your session cookie to every request it sends to that site, regardless of which page caused the request. For example, if you are logged into your banking site and open a second site that contains a CSRF exploit, the second site can make your browser submit a transfer request to the bank; the bank sees a valid session and performs the transaction out of sight. Note that the attacker never reads your credentials or session data; the forged request simply rides along with them. These attacks are often associated with the XMLHttpRequest object that rose to popular usage during the explosion of Web 2.0 sites and AJAX-based applications, since it lets JavaScript issue requests without any interaction by, or even knowledge of, the user. In practice, however, the same-origin policy stops the attacking page from reading the response, and cross-origin XMLHttpRequest is further constrained by CORS, so a plain HTML form that script submits automatically is the more common vehicle: the browser sends it, cookies and all, with no such restrictions.

Unlike XSS, this attack does not actually require script to execute in the victim's browser. Any element that makes the browser issue a request to the target site will do: an image or other assumed binary content element whose URL points at a state-changing endpoint, a form that is submitted automatically, or the commonly exploited iframe element. Where script is used, it serves mainly to fire the request without the user noticing.


