PDA

View Full Version : Online Banking & CSRF (Cross Site Request Forgery)


davidh
January 3rd, 2007, 01:08 AM
"It is rather hard to avoid these bugs and expect more of them to be found. It is best practice to log out of sites (in particular banking sites) once you no longer need the content. This will limit the attack window for the most dangerous CSRF attacks. Limited use of javascript (should I mention the NoScript extension to Firefox again?) will help as well. But ultimately, this is an issue that has to be fixed by the website."

http://isc.sans.org/diary.php?storyid=1995&rss

DH

Judy G. Russell
January 3rd, 2007, 06:22 PM
I love this part of the report: "This is actually a "Cross Site Request Forgery" (CSRF), not a "Cross Site Scripting" attack. Google had the bug fixed by the time the issue was made public."

davidh
January 3rd, 2007, 08:35 PM
I love this part of the report: "This is actually a "Cross Site Request Forgery" (CSRF), not a "Cross Site Scripting" attack. Google had the bug fixed by the time the issue was made public." But there are OTHER pages on Google which may NOT have been fixed yet. And from what ISC/SANS says, etc. there are probably MANY other "secure" sites in other domains which are susceptible.

BTW, the latest hole in Adobe Reader plug-in for browsers is apparently MUCH easier to exploit and more dangerous. Didn't save the URL, but it's pointed to by Internet Storm Center, etc.

:(

DH

Judy G. Russell
January 4th, 2007, 10:31 AM
But there are OTHER pages on Google which may NOT have been fixed yet. And from what ISC/SANS says, etc. there are probably MANY other "secure" sites in other domains which are susceptible.Yeah, but that's not Google's fault. It's reassuring that one big Internet company understands the need to plug problems promptly.

BTW, the latest hole in Adobe Reader plug-in for browsers is apparently MUCH easier to exploit and more dangerous. Didn't save the URL, but it's pointed to by Internet Storm Center, etc. :(:( Indeed. You'd think -- or at least hope -- Adobe would be rushing to fix that.