CSRF Detection

coakley (Registered: 03-01-2011)
Message 1 of 6

Hi

I've noticed that since WI added the CSRF module, it almost always flags login forms as CSRF vulnerable.  The post data for such HTTP requests typically has &password=foo, so am I right in thinking that this is a false positive?  While the form may be technically susceptible to CSRF, it requires the password to execute, in which case I don't see how tricking someone into logging in (and potentially then taking other actions) is valid CSRF when you already have the password and could just login as them and go wild.

I just want to make sure my assumption here is correct and that I'm not missing something.

Regards

Chris

NicFletcher (Registered: 03-09-2011)
Message 2 of 6

Re: CSRF Detection

Chris,

The CSRF engine does a variety of CSRF attacks, only a subsection of which requires actually logging into the site.  So though it may still be a false positive, there still is a very good chance that the CSRF engine is finding issues with your site.

Regards,

Nic

coakley (Registered: 03-01-2011)
Message 3 of 6

Re: CSRF Detection

What I've found is that a false positive for CSRF forgery on a login form often yields actual CSRF when I manually start prodding around the rest of the website, so it's still useful as a "look over here" flag.  I just wanted to make sure that the scenario WI flags up CSRF for the most, login.php?user=foo&pass=bar, isn't anything of note because you'd need the password to execute that attack, rendering it pointless.  Once you're authenticated, if further URLs can cause other actions to be processed by the server, that is of course a different issue.

NicFletcher (Registered: 03-09-2011)
Message 4 of 6

Re: CSRF Detection

I believe you are correct.  I talked to the engineer who created the CSRF engine, and he says that if a site is vulnerable, the engine will flag both the login page and the restricted pages it found the vulnerability on.

lizgreer (Registered: 03-15-2011)
Message 5 of 6

Re: CSRF Detection

Hi,

I have also seen this issue with a CSRF reported against just my login page.

Will this issue be corrected in WebInspect 9.0?  Or will it be in a later release?

Thanks,

Liz

NicFletcher (Registered: 03-09-2011)
Message 6 of 6

Re: CSRF Detection

I have gone back to the engineer for clarification on this matter, since there seems to be a lot of confusion in this area.  Though logically, having CSRF flag on the login page may appear to be a false positive, because the login page is not in a restricted area, there is a specific CSRF case that allows an attacker to trick a user into logging in as the attacker.  We are updating the vulnerability write-up in WebInspect to reflect this.  Hopefully this will clear up confusion in the future.

For more information:

http://seclab.stanford.edu/websec/csrf/
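The login CSRF case Nic's last reply describes, as an added example that is not part of the thread and is not WebInspect's engine or the site's code: a forged cross-site POST carrying the attacker's own credentials logs the victim's browser in as the attacker, which is why a login form with no anti-forgery token is a real finding even though the attacker "already has the password". The site origin, accounts, session store, request objects and handler names below are all constructed for the illustration; the hardened handler uses the standard defences (a token issued into a pre-login session and echoed in a hidden field, plus an Origin/Referer check, with session-id rotation on login).

```python
"""Login CSRF: vulnerable login handler beside a hardened one.
Constructed, self-contained simulation (Python 3.8+, stdlib only);
nothing here is WebInspect's engine or the thread's site code."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

SITE_ORIGIN = "https://bank.example"                               # hypothetical target site
USERS = {"attacker": "hunter2", "victim": "correct horse battery"}  # constructed accounts


@dataclass
class Request:
    method: str
    body: str                                    # application/x-www-form-urlencoded
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    user: Optional[str] = None                   # None while anonymous (pre-login)
    csrf_token: Optional[str] = None


SESSIONS: Dict[str, Session] = {}                # session-id cookie value -> Session


def new_anonymous_session() -> Tuple[str, Session]:
    """Issued when the login page is rendered: the hidden csrf field on the
    form and this session cookie carry the same secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(csrf_token=secrets.token_urlsafe(16))
    return sid, SESSIONS[sid]


def _form(req: Request) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(req.body).items()}


def _password_ok(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def login_vulnerable(req: Request) -> Tuple[int, Optional[Session]]:
    """Accepts any POST with a valid user/password, wherever it came from:
    the attacker's page can submit the attacker's OWN credentials from the
    victim's browser, and the victim is silently logged in as the attacker."""
    form = _form(req)
    if req.method != "POST" or not _password_ok(form.get("user", ""), form.get("password", "")):
        return 401, None
    sid, sess = new_anonymous_session()
    sess.user = form["user"]
    return 200, sess


def login_hardened(req: Request) -> Tuple[int, Optional[Session]]:
    """Same handler with the usual login-CSRF defences: Origin/Referer must be
    ours, and the hidden csrf field must match the token stored in the caller's
    pre-login session (a cross-origin page cannot read that token)."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if req.method != "POST" or not origin.startswith(SITE_ORIGIN):
        return 403, None
    form = _form(req)
    old_sid = req.cookies.get("sid", "")
    sess = SESSIONS.get(old_sid)
    if sess is None or sess.csrf_token is None or \
            not hmac.compare_digest(sess.csrf_token.encode(), form.get("csrf", "").encode()):
        return 403, None
    if not _password_ok(form.get("user", ""), form.get("password", "")):
        return 401, None
    del SESSIONS[old_sid]                        # rotate the id on login (no fixation)
    new_sid, new_sess = new_anonymous_session()
    new_sess.user = form["user"]
    return 200, new_sess


def forged_login_request(victim_sid: str) -> Request:
    """What the victim's browser sends when an attacker page auto-submits a
    <form action="https://bank.example/login" method="POST"> filled with the
    attacker's credentials: the victim's bank.example cookies are attached,
    Origin is the attacker's page, and the victim's csrf token is unknown."""
    return Request("POST", "user=attacker&password=hunter2",
                   headers={"Origin": "https://evil.example"}, cookies={"sid": victim_sid})


def genuine_login_request(sid: str, user: str, password: str) -> Request:
    body = urlencode({"user": user, "password": password, "csrf": SESSIONS[sid].csrf_token})
    return Request("POST", body, headers={"Origin": SITE_ORIGIN}, cookies={"sid": sid})


def demo() -> Dict[str, object]:
    victim_sid, _ = new_anonymous_session()      # victim opened the login page earlier
    st_v, s_v = login_vulnerable(forged_login_request(victim_sid))
    st_h, _ = login_hardened(forged_login_request(victim_sid))
    # attacker guessing: right origin, right cookie, but no/wrong token
    st_g, _ = login_hardened(Request("POST", "user=attacker&password=hunter2&csrf=guess",
                                     headers={"Origin": SITE_ORIGIN}, cookies={"sid": victim_sid}))
    st_ok, s_ok = login_hardened(genuine_login_request(victim_sid, "victim", USERS["victim"]))
    return {"vulnerable_status": st_v, "vulnerable_user": s_v.user if s_v else None,
            "hardened_forged_status": st_h, "hardened_guess_status": st_g,
            "hardened_genuine_status": st_ok, "hardened_genuine_user": s_ok.user if s_ok else None}


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the forged request succeeds and the victim's browser ends up holding a session whose user is "attacker"; anything the victim then does (searches, uploads, saved payment details) lands in the attacker's account. The hardened handler refuses the same request on the Origin check and, even with a same-origin Origin, on the token check, while a genuine submission from the real login page still works. This is the reason a token on the login form is worth having even though the form sits outside the restricted area.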
