Tuesday, December 11, 2007

Cross-Site Request Forgery

CSRF Hacking Database & Tutorial
What is CSRF? How does it work?

Well, CSRF is also known as Cross-site request forgery works by exploiting the trust that a site has for the user. Site tasks are usually linked to specific urls allowing specific actions to be executed when it’s requested. If a user is logged into the site and an attacker will be able to trick their browser into making a request to one of these task urls, then the task is performed and logged as the logged in user. The CSRF vulnerability lies in most every Website, but it has remained mostly under the radar for nearly a decade — it’s not even included in the Web Security Threat Classification, OWASP Top 10 or Mitre Corp.’s. One of Indonesian security expert, zoiz even says that CSRF’s able to cause DOS attack against web server by manipulating the amounts of GET request. Well, it’s really horrible…

The only way to prevent yourself to be the victim of CSRF is to keep clearing cookies or ensure you’re properly logged off to all sites before you visit another. (I hope that’s not all)
A Step By Step Tutorial on CSRF can be read here , it’s a very nice walkthrough on CSRF I think. Well, if you’re familiar enough with Google Hacking Database , which is made by Johnny, right now I’ll introduce you the CSRF Hacking Database which is made by hackerswebzine. It’s definitely the same as Google Hacking Database, but it’s specialized on CSRF dorks.

No comments: