
Difference between revisions of "Top 10 2013-A8-Cross-Site Request Forgery (CSRF)"

(Created page with "= TEMPORARY PLACEHOLDER for 2013 T10 = {{Top_10_2013:TopTemplate |usenext=2013NextLink |next={{Top_10_2010:ByTheNumbers |9 |year=2013}} ...")
 
Line 12: Line 12:
  
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY}}
+
{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE}}
 
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
 
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON}}
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE}}
+
{{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY}}
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
+
{{Top_10_2010:SummaryTableValue-2-Template|Impact|MODERATE}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank.</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider anyone who can load content into your users’ browsers, and thus force them to submit a request to your website. Any website or other HTML feed that your users access could do this.
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
</td>
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. <u>If the user is authenticated</u>, the attack succeeds.
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>blank</td>
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action.
 +
 
 +
Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
 +
 
 +
Detection of CSRF flaws is fairly easy via penetration testing or code analysis.
 +
</td>
 +
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Attackers can cause victims to change any data the victim is allowed to change or perform any other function the victim is authorized to use, including state changing requests, like logout or even login.
 +
</td>
 +
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions.
 +
 
 +
Consider the impact to your reputation.</td>
 
{{Top_10_2010:SummaryTableEndTemplate}}
 
{{Top_10_2010:SummaryTableEndTemplate}}
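Review bot: this hunk re-rates Exploitability (EASY to AVERAGE), Detectability (AVERAGE to EASY) and Impact (SEVERE to MODERATE) while the edit summary only says "Created page with ...", so the reason for each re-rating is not recorded anywhere on the page; consider stating it in the edit summary or in the Security Weakness cell. The Security Weakness cell also stops at "Detection of CSRF flaws is fairly easy via penetration testing or code analysis." with no pointer to a mitigation, and the "How Do I Prevent" section below is still a "blank" placeholder, so a reader of this revision gets the weakness (predictable request details plus automatically sent session cookies) but no countermeasure.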
  

Revision as of 18:11, 17 February 2013

TEMPORARY PLACEHOLDER for 2013 T10

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

[[Top 10 {{{year}}}-Missing Function Level Access Control|← Missing Function Level Access Control]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Using Components with Known Vulnerabilities|Using Components with Known Vulnerabilities →]]
Threat Agents: Application Specific
Attack Vectors: Exploitability AVERAGE
Security Weakness: Prevalence COMMON; Detectability EASY
Technical Impacts: Impact MODERATE
Business Impacts: Application / Business Specific

Threat Agents
Consider anyone who can load content into your users’ browsers, and thus force them to submit a request to your website. Any website or other HTML feed that your users access could do this.

Attack Vectors
Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds.

Security Weakness
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action.

Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.

Detection of CSRF flaws is fairly easy via penetration testing or code analysis.

Technical Impacts
Attackers can cause victims to change any data the victim is allowed to change or perform any other function the victim is authorized to use, including state changing requests, like logout or even login.

Business Impacts
Consider the business value of the affected data or application functions. Imagine not being sure if users intended to take these actions. Consider the impact to your reputation.
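The Security Weakness cell above comes down to two facts: the browser sends the session cookie automatically, and every other detail of the request is predictable. The added example below (not from this page or the OWASP Top 10 text) shows a state-changing handler that authorizes on the cookie alone, beside one that also requires an unpredictable per-session token the cross-site page cannot know; the session store, request shapes and handler names are constructed for the demonstration.

```python
import hmac
import secrets


def make_sessions():
    """Constructed in-memory session store keyed by the session cookie value."""
    return {"sid-123": {"user": "alice", "balance": 500}}


def forged_request():
    """Constructed cross-site request: the victim's browser attaches the session
    cookie automatically, and the attacker can predict every other field."""
    return {"cookie": "sid-123", "form": {"to": "mallory", "amount": "100"}}


def vulnerable_transfer(sessions, request):
    """Authorizes on the session cookie alone, so the forged request succeeds."""
    session = sessions.get(request["cookie"])
    if session is None:
        return 401
    session["balance"] -= int(request["form"]["amount"])
    return 200


def issue_csrf_token(session):
    """Create an unpredictable per-session token; legitimate forms embed it."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def hardened_transfer(sessions, request):
    """Same action, but the request must echo the session's token."""
    session = sessions.get(request["cookie"])
    if session is None:
        return 401
    expected = session.get("csrf_token")
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; a page on another origin cannot read the token.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403
    session["balance"] -= int(request["form"]["amount"])
    return 200


def legitimate_request(session):
    """Constructed same-origin request from a form that rendered the token."""
    form = {"to": "bob", "amount": "100", "csrf_token": issue_csrf_token(session)}
    return {"cookie": "sid-123", "form": form}
```

Running `hardened_transfer` on `forged_request()` returns 403 and leaves the balance untouched, while the same forged request against `vulnerable_transfer` returns 200 and moves the money.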
Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?

blank

How Do I Prevent 'Cross-Site Request Forgery (CSRF)'?

blank

  1. blankBullet1
  2. blankBullet2
Example Attack Scenarios

blank

blank code

blank

http://example.com/app/accountView?id=' or '1'='1

blank

References

OWASP

External


© 2002-2013 OWASP Foundation. This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved.
[[Category:OWASP Top Ten {{{year}}} Project]]