OWASP AppSec Europe 2009, Poland, 13-14 May 2009
Cross-Site Request Forgery (CSRF) is a well-known attack in which a malicious webpage instructs the victim's browser to send requests to legitimate sites on behalf of the victim, piggybacking on the victim's authenticated sessions. CSRF attacks are typically invisible to the victim, and it is hard for a legitimate website to differentiate between requests initiated by the victim and requests initiated by the malicious webpage.
Although this type of vulnerability has been known for about a decade, CSRF recently gained much more attention because of its impact on contemporary e-society. In November 2007, a vulnerability in Gmail was exploited to forward the victims' incoming mail to an arbitrary account. In October 2008, Zeller and Felten published a technical report describing CSRF attacks on four large websites, including NYTimes.com and INGDirect.com.
Several mitigation techniques have already been developed, both for protecting the client and for protecting the legitimate server. In this presentation, I will give an overview of the possible mitigation techniques and discuss several of the proposed solutions.
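The following is an added example, not code from the talk or from any of the sites it mentions. It models the server side of the attack described above: a cookie-authenticated handler that accepts a forged cross-site POST, next to a hardened handler that applies two of the standard server-side mitigations, an Origin/Referer check and a per-session synchronizer token. The site origin `https://bank.example`, the handler names and the in-memory session store are all assumptions made for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical site being protected (constructed value, not from the talk).
SITE_ORIGIN = "https://bank.example"

# In-memory session store: session id -> session data (constructed stand-in
# for a real session backend).
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal model of what the browser delivers to the server."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the site embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf_token"]


def transfer_unprotected(req: Request):
    """Vulnerable handler: the session cookie is the only proof of intent.
    The browser attaches that cookie to a cross-site POST as well, so a form
    auto-submitted by a malicious page is indistinguishable from the user's
    own click."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or sess is None:
        return 403, "not authenticated"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def _same_origin(req: Request) -> bool:
    """Reject if Origin (or, failing that, Referer) is absent or not ours.
    Compares scheme and host rather than a string prefix, so a host such as
    bank.example.evil does not slip through."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def transfer_protected(req: Request):
    """Hardened handler: same-origin check plus a synchronizer token."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or sess is None:
        return 403, "not authenticated"
    if not _same_origin(req):
        return 403, "cross-site request rejected"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    submitted = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, sess["csrf_token"].encode()):
        return 403, "missing or invalid csrf token"
    return 200, f"{sess['user']} sent {req.form['amount']} to {req.form['to']}"


def simulate() -> tuple:
    """Replay a forged request against both handlers and a genuine request
    against the hardened one; returns the three HTTP status codes."""
    sid = login("alice")
    cookies = {"session": sid}  # the browser attaches this to every request to the site

    # Constructed forged request, auto-submitted from https://attacker.example.
    # The malicious page cannot read alice's token (same-origin policy), so the
    # form carries no csrf_token, and the browser labels the true Origin.
    forged = Request("POST", {"Origin": "https://attacker.example"}, cookies,
                     {"to": "mallory", "amount": "1000"})

    # Constructed legitimate request, submitted from the site's own form.
    genuine = Request("POST", {"Origin": SITE_ORIGIN}, cookies,
                      {"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)})

    return (transfer_unprotected(forged)[0],   # 200: forgery succeeds
            transfer_protected(forged)[0],     # 403: forgery rejected
            transfer_protected(genuine)[0])    # 200: real user still served
```

The two checks are complementary: the origin check costs nothing and catches the common case, while the token check does not depend on the browser sending a truthful or complete Origin/Referer header at all, which is why token-based protection is the more widely deployed of the two.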