Hi, all! There is a CSRF plugin in w3af [0]. The problem is that this plugin is too simple:

"The simplest type of XSRF is checked, to be vulnerable, the web application must have sent a permanent cookie, and the aplicacion must have query string parameters."

In most cases it will be better to *not use it* because of a lot of false positive detection errors. Every request inside the user's area of the web application with params will be detected as vulnerable. I have decided to improve it (with some research) and want to discuss with you an interesting topic - automated detection of CSRF flaws.

My current view of the CSRF-detection process is:

1. Does the request have a cookie (e.g. a session cookie)?
2. Does the request have a CSRF token in the query string or POST payload?
3. If the request has such a token, does the web app check it?
4. Same with header-based protection (Referer/Origin)

Interesting points are:

* What can we consider as a CSRF token? Currently I calculate its entropy (as for password strength) plus some fast string and dictionary checks
* Strict mode on/off - do we need to audit GET requests? Not always...
* How to determine that the CSRF token is checked? I am thinking about checking response codes and diffs of responses (like blind SQL injection testing)

All experiments will be in a separate branch [1] and, I hope, in the near future w3af will detect CSRF flaws much better :)

Any comments here?

[0] http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/plugins/audit/xsrf.py?view=markup
[1] http://w3af.svn.sourceforge.net/viewvc/w3af/branches/csrf/

--
Taras
http://oxdef.info
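The four-step process and the three open points above can be sketched as a small audit routine. The following is an added example written for this post, not code from w3af or from its csrf branch: a Shannon-entropy plus name-dictionary heuristic for spotting a token candidate, a strict-mode switch for GET requests, and a "tamper the token, strip Referer/Origin, diff the responses" check for whether the protection is actually enforced. The three web-app handlers at the bottom are constructed stand-ins for a real target (one ignores the token, one validates it, one relies on the Origin header); the cookie and token values are made up.

```python
"""Heuristics for automated CSRF-flaw detection (added example, not w3af code)."""
import math
import re
from collections import Counter
from typing import Callable, Dict, Optional, Tuple

# Parameter names commonly used for anti-CSRF tokens (constructed dictionary).
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce", "authenticity")

Response = Tuple[int, str]                        # (status code, body)
Handler = Callable[[Dict[str, str], Dict[str, str], Dict[str, str]], Response]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, the same measure used for password strength."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_token(name: str, value: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """A parameter is a CSRF-token candidate if its name hints at it, or if the value is
    long, made of hex/base64/urlsafe characters and has high per-character entropy."""
    if any(hint in name.lower() for hint in TOKEN_NAME_HINTS):
        return True
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return False
    return shannon_entropy(value) >= min_entropy


def find_token_param(params: Dict[str, str]) -> Optional[str]:
    """Return the name of the first parameter that looks like a CSRF token, if any."""
    for name, value in params.items():
        if looks_like_token(name, value):
            return name
    return None


def audit_csrf(handler: Handler, cookies: Dict[str, str], headers: Dict[str, str],
               params: Dict[str, str], method: str = "POST",
               strict_get: bool = False) -> Optional[str]:
    """Return a finding string when the request looks CSRF-able, None otherwise.

    Steps follow the post: (1) no cookie -> nothing to ride on; (2) look for a token;
    (3) tamper the token and diff responses; (4) strip Referer/Origin and diff again.
    """
    if not cookies:                              # step 1
        return None
    if method.upper() == "GET" and not strict_get:   # strict mode off: skip GETs
        return None

    baseline = handler(cookies, headers, params)
    token_name = find_token_param(params)        # step 2
    if token_name is not None:                   # step 3
        original = params[token_name]
        bogus = ("0" if original[:1] != "0" else "1") * len(original)
        tampered = dict(params, **{token_name: bogus})
        if handler(cookies, headers, tampered) != baseline:
            return None                          # app rejected the bad token
        note = f"token '{token_name}' present but not validated"
    else:
        note = "no CSRF token in request"

    stripped = {k: v for k, v in headers.items()  # step 4
                if k.lower() not in ("referer", "origin")}
    if handler(cookies, stripped, params) != baseline:
        return None                              # header-based protection is enforced
    return note + "; Referer/Origin not enforced"


# --- constructed stand-ins for a target application (not real endpoints) ---
SESSION = {"session": "s3ss10n-example"}
HEADERS = {"Origin": "https://app.example", "Referer": "https://app.example/transfer"}
GOOD_TOKEN = "f3a9c7e1b2d4086e5a7c9b1d3f5e7a90"
PARAMS = {"amount": "100", "csrf_token": GOOD_TOKEN}


def vulnerable_app(cookies, headers, params) -> Response:
    """Accepts any authenticated request; token and headers are ignored."""
    if cookies.get("session") != SESSION["session"]:
        return (401, "login required")
    return (200, "transferred")


def token_app(cookies, headers, params) -> Response:
    """Validates the anti-CSRF token on every authenticated request."""
    if cookies.get("session") != SESSION["session"]:
        return (401, "login required")
    if params.get("csrf_token") != GOOD_TOKEN:
        return (403, "bad csrf token")
    return (200, "transferred")


def origin_app(cookies, headers, params) -> Response:
    """No token, but rejects requests whose Origin is missing or foreign."""
    if cookies.get("session") != SESSION["session"]:
        return (401, "login required")
    if headers.get("Origin") != "https://app.example":
        return (403, "cross-origin request refused")
    return (200, "transferred")


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("token", token_app), ("origin", origin_app)):
        print(name, "->", audit_csrf(app, SESSION, HEADERS, PARAMS))
```

In the example the handlers are deterministic, so an exact tuple comparison works as the "diff". Against a live application the baseline and mutated responses will differ in timestamps, nonces and request ids even when the token is ignored, so the comparison needs the same normalisation (strip volatile parts, compare status plus a similarity ratio) that blind SQL injection checks already use; otherwise a protected endpoint and an unprotected one can both look "different" and the false negatives replace the false positives.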