January 23, 2018
Avinash Sudhodanan
Cross-Site Request Forgery (CSRF) attacks are one of the critical threats to web applications. In a CSRF attack, an attacker forces the victim’s web browser to send HTTP requests that benefit the attacker (and/or harm the victim) in some way. In this talk I will be focusing on CSRF attacks targeting web sites’ authentication and identity management functionalities (also known as Authentication CSRF). The possible impacts of Authentication CSRF attacks include account hijack, personal information theft and cross-site scripting. I will present different variants of Authentication CSRF attacks, detection strategies and the available countermeasures. I will also discuss the findings of the experiments conducted by my former colleagues and myself on the Alexa top 1500 web sites. For instance, out of the 265 web sites we tested, 70% were vulnerable (including the web sites of Microsoft, Google, eBay, Instagram, etc.). We also responsibly disclosed our findings to the affected vendors and received bounties and/or honorable mentions.
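The abstract mentions countermeasures without detailing them. The following is an added example, not code from the talk or from any of the studied web sites, showing the three standard server-side defenses applied to a login endpoint: an Origin/Referer check, a synchronizer token bound to a (pre-login) session, and a SameSite session cookie. The server secret, the allowed origin, the `Request` class and the sample requests are all constructed for illustration. Login CSRF is the case where the victim has no authenticated session yet, so the token is bound to an anonymous pre-login cookie instead of rejecting token-less requests outright.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed values for this example only (hypothetical server and origin).
SERVER_SECRET = b"example-server-secret-not-for-production"
ALLOWED_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not a real framework)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value that keeps the cookie off cross-site POSTs (SameSite=Lax)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce plus an HMAC binding it to the session id."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(req: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own origin.
    A state-changing request with neither header is rejected rather than trusted."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        origin = "/".join(referer.split("/", 3)[:3])  # scheme://host[:port]
    return origin == ALLOWED_ORIGIN


def check_request(req: Request):
    """Return (allowed, reason). Safe methods pass; others need a matching origin
    and a token bound to the session cookie or, for login, the pre-login cookie."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(req):
        return False, "origin mismatch"
    session_id = req.cookies.get("session") or req.cookies.get("pre_session")
    if session_id is None:
        return False, "no session binding"
    if not verify_csrf_token(session_id, req.form.get("csrf_token")):
        return False, "bad csrf token"
    return True, "ok"


def demo():
    """Legitimate login flow versus two forged cross-site login attempts (constructed)."""
    pre = secrets.token_hex(8)                 # issued with GET /login as a pre-login cookie
    token = issue_csrf_token(pre)              # embedded in the login form
    good = Request("POST", "/login", {"Origin": ALLOWED_ORIGIN},
                   {"pre_session": pre}, {"user": "alice", "csrf_token": token})
    cross_site = Request("POST", "/login", {"Origin": "https://attacker.example"},
                         {"pre_session": pre}, {"user": "attacker-controlled"})
    no_headers = Request("POST", "/login", {}, {"pre_session": pre}, {"user": "x"})
    return {
        "good": check_request(good),
        "cross_site": check_request(cross_site),
        "no_headers": check_request(no_headers),
        "cookie": session_cookie_header("session", "opaque-id"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The token check alone would not stop login CSRF if the server skipped it for unauthenticated users, which is why the pre-login cookie exists; the origin check covers browsers that strip Referer but send Origin, and SameSite=Lax keeps the session cookie off cross-site POSTs even when the other two checks are misconfigured. Note that Lax still attaches cookies on top-level GET navigations, so state-changing actions must not be reachable via GET.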