Cross-site Request Forgery (CSRF, XSRF, or "Sea Surf") vulnerabilities are a common type of web application security vulnerability found in many off-the-shelf, open source and custom-built web applications. A CSRF attack involves an attacker leveraging a web application vulnerability to trick an unsuspecting victim (usually via social engineering) into making an authenticated request the victim did not intend to make.
In a CSRF attack, the victim’s web browser cannot distinguish between a legitimate and a malicious request and is therefore tricked into executing unwanted actions against the web application, as intended by the attacker. When sending an HTTP request to a website the user is already logged in to, the browser will dutifully send the session cookie (containing the user’s session ID) to the web server. Unfortunately, this is precisely what the attacker is after — to “forge” requests on behalf of the end user. Since a vulnerable application does not use any anti-CSRF tokens, the application will accept the forged request and carry out the attacker’s bidding.
A typical CSRF attack involves submitting forms present on the web application to alter data. An example of this would be an attacker resetting an administrator’s password. Therefore, a CSRF vulnerability affecting highly privileged users, such as administrators, could result in a full application compromise.
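The following is an added example (not part of the original page and not Acunetix code) that shows, in plain Python with no web framework, why the session cookie alone is not enough and how a per-session anti-CSRF token closes the gap. The session store, handler names and form field names are assumptions made for the illustration; the forged request stands in for a form auto-submitted from a third-party page, which rides on the victim's cookie but cannot contain the token embedded in the application's own page.

```python
import hmac
import secrets


class Session:
    """Server-side session for a logged-in user (hypothetical in-memory store)."""

    def __init__(self, username):
        self.username = username
        self.password = "original"
        # Synchronizer token: generated per session and embedded in the
        # application's own forms as a hidden field. It is never sent as a
        # cookie, so a cross-site request cannot carry it automatically.
        self.csrf_token = secrets.token_hex(16)


SESSIONS = {}  # session_id -> Session


def login(username):
    """Create a session and return the session ID the browser will store as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(username)
    return sid


def reset_password_vulnerable(cookies, form):
    """Accepts any POST that carries a valid session cookie: CSRF-vulnerable."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    session.password = form["new_password"]
    return 200


def reset_password_hardened(cookies, form):
    """Same action, but also requires the per-session token from the app's own form."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    session.password = form["new_password"]
    return 200


def simulate():
    """Run a legitimate and a forged password reset against both handlers."""
    sid = login("admin")
    # The browser attaches the session cookie to every request to the site,
    # regardless of which page triggered the request.
    cookies = {"sid": sid}
    # Legitimate submission: the form served by the app included the hidden token.
    legit_form = {"new_password": "chosen-by-admin",
                  "csrf_token": SESSIONS[sid].csrf_token}
    # Constructed forged submission: same cookie, but the token is unknown to the
    # third-party page, so it is simply absent.
    forged_form = {"new_password": "chosen-by-attacker"}

    results = {
        "vulnerable_forged": reset_password_vulnerable(cookies, forged_form),
        "hardened_forged": reset_password_hardened(cookies, forged_form),
        "hardened_legit": reset_password_hardened(cookies, legit_form),
    }
    results["final_password"] = SESSIONS[sid].password
    return results


if __name__ == "__main__":
    print(simulate())
```

The vulnerable handler returns 200 for the forged request and changes the administrator's password; the hardened handler rejects it with 403 and only accepts the submission that carries the token rendered into the application's own page. A scanner checks for exactly this: a state-changing form that the server accepts without any unpredictable, request-bound value.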
Finding CSRF vulnerabilities can be challenging without the right tools. Acunetix is a web application vulnerability scanner, and among the myriad of vulnerability tests it performs is a check for Cross-site Request Forgery (CSRF).
Beyond low hanging fruit
While many CSRF scanners can identify missing CSRF tokens, Acunetix goes well beyond the basics by using highly tuned heuristics to test for advanced variations of CSRF. Additionally, the Acunetix web application security scanner goes beyond CSRF tests and can look for even more serious vulnerabilities such as Cross-site Scripting and SQL Injection.
When scanning large applications for CSRF vulnerabilities, it may be desirable to divide the scanning of the application into smaller segments, or scopes. A typical example of this is when different development teams work on different parts of a large web application with different release cycles, and therefore have different scanning schedule requirements.
Acunetix makes customizing the scope of a CSRF vulnerability scan easy and painless. There are several ways to restrict the scope of a CSRF scan — you may choose to manually exclude pages you don’t want to scan, or, for more advanced users, Acunetix also supports excluding pages based on regular expressions.
We utilize Acunetix to more thoroughly assess internet-facing websites and servers. Acunetix helps us identify vulnerabilities in conjunction with other vulnerability scanning applications. Acunetix has been a more reliable application when discovering / determining different types of malicious code injection vulnerabilities (SQL, HTML, CGI, etc.).