App Security Vendor Addresses XSRF Attacks

Published: February 15, 2011

by Alex Woodie

A Web application security company called Mykonos Software claims to have found an automated way to stop cross-site request forgery (XSRF) attack in their tracks. The new XSRF-fighting technology is included in the latest release of the company's security appliance, which focuses on detecting attacks on Web applications and stopping them in real time.

XSRF is a Web application vulnerability that allows hackers to trick victims' Web browsers into unknowingly performing actions, such as logging onto a bank account or a initiating a trade in a brokerage account. The XSRF attacker takes advantage of the trust that a bank or brokerage website has for its users, and the fact that the victim's Web browser stores cookies that automate the log-in process.

The XSRF attack is initiated when a hacker gets a victim to unknowingly consume a malicious piece of code, often an HTML image file, or a segment of JavaScript, that's downloaded to the victim's Web browser from an Internet forum or other interactive website open to the public. This malicious code can be used to instruct the victim's Web browser to request an action against the website associated with a cookie. The XSRF is often called a "one-click" attack, and is often exploited alongside cross-site scripting (XSS) vulnerabilities.

The XSRF attack mechanism was first documented more than 20 years ago, but it can be difficult to detect, and leave users and their trusted websites wondering which party was the source of fraudulent transactions. While it's not particularly difficult to block, some high-profile e-commerce companies have nevertheless succumbed to XSRF attacks, including Google, whose Gmail service was hacked in 2007 through the XSRF vulnerability, and NetFlix, which was subjected to an XSRF attack that resulted in changes to users' movie rental queues.

Recently, XSRF has been climbing out of the shadow of the XSS vulnerability and developing a nasty reputation of its own. The Open Web Application Security Project listed XSRF as the number five threat to Web application security in last year's top 10 list. And according to David Koretz, president and CEO of Mykonos, the Department of Homeland Security has rated XSRF as more severe threat than most buffer overflows, "because there is no limit to its potential impact."

One surefire way to secure against the XSRF vulnerability is to make sure that Web developers architect and build their applications correctly, with all the proper checks and balances. (Of course, this is the same piece of advice that developers are given to avoid every other Web security vulnerability in the known universe, and you can see how far that's gotten us?)

Instead of relying solely on solid development techniques from the outset, practitioners of good security practices increase their odds of surviving the Web's rough seas by installing secondary security check points. Whereas firewalls and intrusion-prevention systems (IPS) concentrate on network-level protocols, devices such as the Mykonos Security Appliance look at what's going on with the application layer, which is where the majority of hacking is occurring.

Last week, Mykonos announced that it has added new XSRF detection routines to its appliance. The Burlingame, California, company says its appliance automatically eliminates XSRF as an attack vendor for customers who use it. "This is another major milestone for Mykonos," Koretz says.

Mykonos claims its appliance is superior to other devices by the way it actively participates with Web activity, and how it analyzes hackers to determine their skill levels following the detection of an attack. The vendor says its software tracks hackers over time, and creates tailored defenses designed to thwart the hacker and his techniques.

There is still much to be desired when it comes to Web application security. According to a recent report from the Ponemon Institute, the majority of organizations spend more time on coffee than securing Web applications.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot