One more reason why CSRF sucks hard
Usually, when I try to explain Cross Site Scripting to someone who isn't familiar with it, I end up justifying why XSS is really an issue and could, depending on the kind of application or website, cause a lot of damage.
This gets even more difficult if you try to explain the dangers of CSRF in a way that sounds reasonable to an uninformed audience. In such a situation it's probably a good idea to come up with some examples, like the one that pdp has recently presented. The ability for an attacker to hijack someone else's Gmail account due to nothing more than a simple CSRF vulnerability should make perfectly clear why CSRF must never be underestimated.
One of many good examples worth quoting on this matter.
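To make the "simple CSRF vulnerability" concrete, here is an added example (not code from this post or from pdp's write-up) of a state-changing request handler in its vulnerable and hardened forms, simulated in plain Python without a web framework. The session store, the mail-forwarding setting used as the target state, and the origins are all constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie value -> session data.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
# Constructed target state: where a user's mail gets forwarded.
FORWARDING = {}

def handle_vulnerable(cookies, form, headers):
    """State change gated only by the session cookie. The browser attaches that
    cookie to a cross-site form post automatically, so the endpoint cannot tell
    the victim's own click from an attacker-crafted request."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    FORWARDING[sess["user"]] = form["forward_to"]
    return 200

def handle_hardened(cookies, form, headers, allowed_origin="https://mail.example"):
    """Same endpoint with two independent checks: the Origin header (set by the
    browser, not by the attacker's page) must match, and the form must carry the
    per-session token that only same-origin pages can read."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    origin = headers.get("Origin")
    if origin is not None and origin != allowed_origin:
        return 403
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    FORWARDING[sess["user"]] = form["forward_to"]
    return 200

def cross_site_post(handler):
    """Constructed request as a browser sends it from a third-party page:
    the victim's cookie rides along, but the form fields were chosen elsewhere."""
    FORWARDING.clear()
    status = handler(
        cookies={"session": "sess-alice"},
        form={"forward_to": "attacker@evil.example"},
        headers={"Origin": "https://evil.example"},
    )
    return status, FORWARDING.get("alice")

def legitimate_post(handler):
    """Same request made from the real page, which embeds the session's token."""
    FORWARDING.clear()
    status = handler(
        cookies={"session": "sess-alice"},
        form={"forward_to": "me@mail.example",
              "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
        headers={"Origin": "https://mail.example"},
    )
    return status, FORWARDING.get("alice")
```

The vulnerable handler accepts the cross-site post and silently changes the forwarding address; the hardened one rejects it while still serving the real page's request.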

3 Comments:
You go home at night and open your front door using your jingly-jangly keys. Sadly, when you walked in, you forgot to take the keys out of the lock as you picked up the bag of groceries you had to set down to open the door. Someone walks by, sees the keys already in the lock, and uses them to walk on into your house. Or they could just walk away with your keys and knowledge of what door they open.
Is that maybe helpful? :)
When I explain CSRF to folks they either say that web browsers "shouldn't do that" or they get very scared.
My audience just says nothing. They just don't care about it.