CSRF Threats: Protecting Your Data
Most of us are aware of the blatant attempts to take control of our computers, such as pop-up ads and emails from people we don’t know, but every so often there is a massive worm or hacker scare. When these events occur it becomes apparent how little we know about our electronic defenses and what to look out for. By understanding even a small percentage of these types of attacks, we can be more aware and prepare for their eventual appearance. XSS, or cross-site scripting, is the most common form. Typically found in web applications, XSS is responsible for about eighty-four percent of all security vulnerabilities (according to Symantec). Cross-site scripting allows attackers to inject client-side scripts into web pages viewed by other users, essentially completely unnoticed. Perhaps an even greater threat is the frequently overlooked, and therefore more covert, CSRF (Cross-Site Request Forgery). Because of the attention XSS attacks receive, CSRF has become more attractive to those who want to obtain your information. While many developers have forgotten to build protections against CSRF, the French company VulnIT has made a concerted effort to proactively take on this threat and neutralize it.
The means by which your information is exploited sometimes originates with good intentions. For example, Google allows you to stay logged in so that when you check your Gmail account there is no need to constantly sign in with your login and password. If a CSRF vulnerability is discovered, an attacker can send a forged request while you are signed in (a forgery which can then be reused at other times and, depending on the information, in other ways on other sites), and your personal information could become compromised. This can have disastrous effects if a CSRF vulnerability exists on, for example, a banking or medical website. This paradigm extends beyond individuals, as companies can also fall prey to a hacker who obtains their email, contacts or even intellectual property. Because the hacker appears legitimate by virtue of the stolen information, the results may go undetected for quite some time.
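As an added illustration of the stay-logged-in problem above (example code written for this article, not VulnIT's scanner or any code from the original): a mail-forwarding endpoint that trusts only the session cookie, next to one that also checks the request's Origin and a per-session token. The in-memory session store, the site origin and the request dictionaries are assumptions standing in for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (assumption,
# standing in for whatever the real application uses).
SESSIONS: dict = {}
SITE_ORIGIN = "https://mail.example.test"  # assumed origin of the protected site


def create_session(user: str) -> str:
    """Log a user in: mint a session cookie value and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def vulnerable_set_forwarding(request: dict) -> str:
    """Trusts the session cookie alone. The browser attaches that cookie to a
    form post made from any other page too, so a forged request passes."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    return f"200 {session['user']} now forwards mail to {request['form']['forward_to']}"


def _is_same_site(headers: dict) -> bool:
    """Origin (or, failing that, Referer) must name our own site exactly."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    return headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def hardened_set_forwarding(request: dict) -> str:
    """Same action, with two independent CSRF checks on top of the cookie."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    if not _is_same_site(request["headers"]):
        return "403 cross-site request rejected"
    # A third-party page cannot read the victim's token, so it cannot supply it;
    # compare in constant time so the check leaks nothing about the token.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    return f"200 {session['user']} now forwards mail to {request['form']['forward_to']}"
```

The token must be emitted into the site's own forms and bound to the session, as here; a token that is merely present in a cookie would be sent along with the forged request and prove nothing.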
Now that you are sufficiently anxious, let’s focus on what is being done to stop this. VulnIT CEO Vincent Maury tasked one of the leading programmers in the industry, Thibault de Lacheze-Murel, with offering a solution. After copious research, Thibault created an algorithm and constructed a sandbox site as a means of reverse engineering (essentially taking on the role of the hacker) to discover and take advantage of any software weaknesses in its defenses. Not only was Thibault’s algorithm brilliant, it was immensely successful and possessed a streamlined beauty, courtesy of his decision to write it in Python. This ingenious part of Lacheze-Murel’s design was quite purposeful, as he explains: “When developing software, especially a vulnerability scanner, the important part is the algorithm. It is crucial to design an efficient one which can work in a lot of different situations without being too complicated.”
Rather than becoming nervous and paranoid, do your due diligence: educate yourself and make intelligent choices. There are safeguards, and there are entities and individuals like VulnIT and Thibault de Lacheze-Murel who can give you the means to keep living a less stressful life…as long as you keep reading.
Author: Kelly King