Web application vulnerabilities have gotten more than their fair share of attention in the last few years, especially the widespread problem of cross-site scripting. But another flaw that many security experts consider a disaster waiting to happen is proving to be a serious problem for law enforcement agents and forensics investigators.
Known as cross-site request forgery (CSRF), the vulnerability is often used by attackers to make a victim's browser submit requests, without the victim's knowledge, to a third-party Web site on which the victim is already logged in. Because the browser attaches the victim's session cookies to those requests, the site records them as the victim's own actions. In this way, an attacker could make a user retrieve images, submit or retrieve data or perform any number of other functions on a site, which can seriously muddy the waters when an investigator is trying to trace a user's online actions from server logs. Experts say this is becoming an increasingly common problem in cases in which someone is accused of downloading illicit material or taking other illegal actions online.
"I see this in a lot of cases where the defendant definitely could say that it was CSRF," said Chuck Willis, a principal consultant at Mandiant in Alexandria, Va., and a former special agent in U.S. Army Counterintelligence. "It's a problem for forensics people who aren't as familiar with it and might not understand whether it's possible that CSRF could be blamed for what the defendant is accused of."
A typical CSRF attack works something like this: A user logs into a legitimate site, such as Yahoo, and then, without logging out, visits another site that is controlled by an attacker. The attacker's page contains an element such as an image tag whose source is not an image at all but a URL on the Yahoo site that performs some action: changing a setting, submitting a form, or downloading a file. The user's browser loads that URL on its own, with no click required, and because the browser attaches the user's Yahoo session cookie to every request for that site, Yahoo processes the request as though the logged-in user had made it deliberately. No flaw in the browser is needed; the attack rides on the browser's normal cookie handling and on the site's failure to check that the request originated from one of its own pages. This can be especially damaging in attacks against online banking sites.
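The sequence described above, as an added example that is not part of the article: an in-memory model of a browser, an attacker's page and a "bank" site, showing the forged request going through, the bank's own log attributing it to the victim, and the two checks (a per-session token and a SameSite cookie) that stop it. The site names, paths, users and cookie values are made up for the example.

```javascript
// Added example, not from the article: an in-memory model of the attack described
// above and of the two checks that defeat it. The site names, paths, users and
// cookie values are all made up for the example.

const BANK = "https://bank.example";
const EVIL = "https://evil.example";

// A toy bank. It identifies the user from the session cookie and writes an access
// log entry for every request; that log is what an investigator later reads.
class BankSite {
  constructor({ requireToken = false } = {}) {
    this.requireToken = requireToken; // synchronizer-token check on /transfer
    this.sessions = new Map();        // session cookie value -> username
    this.tokens = new Map();          // session cookie value -> per-session token
    this.accessLog = [];
    this.transfers = [];
  }
  login(user) {
    const sid = `sid-${user}`;
    this.sessions.set(sid, user);
    this.tokens.set(sid, `tok-${user}`);
    return sid;
  }
  handle(req) {
    const user = this.sessions.get(req.cookies.session) || null;
    this.accessLog.push({ path: req.path, user, referer: req.referer });
    const url = new URL(req.path, BANK);
    if (url.pathname !== "/transfer") return { status: 200 };
    if (!user) return { status: 401 };
    const token = url.searchParams.get("csrf");
    if (this.requireToken && token !== this.tokens.get(req.cookies.session)) {
      return { status: 403 }; // token missing or wrong: not from one of our pages
    }
    this.transfers.push({
      from: user,
      to: url.searchParams.get("to"),
      amount: Number(url.searchParams.get("amount")),
    });
    return { status: 200 };
  }
}

// A toy browser. Like a real one it stores cookies per origin and attaches them to
// every request for that origin, including requests another site's page makes it
// send. The one refinement modelled is the SameSite attribute: a Lax or Strict
// cookie is withheld from cross-site subresource requests such as <img> loads.
class Browser {
  constructor(sites) {
    this.sites = sites;        // origin -> site object
    this.cookies = new Map();  // origin -> Map(name -> { value, sameSite })
  }
  setCookie(origin, name, value, sameSite = "None") {
    if (!this.cookies.has(origin)) this.cookies.set(origin, new Map());
    this.cookies.get(origin).set(name, { value, sameSite });
  }
  // initiator is the origin of the page that caused the request (null if typed in).
  request(url, initiator = null) {
    const target = new URL(url);
    const crossSite = initiator !== null && initiator !== target.origin;
    const cookies = {};
    for (const [name, c] of this.cookies.get(target.origin) || []) {
      if (crossSite && c.sameSite !== "None") continue;
      cookies[name] = c.value;
    }
    const site = this.sites.get(target.origin);
    return site.handle({ path: target.pathname + target.search, cookies, referer: initiator });
  }
  // Rendering the attacker's page means loading every <img> it contains.
  // No click is needed; the browser fetches the src on its own.
  visitAttackerPage(imgSrc) {
    return this.request(imgSrc, EVIL);
  }
}

// Run one scenario: alice logs in to the bank, then visits evil.example, whose
// page contains <img src="https://bank.example/transfer?to=mallory&amount=500">.
function runScenario({ requireToken = false, sameSite = "None" } = {}) {
  const bank = new BankSite({ requireToken });
  const browser = new Browser(new Map([[BANK, bank]]));
  browser.setCookie(BANK, "session", bank.login("alice"), sameSite);
  const res = browser.visitAttackerPage(`${BANK}/transfer?to=mallory&amount=500`);
  return { status: res.status, transfers: bank.transfers, log: bank.accessLog };
}

// Unprotected site: the transfer succeeds and the bank's own log says alice did it.
const vulnerable = runScenario();
console.log(vulnerable.status, vulnerable.transfers, vulnerable.log);
// With either defence the forged request is refused.
console.log(runScenario({ requireToken: true }).status); // 403
console.log(runScenario({ sameSite: "Lax" }).status);    // 401
```

Two caveats a practitioner should keep in mind. The log entry carries the attacker's origin only because this model always reports the initiating page as the Referer; real browsers may omit it, so a log without a cross-site Referer does not prove the user acted deliberately. And the SameSite model treats every cross-site request as a subresource load; a real Lax cookie is still sent on a top-level cross-site navigation such as a link click, so Lax alone does not protect a site whose GET handlers change state, which is why the token check is the one to rely on.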
Experts have known about CSRF vulnerabilities and attacks for several years, but Willis said little has been done to prevent them. Willis will give a talk on the CSRF problem as it relates to forensics at this week's Black Hat D.C. conference in Washington.
"I don't think I've ever seen an application where the developers actively prevent this," he said. "But some Web frameworks like the newer version of ASP.net do. But it's more of an accident than anything else."
Willis said that in some criminal investigations that involve computer fraud or abuse, knowledgeable defendants or attorneys will raise the possibility that the defendant could have been a victim of a CSRF attack and therefore not responsible for the actions taken on his behalf online. The key, he said, is for forensics investigators to work with security specialists to determine whether this is even a possibility in a particular case.
"It comes up a lot in cases where people are accused of downloading things they shouldn't have, but it's not always applicable," Willis said. "But now a lot of security people are getting involved in these investigations and they might see this differently."
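One way an investigator can begin the check Willis describes, as an added example that is not from the article: triage a Web server's access log for requests whose Referer header names a different site, which is the footprint a CSRF page leaves when the browser does send a Referer. The log lines, host name and paths below are constructed for the example and follow the Apache "combined" format.

```javascript
// Added example, not from the article: a first-pass triage of a Web server's
// access log for requests that another site's page may have caused the browser
// to make. The host name and log lines are constructed for this example.

const SITE_HOST = "files.example";

// Constructed sample lines in Apache combined format. The third request was
// referred from another site; the first and fourth carry no Referer at all.
const SAMPLE_LOG = [
  '10.0.0.7 - alice [12/Feb/2008:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.7 - alice [12/Feb/2008:14:02:15 -0500] "GET /docs/report.pdf HTTP/1.1" 200 80211 "http://files.example/index.html" "Mozilla/5.0"',
  '10.0.0.7 - alice [12/Feb/2008:14:09:40 -0500] "GET /download?id=771 HTTP/1.1" 200 3410022 "http://forum.example/thread/42" "Mozilla/5.0"',
  '10.0.0.7 - alice [12/Feb/2008:14:10:02 -0500] "GET /download?id=772 HTTP/1.1" 200 2100000 "-" "Mozilla/5.0"',
];

// client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not a combined-format line; caller decides what to do
  const [, ip, user, time, method, path, status, bytes, referer, ua] = m;
  return {
    ip, user, time, method, path, ua,
    status: Number(status),
    bytes: bytes === "-" ? 0 : Number(bytes),
    referer: referer === "-" ? null : referer,
  };
}

function refererHost(referer) {
  try {
    return new URL(referer).host;
  } catch (e) {
    return null; // malformed Referer: treat as foreign
  }
}

// Attach a verdict to each request. "cross-site" means the browser reported
// the request was initiated from a page on another host, which is exactly the
// kind of request a CSRF page causes. "no-referer" covers typed URLs, privacy
// settings and pages that strip the header, so it is inconclusive, not clean.
function triage(lines, siteHost = SITE_HOST) {
  return lines
    .map(parseLine)
    .filter(Boolean)
    .map((r) => {
      let verdict = "same-site";
      if (r.referer === null) verdict = "no-referer";
      else if (refererHost(r.referer) !== siteHost) verdict = "cross-site";
      return { ...r, verdict };
    });
}

// The requests worth correlating against the browser history and cache on the
// user's machine: those the server itself says came from somewhere else.
function crossSiteRequests(lines, siteHost = SITE_HOST) {
  return triage(lines, siteHost).filter((r) => r.verdict === "cross-site");
}

for (const r of triage(SAMPLE_LOG)) {
  console.log(r.verdict.padEnd(11), r.user, r.method, r.path, r.referer || "-");
}
```

A cross-site Referer is a lead, not a conclusion: the header can be absent for innocent reasons, it can be forged by anyone who controls the client, and a CSRF page served over HTTPS to a site served over HTTP produces no Referer at all. The output of this pass is a list of requests to line up against what is actually on the defendant's machine, which is the work Willis says needs a security specialist alongside the forensics examiner.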