When the new OWASP Top 10 came out in December 2017, I was somewhat enthusiastic about one of the items dropping off: Cross-Site Request Forgery (CSRF). From malicious actors changing Netflix DVD queues to attackers taking over someone’s rewards accounts, there have been plenty of exploitations of CSRF over the years.
As time moved on, many frameworks and web-server upgrades included simple anti-CSRF protections. We all felt like CSRF exploits were going to go away, and eventually we did drop it from the OWASP Top 10. But did we drop it a bit too early? Certainly legacy applications running on tired frameworks are still impacted, but what about modern apps?
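To make the "simple anti-CSRF protections" concrete, here is an added example (not code from the original post or from any framework) of a state-changing handler that trusts the session cookie alone, beside the same handler hardened with an Origin check and a per-session synchronizer token. The `Session`, `Request` and `SITE_ORIGIN` names are stand-ins constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://app.example"  # assumed origin of the protected application


@dataclass
class Session:
    """Server-side session resolved from the cookie the browser sent (stand-in)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming POST: Origin header (None if absent), form body, session."""
    origin: Optional[str]
    form: dict
    session: Session


def change_email_unprotected(req: Request, profiles: dict) -> int:
    """Vulnerable: the session cookie alone authorizes the change, so a form posted
    from any other site (the browser attaches the cookie automatically) succeeds."""
    profiles[req.session.user]["email"] = req.form["email"]
    return 200


def change_email_protected(req: Request, profiles: dict) -> int:
    """Hardened: reject a mismatched Origin when the browser sends one, and require
    the synchronizer token embedded in the page's form to match the session's token."""
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403
    profiles[req.session.user]["email"] = req.form["email"]
    return 200


def demo() -> dict:
    """Constructed scenario: one same-site submission and one cross-site submission."""
    sess = Session(user="alice")
    same_site = Request(SITE_ORIGIN, {"email": "new@example", "csrf_token": sess.csrf_token}, sess)
    cross_site = Request("https://other.example", {"email": "hijacked@example"}, sess)
    results = {}
    for name, handler in (("unprotected", change_email_unprotected), ("protected", change_email_protected)):
        profiles = {"alice": {"email": "alice@example"}}  # fresh constructed profile store
        results[name] = (handler(cross_site, profiles), profiles["alice"]["email"])
    legit = {"alice": {"email": "alice@example"}}
    results["protected_same_site"] = (change_email_protected(same_site, legit), legit["alice"]["email"])
    return results
```

Running `demo()` shows the unprotected handler accepting the cross-site post while the protected one rejects it and still serves the legitimate same-site form.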
As a tip-of-the-iceberg example, I have to believe that Facebook’s VR division is running a fairly modern app. I am willing to bet there are plenty of anti-CSRF tools embedded in that app’s frameworks. Why then was Facebook notified of a CSRF issue that they then paid a big bug bounty for? Well, it is because CSRF issues are still a problem.
Here at AsTech we’ve been doing web application security work for well over a decade, so we track data over time as part of the process. As part of this data tracking and analysis, we have contributed to the OWASP Top 10 for a while. I decided to do a bit of a deep dive into our data after seeing CSRF fall from the Top 10 and what I came up with was fairly surprising.
We saw a peak of CSRF in our App Reviews in 2012, when 83% of the apps we reviewed had at least one CSRF-related flaw. That was just 5 years ago. If we treat 2012 as an outlier, we can still report that on average ~45% of applications have CSRF. Forty-five percent! Even last year the number was 46%, illustrating that we really haven't gotten on top of this in the way we thought.
So what does this mean for you? If you're running an application security program, you know how hard it is to keep on top of the vulnerabilities and fixes you have on your plate. Usually, the general plan is to keep on top of the urgent ones. If you have CSRF, it won't be on a high-priority list anywhere, and that might lull you into a false sense of security. However, if you are using good, thorough practices for code review and testing for security vulnerabilities, it might be time to think that the OWASP Top 10 goes to 11 and still has CSRF in it.
Take a look at all of your apps. If you are struggling to keep on top of your vulnerabilities and fixes, we can help. Check out our Paragon program to find out how.