Is Cross-Site Request Forgery bad for PCI?
March 18th, 2007 by datasecurity Posted in Web Applications
I liked Jeremiah’s comment about “Big trouble if PCI-DSS requires CSRF”. His theory is that, if PCI adopts the new (proposed) OWASP Top 10, it could spell trouble for ASV (vulnerability scanning) vendors. Why is this?
Because according to him, “… automated scanning for CSRF is hard, really hard. I’m not ready to say impossible, because on some occasions it isn’t, but the needle is still very near zero for everybody.”
Based on prior conversations with Andrew van der Stock, I don’t think that PCI plans to adopt the new (and changing) OWASP Top 10. There are positive and negative reasons for this, all to be debated. So, I don’t think we have anything to worry about, but I would like to know more about Cross-Site Request Forgery attacks.
In the comments on Jeremiah’s blog, Andrew writes:
The CSRF requirement is the only one where we “fudged”. All the other nine issues are easily discoverable by automated means. I will be changing the CSRF action item in RC2 to be very specific: the control ONLY applies to value transactions, which for PCI compliance (although that is somewhat moot now) means you may only need to look manually at a couple of places in an average e-commerce application. That will reduce the cost of review to manageable proportions.
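As an added illustration (not code from this post, from Jeremiah’s blog or from OWASP), here is the kind of control Andrew’s action item points at: a per-session synchronizer token checked only on the value transaction. The session store, balances and `transfer_*` functions are constructed for the example; they also show why a scanner struggles, since the unprotected and protected handlers return identical responses to a legitimate user and differ only for a request that arrives without the token.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory state for the example: session id -> user and token,
# plus account balances. A real application keeps these server-side.
_sessions = {}
_balances = {"alice": 100, "mallory": 0}


def create_session(user: str) -> str:
    """Log a user in and mint a fresh random anti-CSRF token for the session."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own transfer form; a third-party page
    cannot read it, so a forged request cannot include it."""
    return _sessions[sid]["csrf"]


def balance(user: str) -> int:
    return _balances[user]


def _move(sender: str, to: str, amount: int) -> bool:
    if amount <= 0 or to not in _balances or _balances.get(sender, 0) < amount:
        return False
    _balances[sender] -= amount
    _balances[to] += amount
    return True


def transfer_unprotected(sid: str, to: str, amount: int) -> bool:
    """Value transaction authenticated by the session cookie alone. The
    browser attaches that cookie to a cross-site POST, so a forged request
    is indistinguishable from a genuine one here."""
    return _move(_sessions[sid]["user"], to, amount)


def transfer_protected(sid: str, to: str, amount: int, token: Optional[str]) -> bool:
    """Same transaction, but the request must carry the session's token.
    compare_digest keeps the comparison constant-time; it raises TypeError
    on non-ASCII input, which we treat as a failed check."""
    expected = _sessions[sid]["csrf"]
    try:
        ok = token is not None and hmac.compare_digest(expected, token)
    except TypeError:
        ok = False
    if not ok:
        return False
    return _move(_sessions[sid]["user"], to, amount)
```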
2 Responses to “Is Cross-Site Request Forgery bad for PCI?”
By Andrew van der Stock on Mar 20, 2007
Hi there,
Yes, I’m moderately certain that the Top 10 2007 will be interesting to many, but it’s not that useful in a standards context.
I’d really like to kick off the project for “Top 10 Things you should do right in your application”. I see this as a natural home for the concerns PCI DSS folks have. I feel they’re not interested in patching issues for yesterday’s (or even today’s) common problems, but in reliably preventing common problems in your typical financial application.
The discussion has started in the Top 10 mail list. I invite all interested PCI folks to come by and let’s talk about your needs.
thanks,
Andrew
By datasecurity on Mar 20, 2007
Andrew,
I agree with your assessment of the situation. PCI is looking for the “Top 10 Web Application Hacks That Lead to Data Compromise”. Cross-site scripting might be bad but if it does not lead to credit card data compromise… what is the importance of it to PCI?