Skip navigation
All Places > Products > RSA Archer Suite > Blog
1 2 3 Previous Next

RSA Archer Suite

422 posts

I am happy to share that for the fourth time, RSA has been positioned as a Leader in the just-published Gartner Magic Quadrant (MQ) for IT Risk Management (ITRM) Solutions

 

The field for this year’s Gartner MQ for ITRM is comprised of ten vendors. Based on Gartner analysts’ evaluation of RSA Archer Release 6.5, which included an in-depth questionnaire, product demonstration, and interviews with RSA Archer customers, Dell Technologies / RSA was positioned highest in "Ability to Execute.”

 

 

We would like to sincerely thank our customers for sharing with Gartner their valuable insights and experiences using RSA Archer solutions. Our customers and community of users are truly what continues to make RSA Archer great!

 

The Garter MQ for ITRM is the first of four Gartner MQs this year that will include RSA Archer, including MQ reports for Integrated Risk Management and Business Continuity Management Planning in the coming months, as well as IT Vendor Risk Management Tools later this year.

 

If you are just beginning to explore IT risk management, or if you are already managing a successful integrated risk management program, we encourage you to read the full report.

 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Dell Technologies.

(Authored by Steve Schlarman, Portfolio Strategist, RSA)

It was Mark’s big shot. He finally had a meeting with Sharon, the CIO. Her schedule was so busy it was legendary, and for her to spend time with a risk analyst was a clear indicator she recognized the new challenges facing their company. Although he only had 15 minutes, Mark was prepared  – notepad at the ready, brimming with nervous energy. After some brief chit chat, he got down to business – ready to drill into a conversation about their company’s biggest obstacles; the most impactful concerns; the top of mind issues; the coup de grace that could spell disaster for the organization. He took a deep breath and went to his big money question… ‘So, what keeps you up at night? What are you worried about?’ 

Sharon beamed. She spun around to her whiteboard and spewed a litany of projects fueling their company’s digital transformation – an IoT project, SalesForce.com implementation, a massive VMWare migration and their hybrid cloud, the new employee work-at-home program, the impending customer mobile portal…

While that question got Sharon started, let’s think about this a bit differently.

With all the benefits the new digital world offers, there are a host of risks that must be managed. The major areas of risk remain the ‘usual suspects,’ such as security, compliance, resiliency, inherited risks from third parties and operational risk. However, digital business amplifies uncertainty for organizations today.  For example:

  • Digital business, by its very nature, increases the threat of cyber incidents and risks around your intellectual property and customer data.
  • The expanded connectivity and expectations of the ‘always on’ business stresses the importance of resiliency.
  • Business has evolved into an ecosystem of internal and external services and processes leading to a complex web of ‘inherited’ risks.
  • The disappearing perimeter and digital workforce is challenging how organizations engage their customers and employees.

Factors such as these are why digital initiatives are forcing organizations to rethink and increasingly integrate their risk and security strategies. 

The objective for today’s risk professional is not just about defending against the bad. Just like Mark discussing the parade of initiatives with Sharon that clearly impact their company’s future, you must be ready to help usher in a new age of digital operations. Merely riding the buzzword wave – IoT, social media, big data analytics, augmented reality... – is not enough. 

You must look at opportunities to enable innovation in your business while building trust with your customers and throughout your enterprise. Your business must be comfortable embracing risk and aggressively pursuing market opportunities offered by new technology. To do that, risk associated with the use of emerging or disruptive technology in transforming traditional business processes needs to be identified and assessed in the context of fueling innovation. You also must keep focus on the negative side of risk. Your business today demands an open, yet controlled, blend of traditional and emerging business tactics. You must help manage the ongoing risk as these transformed business operations are absorbed into the organization fully, i.e., the new model becomes the normal model of doing business.

Risk is, by definition, uncertainty. Everyone is concerned about uncertainty in today’s world. However, if we go back to the simple equation (risk = likelihood * impact), risk should be something we can dissect, understand, and maybe even calculate. While you are helping your organization embrace the advantages (positive risk) of technologies like IoT, data analytics, machine learning, and other emerging digital enablers, the volatile, hyperconnected nature of digital business amplifies the negative side of risk. It is anxiety about the unknown that leads us into that executive conversation, but it shouldn’t lead to worry.

Worry is about fear. Your executives shouldn’t be afraid in today’s world. They should have informed concerns. And you – as the security or risk person in the room – should be feeding insights to raise their visibility of the likelihood of events and diminish their distress on the negative impacts. Risk is part of riding the waves of business opportunities.

Risk is not something you should WORRY about... it is something you should ACT on.

***********

To learn more about digital risk management, click on our new Solutions Banners located in the right-hand column of each RSA product page: Third Party Risk, Cloud Transformation, Dynamic Workforce, and Cyber Attack Risk.

Many organizations establish policies to provide guidance regarding conflicts of interest when conducting business with outside organizations. A conflict of interest may occur when you have a personal or financial interest with the company or person you are conducting business with. As a part of managing conflicts of interest, it is important to manage and monitor the acceptance of gifts from both parties.  

 

Gifts, entertainment expenses, and charitable donations are used frequently to build and maintain good relationships between your organization and the companies you do business with. However, if not managed properly, conflicts of interest can impact judgement and the business relationship. Most organizations implement some form of anti-bribery or conflict of interest policy to ensure employees are conducting business in an honest and ethical manner when contemplating or entering into a transaction or arrangement that might benefit one party over the other. It is crucial to ensure that any gifts, entertainment expenses, or charitable donations are within the company's policies and do not pose a conflict of interest to protect the relationships between partners, customers, vendors, and anyone else you conduct business with.

 

On May 21st, the RSA Exchange introduced a new offering to help you address your organization's requirements for gift registration.  The RSA Archer Gift Registration app-pack helps monitor the risks against violations of conflict of interest with regards to gifts, entertainment expenses and charitable donations. In doing so, you can identify requests over the organization's threshold and manage the exceptions to identify areas with potential conflicts of interest and address the issue.

 

RSA Archer Gift Registration allows you to:

  • Track gifts, entertainment expenses, and charitable donations
  • Identify and manage non-compliant expenses
  • Manage and report exceptions for approved expenses outside of the organization’s threshold
  • Provide visibility into the status of the requests

 

Interested in learning more about the RSA Archer Gift Registration app-pack? Join us for a Free Friday Tech Huddle on Friday, May 31, for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller — or visit us at www.rsa.com.

 

RSA Archer Gift Registration Dashboard

Strategies drive the overall direction of a company; therefore, one of the top priorities for every organization is to ensure strategies are executed according as planned and in a timely manner. Understanding and preparing for risks that pose a threat to your organization's strategy execution is crucial. To aid in successful strategy execution, you must implement a process to identify, assess, and mitigate any strategic risks that may impact your organization's strategy.  Some of these risks include but are not limited to:   

  • Shifts in consumer demand and preferences
  • Legal and regulatory change
  • Competitive pressure
  • Merger integration
  • Technological changes
  • Senior management turnover
  • Stakeholder pressure

 

Proper strategy execution requires prioritization of the strategic risks. With the RSA Archer Strategic Risk Management app-pack, your organization will find comfort in a consistent and repeatable process for identifying and mitigating strategic risks, while understanding the level of preparedness against risks that impact your organization's strategies, minimizing the risks for successful strategy execution.

 

This new app-pack helps you get the most from both the Risk Catalog and the Strategic Planning app-pack. With the RSA Archer Strategic Risk Management you can relate the strategic risks to the strategies defined in the RSA Archer Strategic Planning app-pack to get a holistic view of your organization's strategies and how the strategic risks impact the organization. In addition, the existing Risk Catalog lets you build an inventory of your risks, from the enterprise level down to the operational level through the Risk Register. It allows you to roll-up individual risks into macro-levels for analysis and reporting at the most relevant level. With the addition of the RSA Archer Strategic Risk Management app-pack, you now have another layer of analysis available to you. Once you have identified risks in your hierarchy that tie back to Strategic Risks, you can track them together in the new app-pack while still maintaining the hierarchical structure in the Risk Catalog. That way, you have insights both on how individual risks roll-up throughout the organization AND on how each risk can influence the strategic risks.

 

RSA Archer Strategic Risk Management allows you to:

  • Identify strategic risks within the organization
  • Relate strategic risks to organizational strategies
  • Conduct a Strategic Risk Assessment to determine risks, impacts, and level of preparedness
  • Implement Action Plans to remediate strategic risks outside of the organization’s tolerance levels
  • Monitor strategic risks to identify opportunities to mitigate risks 

 

Interested in learning more about the RSA Archer Strategic Risk Management app-pack? Join us for a Free Friday Tech Huddle on Friday, May 31, for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller — or visit us at www.rsa.com.

 

 

RSA Archer Strategic Risk Management

Strategic Risk Manager Dashboard

Wouldn’t it be great if the size and resources of your third-party risk management team actually kept pace with your growing number of third parties? Hey, it never hurts to dream. But in case that dream never becomes a reality, RSA Archer has got your back.

 

Third-party relationships aren’t just growing in number and complexity -- they’re also growing in their potential impact to your business. As innovative companies lean into digital transformation, they’re increasingly leveraging third parties to host new infrastructure, improve customer experiences, and fuel digital-native products. So as our reliance on third parties grows, we have to ask ourselves how our risk management can work better, smarter, and faster.

 

Third-party risk management has traditionally been limited to questionnaires. These assessments remain important today, but they leave several gaps in effective risk management. First, they only tell you the risk at the "point in time" the assessment is conducted. Second, they only tell you what the third party knows and wants you to hear. They do nothing to illuminate security gaps that a vendor isn’t aware of. They tell you which controls are in place, but leave you with no assurance that those controls are operating effectively. And lastly, they’re just downright time-consuming for everyone involved, from respondents to reviewers. In a world where third parties are critical to bringing new products to market, that means hindering the pace of progress for the entire business.  

 

So how can we do risk better? The key is to maximize efficiency and minimize risk. Doing that means focusing on protecting value at risk. This requires having context for what matters to the business and where the value lies. But it’s not enough to just identify risk. Effective risk management also requires action.

 

That’s why we’re so excited to announce the new RSA Archer Third Party Security Risk Monitoring use case. While questionnaires and risk rating services alone only provide a partial view of risk, RSA Archer now enables you to build the complete picture. This new RSA Archer use case brings together business context, technical valuation powered by machine learning, objective verification of operating effectiveness, and actionable workflow to provide the most efficient, effective approach to risk management.

 

With both questionnaire-based assessments and new continuous monitoring of a third party’s internet presence, you can focus on how risk is actually implemented and operated. Prioritizing actions based on inherent business risk, asset value, and known defficiencies keeps you focused on what matters most. RSA Archer’s powerful workflow engine then ensures that the most critical issues get triaged both internally and externally for immediate response. As part of the broader RSA Archer platform for integrated risk management (IRM), you can also maximize the business value of your risk management program by providing a single place to share third party risk dashboards with stakeholders from the first line of defense, compliance, business resiliency, information security, and more.

 

Interested in taking your third-party risk program to the next level? Join us on Wednesday, May 22, 2019 at 11:00 AM Eastern for our webinar, "Third Party Risk Management: Making Sense of Your Vendor Data." To sign up, register here. Learn more about the new RSA Archer Third Party Security Risk Monitoring use case and be sure to join us for a Free Friday Tech Huddle on June 14, 2019.

With today’s launch of RSA Exchange Release R8, we’re excited to bring you new offerings that can help you in continuing to advance in your integrated risk management (IRM) journey.

 

One RSA objective for this year is delivering advanced IRM capabilities to help your organization achieve greater visibility and insights. RSA Exchange Release R8 is one of our largest releases to date and brings to market new capabilities in managing tax risk and strategic risk, as well as managing your organization’s conflict of interest policies with gift registration. In addition, 13 new and updated integrations offer enhanced insight from industry-leading software providers, and 6 new authoritative sources can help widen your view of risk.

 

The RiskRecon integration has been updated to optimize the new RSA Archer Third Party Security Risk Monitoring use case, which is now generally available.

 

Here is a full list of the new and updated offerings available in Release R8.

 

 

 

 

 

There are so many new capabilities available in Release R8, and I know it can be overwhelming.  My suggestion is to start by reviewing the product advisory to learn a bit more about each of the new and updated offerings.

 

Next, I invite you to join me for a Free Friday Tech Huddle on Friday, May 31 for an overview of the RSA Exchange Release R8 offerings. Christine Tran will also provide a demonstration of the new RSA Archer Strategic Risk Management and RSA Archer Gift Registration app-packs.

 

Lastly, there is a wealth of documentation, downloads, and more on the RSA Exchange on RSA Link.  I recommend that you bookmark the listing of all RSA Exchange offerings. And if you have new ideas for the RSA Exchange, please send them our way on RSA Ideas

Let's talk about entropy. No, I'm serious, we have to talk about it. Entropy is the natural tendency for things to become less organized over time, a natural decay of order and planning that creates chaos and uncertainty. And it is a natural tendency. As the work piles up, the new tasks, the urgent tasks will replace the mundane and old tasks at the top of your conscious mind. They have not become less important, they just are a victim of entropy.

 

I fight against entropy all the time, we all do. We try to create order and structure through a calendar, a to do list, reminders… Anything can become a tool in the fight against entropy. And that does bring us to a new feature in Archer 6.6, the automated metrics update.

 

Metrics are a great tool to monitor data, whether is it performance, risk or control data. It can give you a quick snapshot of a situation, it can give you early warning if something is not quite right, it can be used for trending, it has a lot of uses. The issue is that what you get from your metrics program is what you put in. If your metrics are not updated on a regular basis then you won't get anything of value out of them. Entropy is fighting against you, who will remember to go in an update a key indicator when there are ten new tasks to perform?

 

That is why we leveraged the new rules based enrollment feature in Advanced Workflow to implement an automatic upgrade of key indicators. Based on the update frequency and the last update date, metrics that are past their due update date are now going to be automatically enrolled in a workflow. The metric users will receive a notification, and have a task created for them to update their outstanding metrics. It’s a simple one step process that will ensure the key indicators stay up to date.

 

The end result is that since metrics will be more reliably up to date, all the information you use them for, dashboard, reports, trends, alerts will also be more up to date and reliable. So will the metrics you decide to feature on a dashboard through the new featured metric feature. The insights you will get from them will be better and timelier. And your fight against entropy will be made easier since there will be no need to chase metrics owners down to get them to update their data.

 

Now, this is only one illustration of how the new rules based enrollment workflow feature can be used, I am impatient to see what you will actually use it for. What do you think will be the first workflow you build using this?

Available beginning today, RSA Archer Release 6.6 represents our next step forward in creating a next-generation user experience that brings the power of RSA Archer to an evolving user base, where they are, with the context they need, and in the format they want.

 

With this release, we’ve focused on continuing to elevate the user experience with RSA Archer, with user interface, usability, and accessibility updates that support the growing scope and importance of risk and compliance at all levels of our customers’ organizations. Release 6.6 includes a number of improvements to key features of the main navigation, dashboards, and records pages for a more modern look and feel and enhanced functionality.

 

Other enhancements to the RSA Archer Platform include search and reporting improvements for easier and faster analysis. A new “Refine By” pane on the search results page – similar to what you would see in the left column on Amazon.com -- makes it easy to slice and dice initial search results by clicking attributes to filter the results without leaving the results page. Users can also add, remove, and reorder display fields directly from the search results page, for more efficient modifications to search results. To enable faster navigation and search, Global Search now provides search suggestions that appear in real-time as text is entered to enable faster navigation, and prioritizes content that matches the Key Field, Tracking ID, or both.

 

Release 6.6 includes workflow management enhancements for greater efficiency, including while on the move. As one of the customer-voted “Top 10” features on RSA Ideas, the new Advanced Workflow Actions by Email capability enables users to quickly and easily complete workflow actions, such as approving or rejecting a record, via email without the need to log in to RSA Archer. The release also includes performance improvements to optimize management of data at scale, support for an Application Managed Output Writer for JavaScript Transporter to enable more data in a single data feed, and removal of inactive jobs to reduce the job engine load.

 

RSA Archer Release 6.6 also includes updates for several use cases:

  • RSA Archer Key Indicator Management use case updates enable past due active metrics or metrics that do not have recorded results to be automatically enrolled into workflow. Metric owners are notified that action is required and can then determine the appropriate remediation actions for the metric.
  • RSA Archer Corporate Obligations Management and RSA Archer IT Regulatory Management use cases have been updated to remove pre-configured data feeds from the use case package, allowing customers to customize configuration based on their regulatory requirements. Data feeds are now available from the RSA Exchange on RSA Link.
  • RSA Archer Enterprise Catalog is a new package designed to simplify the process of updating releases by aggregating shared applications across multiple use cases.

 

Last, but certainly not least, for our global customers, RSA Archer Release 6.6 includes localization for the eight languages supported by RSA Archer. We’re very pleased to be able to provide localization with general availability for the first time with RSA Archer Release 6.6. Customers can immediately download RSA Archer in their language of preference, and translated documentation is also available.

 

For more details on RSA Archer Release 6.6 features and functionality, RSA Archer customers can review the product advisory. Customers are invited to join us for a Free Friday Tech Huddle on Friday, May 3. You can also read the blog series and check out the documentation available on the RSA Archer Release 6.6 subspace on RSA Link.

 

If you haven’t yet upgraded to 6.x to take advantage of these and other great features, please reach out to your account representative. You don’t know how much you’re missing!

 

Stay tuned for even more great things coming soon for the RSA Archer Suite.

In the RSA Exchange R6 release, we introduced the RSA Archer Speak Up app-pack which empowers your first line of defense to Speak Up regarding concerns in the form of ideas, issues, or complaints.  Using the RSA Archer Speak Up app-pack, your employees don't have to worry about how to classify the information or where to submit it and you can receive insights from your organization to improve the business.

 

In our most recent release of the RSA Exchange R7, we updated the RSA Archer Speak Up app-pack to allow capability for anonymous submissions.  Information can now be submitted anonymously to protect the identification of whistleblowers and management can solely focus on the issues at hand.

 

With the RSA Archer Speak Up App-Pack, you can:

  • Empower users within your organization to speak up regarding the business
  • Provide ownership and accountability for information reported
  • Employ a consistent governance process for reporting information
  • Be informed of organizational risks related to Speak Up requests
  • Inspire everyone to own risk

 

Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, April 12 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

This is not an April Fools’ Day joke – RSA Charge registration fees go up from $595 to $995 on April 2. Trust us, you will not want to miss this year’s Charge event. REGISTER TODAY!

 

RSA Charge 2019 will provide you a place to discover game-changing business-driven security solutions to meet today’s greatest business challenges. Attendees will explore best practices and have opportunities to problem-solve and discuss ideas for product and service innovation to increase productivity. From customer case studies to training as well as one-on-one consultations and motivating keynotes, this year’s conference has something for everyone!

 

RSA Charge 2019 will deliver a host of new content and exciting opportunities through:

Customer-led case studies and hands-on workshops to share trends and issues specific to your industry

Thought-provoking keynote presentations that provides insights on RSA’s products, solutions and customer successes

Partner Expo highlights solutions that are driving high-impact business benefits using RSA’s solutions

Unparalleled Networking invites you to exchange ideas with your peers and RSA experts and save – early bird rates are $595 and available through April 1, 2019, then the regular registration price kicks in at $995. The RSA Charge 2019 website should be your go-to destination for all ‘Charge’ information - Call for Speakers, Agendas at a Glance, Full Agendas and speakers, Keynotes, and so much more.

 

RSA Charge 2019 will be in Orlando from September 16-19, 2019 @ Walt Disney World Dolphin & Swan Hotel, Orlando. 

 

REGISTER before April 2, save $400 and check out the RSA Charge 2019 website for continual updates like the one below:

 

Just Added: Looking for pre-conference training? Due to RSA Charge starting on a Monday and being on the Disney grounds, RSA has decided not to offer any pre-conference training this year but instead offer a whole RSA University track dedicated to your favorite training topics at no extra cost. That’s right, no additional cost!

 

There will also be RSAU representatives, onsite to talk shop and answer any and all of your questions, just another reason to attend RSA Charge 2019. We look forward to seeing you all in Orlando.

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Sources of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is the proper management of Risk so important?

In addition to operational risk, organizations today face a wide range of risks originating in different areas of their business, including risk to achieving strategies and objectives, credit risk, interest rate, liquidity, and market risk, political risk, and reputation risk, to name a few.  Many of these risks arise within the four walls of the organization and many are inherited through the extended third-party ecosystem that the organization engages. 

 

As an organization grows in size and complexity, converts to digital, moves into new markets, introduces new, more sophisticated or novel products and services, is subject to more regulatory obligations, extends its third party dependencies, or is exposed to political, social, or environmental challenges, it becomes much more difficult for the organization’s management and board of directors to understand and manage its risks.  Without a clear understanding of their risks, these organizations tend to experience more surprises and losses, and have a more difficult time achieving their objectives and strategies.  Some of these risks may threaten the very existence of the organization, or the livelihood of its managers and board of directors.  Consequently, these risks must be effectively identified, assessed, and managed to protect the organization’s leadership and ensure the organization can meet its objectives.

 

RSA Archer Risk Catalog

RSA Archer Risk Catalog provides the foundation to record and track risks across your enterprise, and establish accountability by named first and second line of defense managers. It provides a three-level roll-up of risk, from a granular level up through enterprise risk statements. Inherent and residual risk can be assessed utilizing a top-down, qualitative approach, with assessed values rolling up to intermediate and enterprise risk statements.

 

Key features include:

  • Consistent approach to documenting risk, assigning accountability, and assessing risks
  • Oversight and management of all risks in one central location
  • Ability to understand granular risks that are driving enterprise risk statements
  • Consolidated list of prioritized risk statements

 

RSA Archer Risk Catalog enables organizations to:

  • Obtain a consolidated list of the organization’s risk
  • Enforce a consistent approach to risk assessments
  • Prioritize risks to make informed decisions about risk treatment plans
  • Create accountability for the ownership and management of risk

 

The RSA Archer Risk Catalog is an essential use case of the RSA Archer Ignition Program, designed to empower organizations of all sizes to respond to risk with data-driven facts using a streamlined, fast time-to-value approach

 

Today, organizations are faced with complex and fast moving challenges.  RSA Archer Risk Catalog is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization grows and changes, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effective risk management is essential for improving an organization’s risk profile.  RSA Archer can help your organization better understand and manage its risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

Thorough due diligence is a necessity when entering into an agreement or contract with another party, especially in the case of mergers and acquisitions.  However, due diligence activities can apply to any business situation requiring an investigation where proof that a "diligent" effort was put forth to obtain pertinent information in a forthcoming matter.  In the case of mergers and acquisitions, due diligence is a vital activity and can take several months of intense analysis if the target firm is a large business with a global presence.  This process often unveils risk insights and can help your organization plan for impacts to the business.      

 

Organizations need a way to define what due diligence activities are required and to track the results of those activities.  The RSA Archer Due Diligence Management app-pack enables you to define and manage the due diligence activities required for a thorough investigation of the target entity. The offering defines a framework for all due diligence activities making it consistent and repeatable, while providing visibility into the status of due diligence activities.  The due diligence framework can be defined specifically for your organization to ensure everyone within the organization is conducting the required due diligence for every target entity.  Due diligence activities are assigned and reviewed to ensure all activities have been completed, resulting in lower risk mergers and acquisitions.

 

With the RSA Archer Due Diligence Management app-pack, you can determine the scope of each due diligence project, track the due diligence tasks to completion, confirm and verify information through investigation, and provide recommendations based off of factual data and reports.

 

RSA Archer Due Diligence Management allows you to:

  • Offer a consistent and repeatable process for conducting due diligence
  • Implement a structure for due diligence checklist
  • Obtain visibility into the status of the due diligence activities required

 

Interested in learning more about the RSA Archer Due Diligence Management app-pack? Join us for a Free Friday Tech Huddle on Friday, March 29 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Sources of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Operational Risk Management so important?

For many organizations, effective operational risk management is inherently complex. As organizations grow in size and complexity, convert to digital, move into new markets, introduce new, more sophisticated or novel products and services, becomes subject to more regulatory obligations, or extends its third party dependencies, it becomes much more difficult for the organization’s management and board of directors to understand and manage its risks.  Without a clear understanding of their risks, these organizations tend to experience more surprises and losses, and have a more difficult time achieving their objectives and strategies.  Some operational risks may threaten the very existence of the organization, or the livelihood of its managers and board members.  Consequently, these risks must be effectively identified, assessed, and managed by business unit leaders (the first line of defense) and executive management to adequately protect the organization’s leadership and ensure the organization can meet its objectives.

 

Without engaging the first line of defense in identifying risk, and using consistent methodologies and measurements to assess risk, there is no way to provide executive management and the Board with an accurate and aggregated view of risk across the business.  Good operational risk management protects the organization from operational losses and surprises.

 

RSA Archer Operational Risk Management

RSA Archer Operational Risk Management is a combination of use cases that are core to a typical operational risk management program. These elements include: Top-Down Risk Assessment, Bottom-Up Risk Assessment, Loss Event Management, Key Indicator Management, Risk and Control Self-Assessments, Issues Management, and Scenario Analysis. RSA Archer Operational Risk Management enables cataloging business processes and sub-processes, documenting risks associated with business processes, and  control procedures. Risk self-assessments can be performed on a top-down basis, through first line of defense self-assessments, and through targeted bottom-up assessments. Loss events can be cataloged, root-cause analysis performed and routed for review and approval. Key risk and control indicators can be established and associated with risk and control registers, respectively, and monitored to provide early warning of changes in the organization’s risk profile. By integrating these use cases, risk managers have a comprehensive operational risk management program that reinforces desired accountability and risk management culture throughout the organization, providing necessary transparency through reporting, dashboards, and notification alerts.

 

Key features include:

  • Consolidated view into business processes, risks, controls, loss events, key indicators, and outstanding issues; an understanding of how they are all related; and accountability for each
  • Support for first line of defense self-assessments, and top down and bottom up risk assessments
  • Efficient management of self-assessment campaigns by second line of defense stakeholders, including necessary workflow to vet and challenge first line of defense assessments
  • Capture and perform root cause analysis on internal losses and near misses, and relevant external loss events, routing loss events to stakeholders for review and approval consistent with delegated authorities and loss type.
  • Enforce consistency in creation of risk and control registers through the use of risk and control libraries
  • Catalogue risk scenarios and capture and perform scenario risk assessments
  • Understand inherent and residual risk and observe changes in calculated residual risk while rolling up risks by business unit and enterprise risk statement
  • Robust key risk and control indicator program management to provide early warning and remediation
  • Consolidated issues management with a clear understanding at all times of the status of all open remediation plans and exceptions
  • Visibility into operational risk via predefined reports, risk dashboards, workflow, and notifications
  • Perform risk assessments qualitatively, quantitatively using monetary values, and support Monte Carlo simulation based on expert elicitation and loss events.

 

RSA Archer Operational Risk Management enables:

  • Better understanding of risks and controls throughout the organization
  • Improved risk management and risk management culture by engaging the first line of defense (business users) to take ownership of their risks and controls
  • Quicker detection and management of changes in risk profile
  • More efficient administration of the operational risk management program, allowing second line of defense teams to spend more time on analysis and less time on administration and reporting
  • Less time required to identify and resolve operational risk-related problems
  • Reduction in audit findings, surprises, loss events, and incidents,
  • Ability to clearly demonstrate the design and effectiveness of your organization’s risk management program

 

Today, organizations are faced with complex and fast moving challenges.  RSA Archer Operational Risk Management addresses the core requirements of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

As your organization drives business growth through an extended ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effective risk management is essential for improving an organization’s risk profile.  RSA Archer can help your organization better understand and manage its risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Bottom-Up Risk Assessment so important?

The introduction of new products and services, mergers and acquisitions, business process changes, and fraud are often viewed as risk projects to be evaluated when making decisions to move forward or enhance risk treatments. All too often, these kinds of operational project reviews are performed on an ad-hoc basis, using an unstructured and inconsistent approach. Bottom-up, project-oriented risk assessments are prone to incomplete and unreliable information. In addition, IT and business teams are often asked to collect the same assessment data via spreadsheets, Word documents, and email for different risk and compliance assessments. This manual approach results in missed project deadlines,  inconsistent and inaccurate risk assessments, risk treatments, and remediation plans. Manual approaches also often inefficient and expensive, and lack an easy way to compare results of multiple assessments. Since risks cannot be identified or assessed properly, losses, incidents, or other surprises related to the project may arise at a later date. Without visibility to or accountability in addressing known risks identified through bottom-up risk assessments, resource misallocation and slow implementation in risk treatment are the typical results.

 

RSA Archer Bottom-Up Risk Assessment

RSA Archer Bottom-Up Risk Assessment allows you to engage your teams via targeted project risk assessments. Projects can include such things as new and changing business processes, fraud assessments, new products and services, and proposed mergers, acquisitions, and divestitures.  Projects can be documented and questionnaires can be created with custom questions, as well as questions derived from RSA Archer’s extensive library of thousands of out-of-the-box questions. When risks are deemed too high, risk treatments and remediation plans can be documented and tracked through to resolution and approval.

 

Key features include:

  • Consistent approach to identify and assess project-related risk
  • Oversight and management of all risk assessments in process
  • Risk treatment plans are known across all assessments and implementation plans can be monitored to completion
  • Consolidated list of prioritized risk treatments and remediation plans
  • Visibility into assessment progress, risk treatments and remediation activity via pre-defined reports and risk dashboards
  • Named accountability for assessments and remediation plans

 

RSA Archer Bottom-Up Risk Assessment provides:

  • Consistent approach to identify and assess project-related risk
  • Oversight and management of all risk assessments in process
  • Known risk treatment plans across all assessments and implementation plans that can be monitored to completion
  • Consolidated list of prioritized risk treatments and remediation plans
  • Visibility into assessment progress, risk treatments and remediation activity via pre-defined reports and risk dashboards
  • Accountability for risk assessment and remediation activities

 

Today, organizations are faced with complex and fast moving operational risk challenges.  Tracking changing business activities is a core best practice in Operational Risk Management.  RSA Archer Bottom-Up Risk Assessment is a key element of an effective Operational and Integrated Risk Management program to assess risk associated with changing business activities.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Bottom-Up risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

 

 

Cross-site request forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application to which they are currently authenticated.

 

CSRF vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of the request's origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application.

 

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end user data and operation, when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.

 

 

CSRF relies on the following:

[1] Web browser behavior regarding the handling of session-re-lated information such as cookies and http authentication information;

 

[2] Knowledge by the attacker of valid web application URLs;

 

[3] Application session management relying only on information which is known by the browser;

 

[4] Existence of HTML tags whose presence cause immediate access to an http[s] resource; for example the image tag img.

 

Points 1, 2, and 3 are essential for the vulnerability to be present, while point 4 is accessory and facilitates the actual exploitation, but is not strictly required.

 

Point 1)

Browsers automatically send information which is used to identify a user session. Suppose site is a site hosting a web application, and the user victim has just authenticated himself to site. In response, site sends victim a cookie which identifies requests sent by victim as belonging to victim’s authenticated session. Basically, once the browser receives the cookie set by site, it will automatically send it along with any further requests directed to site.

 

Point 2)

If the application does not make use of session-related information in URLs, then it means that the application URLs, their parameters, and legitimate values may be identified (either by code analysis or by accessing the application and taking note of forms and URLs embedded in the HTML/JavaScript).

 

Point 3) ”Known by the browser” refers to information such as cookies, or http-based authentication information (such as Basic Authentication; and not form-based authentication), which are stored by the browser and subsequently resent at each request directed towards an application area requesting that authentication.

 

 

The vulnerabilities discussed next apply to applications which rely entirely on this kind of information to identify a user session.

Suppose, for simplicity’s sake, to refer to GET-accessible URLs (though the discussion applies as well to POST requests). If victim has already authenticated himself, submitting another request causes the cookie to be automatically sent with it (see picture, where the user accesses an application on www.example.com).

The GET request could be originated in several different ways:

  • by the user, who is using the actual web application;
  • by the user, who types the URL directly in the browser;
  • by the user, who follows a link (external to the application)pointing to the URL.

 

These invocations are indistinguishable by the application. In particular, the third may be quite dangerous. There are a number of techniques (and of vulnerabilities) which can disguise the real properties of a link. The link can be embedded in an email message, or appear in a malicious web site where the user is lured, i.e., the link appears in content hosted elsewhere (another web site, an HTML email message, etc.) and points to a resource of the application.

 

If the user clicks on the link, since it was already authenticated by the web application on site, the browser will issue a GET request to the web application, accompanied by authentication information (the session id cookie). This results in a valid operation performed on the web application and probably not what the user expects to happen. Think of a malicious link causing a fund transfer on a web banking application to appreciate the implications.

 

By using a tag such as img, as specified in point 4 above, it is not even necessary that the user follows a particular link.

 

 

Suppose the attacker sends the user an email inducing him to visit an URL referring to a page containing the following (oversimplified) HTML:

 

 

What the browser will do when it displays this page is that it will try to display the specified zero-width (i.e., invisible) image as well.

This results in a request being automatically sent to the web application hosted on site. It is not important that the image URL does not refer to a proper image, its presence will trigger the request specified in the src field anyway. This happens provided that image download is not disabled in the browsers, which is a typical

configuration since disabling images would cripple most web applications beyond usability.

 

The problem here is a consequence of the following facts:

  • there are HTML tags whose appearance in a page result in automatic http request execution (img being one of those);
  • the browser has no way to tell that the resource referenced by img is not actually an image and is in fact not legitimate;
  • image loading happens regardless of the location of the alleged image, i.e., the form and the image itself need not be located in the same host, not even in the same domain. While this is a very handy feature, it makes difficult to compartmentalize applications.

 

It is the fact that HTML content unrelated to the web application may refer components in the application, and the fact that the browser automatically composes a valid request towards the application, that allows such kind of attacks. As no standards are defined right now, there is no way to prohibit this behavior unless it is made impossible for the attacker to specify valid application URLs. This means that valid URLs must contain information related to the user session, which is supposedly not known to the attacker and therefore make the identification of such URLs impossible.

 

The problem might be even worse, since in integrated mail/browser environments simply displaying an email message containing the image would result in the execution of the request to the web application with the associated browser cookie.

 

Things may be obfuscated further, by referencing seemingly valid image URLs such as

where [attacker] is a site controlled by the attacker, and by utilizing a redirect mechanism on

 

Cookies are not the only example involved in this kind of vulnerability. Web applications whose session information is entirely supplied by the browser are vulnerable too. This includes applications relying on HTTP authentication mechanisms alone, since the authentication information is known by the browser and is sent

automatically upon each request. This DOES NOT include form based authentication, which occurs just once and generates some form of session-related information (of course, in this case, such information is expressed simply as a cookie and can we fall back to one of the previous cases).

 

 

Sample scenario

Let’s suppose that the victim is logged on to a firewall web managementapplication. To log in, a user has to authenticate himself and session information is stored in a cookie.

Let’s suppose the firewall web management application has a function that allows an authenticated user to delete a rule specified by its positional number, or all the rules of the configuration if the user enters ‘*’ (quite a dangerous feature, but it will make the example more interesting). The delete page is shown next. Let’s

suppose that the form – for the sake of simplicity – issues a GET request, which will be of the form (to delete rule number one)(to delete all rules).

The example is purposely quite naive, but shows in a simple way the dangers of CSRF.

 

 

Now, this is not the only possible scenario. The user might have accomplished the same results by manually submitting the URL or by following a link pointing, directly or via a redirection, to the above URL. Or, again, by accessing an HTML page with an embedded img tag pointing to the same URL.

 

In all of these cases, if the user is currently logged in the firewall management application, the request will succeed and will modify the configuration of the firewall. One can imagine attacks targeting sensitive applications and making automatic auction bids, money transfers, orders, changing the configuration of critical

software components, etc.

 

An interesting thing is that these vulnerabilities may be exercisedbehind a firewall; i.e., it is sufficient that the link being attacked be reachable by the victim (not directly by the attacker). In particular, it can be any Intranet web server; for example, the firewall management station mentioned before, which is unlikely to be exposed to the Internet.

 

Self-vulnerable applications, i.e., applications that are used both as attack vector and target (such as web mail applications), make things worse.

If such an application is vulnerable, the user is obviously logged in when he reads a message containing a CSRF attack, that can target the web mail application and have it perform actions such as deleting messages, sending messages appearing as sent by the user, etc.

 

 

 

How to Test:

Black Box Testing

For a black box test the tester must know URLs in the restricted

(authenticated) area. If they possess valid credentials, they

can assume both roles – the attacker and the victim. In this case,

testers know the URLs to be tested just by browsing around the

application.

Otherwise, if testers don’t have valid credentials available, they

have to organize a real attack, and so induce a legitimate, logged

in user into following an appropriate link. This may involve a substantial

level of social engineering.

Either way, a test case can be constructed as follows:

  • let u the URL being tested; for example, u =

http://www.example.com/action

  • build an html page containing the http request referencing URL

u (specifying all relevant parameters; in the case of http GET this

is straightforward, while to a POST request you need to resort to

some Javascript);

  • make sure that the valid user is logged on the application;
  • induce him into following the link pointing to the URL to be

tested (social engineering involved if you cannot impersonate

the user yourself);

  • observe the result, i.e. check if the web server executed the

request.

 

 

Gray Box Testing

Audit the application to ascertain if its session management is

vulnerable. If session management relies only on client side values

(information available to the browser), then the application is

vulnerable. “Client side values” mean cookies and HTTP authentication

credentials (Basic Authentication and other forms of HTTP

authentication; not form-based authentication, which is an application-

level authentication). For an application to not be vulnerable,

it must include session-related information in the URL, in a

form of unidentifiable or unpredictable by the user ([3] uses the

term secret to refer to this piece of information).

Resources accessible via HTTP GET requests are easily vulnerable,

though POST requests can be automated via Javascript and are

vulnerable as well; therefore, the use of POST alone is not enough

to correct the occurrence of CSRF vulnerabilities.

 

 

Tools

Category:OWASP_WebScarab_Project

Category:OWASP_CSRFTester_Project

site_request_forgery.php (via img)

site_framing.php (via iframe)

Remediation

 

 

 

 

The following countermeasures are divided among recommendations to users and to developers.

 

Users

Since CSRF vulnerabilities are reportedly widespread, it is recommended

to follow best practices to mitigate risk. Some mitigating

actions are:

  • Logoff immediately after using a web application
  • Do not allow the browser to save username/passwords, and do

not allow sites to “remember” the log in details.

  • Do not use the same browser to access sensitive applications

and to surf freely the Internet; if it is necessary to do both things

at the same machine, do them with separate browsers.

Integrated HTML-enabled mail/browser, newsreader/browser

environments pose additional risks since simply viewing a mail

message or a news message might lead to the execution of an

attack.

 

 

Developers

Add session-related information to the URL. What makes the

attack possible is the fact that the session is uniquely identified

by the cookie, which is automatically sent by the browser. Having

other session-specific information being generated at the URL

level makes it difficult to the attacker to know the structure of

URLs to attack.

Other countermeasures, while they do not resolve the issue, contribute

to make it harder to exploit:

  • Use POST instead of GET. While POST requests may be simulated

by means of JavaScript, they make it more complex to mount an

attack.

  • The same is true with intermediate confirmation pages (such as:

“Are you sure you really want to do this?” type of pages).

They can be bypassed by an attacker, although they will make

their work a bit more complex. Therefore, do not rely solely on

these measures to protect your application.

  • Automatic log out mechanisms somewhat mitigate the

exposure to these vulnerabilities, though it ultimately depends

on the context (a user who works all day long on a vulnerable

web banking application is obviously more at risk than a user

who uses the same application occasionally).

 

 

 

Description of CSRF Vulnerabilities -

See the OWASP article on CSRF Vulnerabilities.

How to Avoid CSRF Vulnerabilities -

See the OWASP Development Guide article on how to Avoid

CSRF Vulnerabilities.

How to Review Code for CSRF Vulnerabilities -

See the OWASP Code Review Guide article on how to Review

Code for CSRF Vulnerabilities.

How to Prevent CSRF Vulnerabilites -

See the OWASP CSRF Prevention Cheat Sheet for prevention

measures.

 

 

 

 

 

 

In this example we will be using Burp’s CSRF PoC generator to help us hijack a user's account by changing their details (the email address associated with the account) on an old, vulnerable version of “GETBOO”.

The version of “GETBOO” we are using is taken from OWASP’s Broken Web Application Project. Find out how to download, install and use this project.

 

 

 

Burp Scanner is able to locate potential CSRF issues.

The Scanner identifies a number of conditions, including when an application relies solely on HTTP cookies to identify the user, that result in a request being vulnerable to CSRF.

 

 

To manually test for CSRF vulnerabilities, first, ensure that Burp is correctly configured with your browser.

 

In the Burp Proxy "Intercept" tab, ensure "Intercept is off".

Visit the web application you are testing in your browser.

 

Ensure you are authenticated to the web application you are testing.

 

In this example by logging in to the application.

You can log in using the credentials user:user.

 

Access the page you are testing.

Alter the value in the field/s you wish to change, in this case “Email”.

 

In this example we will add a number to the email.

 

Return to Burp.

 

In the Proxy "Intercept" tab, ensure "Intercept is on".

Submit the request so that it is captured by Burp.

 

In the "Proxy" tab, right click on the raw request to bring up the context menu.

 

Go to the “Engagement tools” options and click “Generate CSRF PoC”.

 

Note: You can also generate CSRF PoC's via the context menu in any location where HTTP requests are shown, such as the site map or Proxy history.

 

 

In the "CSRF PoC generator" window you should alter the value of the user supplied input.

 

In this example we will change to "newemail@malicious.com".

 

In the same window, click “Copy HTML”.

 

Open a text editor and paste the copied HTML.

 

Save the file as a HTML file.

 

In the Proxy "Intercept" tab, ensure "Intercept is off".

 

If necessary, log back in to the application.

 

Initially we will test the attack on the same account.

 

Open the HTML file in the same browser.

 

Dependent on the CSRF PoC options you may need to submit the request or it may be submitted automatically.

 

 

In this case we are submitting the request manually.

 

If the attack has been successful and the account information has been successfully changed, this serves as an initial check to verify whether the attack is plausible.

Now login to the application using a different account (in this example the admin account for the application).

 

Once you are logged in, perform the attack again by opening the file in the same browser.

The attack is successful if the account information in the web application has been altered.

 

A successful attack shows that the web application is vulnerable to CSRF.

For the attack to fire in a real world environment, the victim needs to access a page under the attacker's control while authenticated.

 

In our example web application, a new password can be set for the account using the email address. In this way an attacker could gain full ownership 

 

 

 

 

Generate CSRF PoC:

This function can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for a given request.

To access this function, select a URL or HTTP request anywhere within Burp, and choose "Generate CSRF PoC" within "Engagement tools" in the context menu.

When you execute this function, Burp shows the full request you selected in the top panel, and the generated CSRF HTML in the lower panel. The HTML uses a form and/or JavaScript to generate the required request in the browser.

You can edit the request manually, and click the "Regenerate" button to regenerate the CSRF HTML based on the updated request.

You can test the effectiveness of the generated PoC in your browser, using the "Test in browser" button. When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to use the current instance of Burp as its proxy). The resulting browser request is served by Burp with the currently displayed HTML, and you can then determine whether the PoC is effective by monitoring the resulting request(s) that are made through the Proxy.

Some points should be noted regarding CSRF techniques:

  • The cross-domain XmlHttpRequest (XHR) technique only works on modern HTML5-capable browsers that support cross-origin resource sharing (CORS). The technique has been tested on current versions of Firefox, Internet Explorer and Chrome. The browser must have JavaScript enabled. Note that with this technique, the application's response is not processed by the browser in the normal way, so it is not suitable for making cross-domain requests to deliver reflected cross-site scripting (XSS) attacks. Cross-domain XHR is subject to various restrictions which may prevent it from working with some request features. Burp will display a warning in the CSRF PoC generator if this is liable to occur.
  • Some requests have bodies (e.g. XML or JSON) that can only be generated using either a form with plain text encoding, or a cross-domain XHR. In the former case, the resulting request will include the header "Content-Type: text/plain". In the latter case, the request can include any Content-Type header, but will only qualify as a "simple" cross-domain request (and so avoid the need for a pre-flight request which typically breaks the attack) if the Content-Type header has one of the standard values that may be specified for normal HTML forms. In some cases, although the message body exactly matches that required for the attack request, the application may reject the request due to an unexpected Content-Type header. Such CSRF-like conditions might not be practically exploitable. Burp will display a warning in the CSRF PoC generator if this is liable to occur.
  • If you manually select a CSRF technique that cannot be used to produce the required request, Burp will generate a best effort at a PoC and will display a warning.
  • If the CSRF PoC generator is using plain text encoding, then the request body must contain an equals character in order for Burp to generate an HTML form which results in that exact body. If the original request does not contain an equals character, then you may be able to introduce one into a suitable position in the request, without affecting the server's processing of it.

CSRF PoC options

The following options are available:

  • CSRF technique - This option lets you specify the type of CSRF technique to use in the HTML that generates the CSRF request. The "Auto" option is generally preferred, and causes Burp to select the most appropriate technique capable of generating the required request.
  • Include auto-submit script - Using this option causes Burp to include a script in the HTML that causes a JavaScript-enabled browser to automatically issue the CSRF request when the page is loaded.

 

From <https://portswigger.net/burp/documentation/desktop/functions/generate-csrf-poc>

Filter Blog

By date: By tag: