Published on February 27, 2014
CSRF/XSRF? (pronounced "sea-surf") It's BAD. How?

How? Suppose you have an online bank account and you're already authenticated (you have already logged in).

How? Now, you clicked on a link from another website, maybe from a comment. Ex. <a href="http://bankwebsite.com/transfermoney.html">I posted photos</a> This will just look like: I posted photos

How? Your bank website would not know that this is not really your intention.

What is it?
Attacker exploits the fact that the victim is authenticated to a website
Identifying the attacker can be difficult
What can it do?
Proxy requests/commands for the attacker from the victim's browser
Even POSTs can be forged as GET requests in some cases
Web Forms One Click Demo in module 5

CSRF – HOW IT IS EXPLOITED? DEMO

CSRF – HOW IT IS EXPLOITED? DEMO – Repeatability is the key

CSRF – HOW IT IS EXPLOITED? DEMO – Piggyback with some other attack like XSS

CSRF – POSTs protect me. They do, don't they? Don't they? Hello?
Web Forms One Click attack
Page.IsPostBack doesn't always tell the truth
A button click doesn't always mean someone clicked the button

How do you prevent it?
All Web Apps
Ensure GET only retrieves a resource (as per the HTTP spec)
No state is modified
POST/PUT/DELETE can be forged, must take additional precautions
Try to make requests unique and non-repeatable

CSRF Defenses
CAPTCHA
○ Attacker must know the CAPTCHA answer
○ Assuming a secure implementation
Re-Authentication
Password Based
○ Attacker must know the victim's password
○ If the password is known, then game over already!
One-Time Token
○ Attacker must know the current token
○ Very strong defense!
Unique Request Tokens
○ Attacker must know the unique request token for a particular victim for a particular session
○ Assumes the token is cryptographically secure and not disclosed.
○ /accounts?auth=687965fdfaew87agrde …

Web Forms – CSRF Prevention DEMO
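The two prevention slides above (GET must not modify state; state-changing requests need a unique, non-repeatable token) as an added example, not code from the deck. It is a framework-independent sketch in Python: the session store, endpoint name and form field names are constructed for illustration, and the token is per session, consumed on use, and compared in constant time.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the bank's server-side session.
SESSIONS = {}


def new_session(user):
    """Simulate login: create a session keyed by an unpredictable session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": None}
    return sid


def issue_csrf_token(sid):
    """Mint a fresh, cryptographically secure token bound to this session.
    The page embeds it as a hidden form field; an attacker's page on another
    origin cannot read it, so a forged request cannot supply it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_token"] = token
    return token


def handle_transfer(method, sid, form):
    """Handler for the hypothetical money-transfer endpoint.
    Returns a status string instead of performing the transfer."""
    session = SESSIONS.get(sid)
    if session is None:
        return "401 not authenticated"
    # GET only retrieves a resource; a link alone must never move money.
    if method != "POST":
        return "405 GET must not modify state"
    expected = session["csrf_token"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a missing or stale token is rejected.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or invalid CSRF token"
    # One-time: consume the token so a replayed request is rejected.
    session["csrf_token"] = None
    return f"200 transferred {form.get('amount')} to {form.get('to')}"
```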