Web Application Security | Beginner Session - Cross Site Request Forgery


Published on February 27, 2014

Author: null0x00

Source: slideshare.net


null Bangalore February meet

CSRF/XSRF? (pronounced as "sea-surf") It's BAD. How?

How? Suppose you have an online bank account and you're already authenticated (you have already logged in).

How? Now, you clicked on a link from another website, maybe from a comment. Ex. <a href="http://bankwebsite.com/transfermoney.html">I posted photos</a> This will just look like: I posted photos

How? Your bank website would not know that this is not really your intention.

What is it?
- Attacker exploits the fact that the victim is authenticated to a website
- Identifying the attacker can be difficult

What can it do?
- Proxy requests/commands for the attacker from the victim's browser
- Even POSTs can be forged as GET requests in some cases
- Web Forms One Click: demo in module

How is it exploited?
- Can be very simple: image link in an email, script on a blog, simple link
- Attacker gets the user to
  - Click a specially crafted link (or inject JavaScript into a site the victim visits)
  - Execute a request (can be as simple as requesting an image URL in an email)
  - Innocently browse a web site
- Can users include hrefs or image links to your site? Link to bad URL
- Ever click "view images" in an email? All browsers happily send over credentials if already logged on
- If already logged in (forms auth) the cookie is sent over even for an image request


CSRF – How is it exploited? DEMO – Repeatability is the key

CSRF – How is it exploited? DEMO – Piggyback with some other attack like XSS

CSRF – POSTs protect me
- They do, don't they? Don't they? Hello?
- Web Forms One Click attack
- Page.IsPostBack doesn't always tell the truth
- A button click doesn't always mean someone clicked the button

How do you prevent it?
- All web apps
  - Ensure GET only retrieves a resource (as per the HTTP spec); no state is modified
  - POST/PUT/DELETE can be forged; must take additional precautions
  - Try to make requests unique and non-repeatable

CSRF Defenses
- CAPTCHA
  - Attacker must know the CAPTCHA answer
  - Assuming a secure implementation
- Re-Authentication
  - Password based
    - Attacker must know the victim's password
    - If the password is known, then game over already!
  - One-time token
    - Attacker must know the current token
    - Very strong defense!
- Unique request tokens
  - Attacker must know the unique request token for a particular victim for a particular session
  - Assumes the token is cryptographically secure and not disclosed
  - /accounts?auth=687965fdfaew87agrde …
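As an added example (not code from the talk), here is a minimal Python model of the bank-transfer scenario above: one handler trusts the session cookie alone, the other applies the "unique request token" defense (a per-session synchronizer token) and refuses to change state on GET. The Request class, session store, ledger and amounts are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}

def login(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

class Request:
    def __init__(self, method, cookies, form):
        self.method, self.cookies, self.form = method, cookies, form

def transfer_vulnerable(req, ledger):
    """Trusts the session cookie alone, on any method. The browser attaches the
    cookie automatically, so a link or <img> from another site looks intended."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    ledger[sess["user"]] -= int(req.form["amount"])
    return 200

def transfer_hardened(req, ledger):
    """Synchronizer token: the form must echo the token held in the session.
    A cross-site page can make the browser send the cookie, but it cannot
    read the token out of the bank's page, so the forged request fails."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405                      # GET must never modify state
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403                      # missing or wrong token
    ledger[sess["user"]] -= int(req.form["amount"])
    return 200

def demo():
    """Replay the bank scenario from the talk against both handlers."""
    ledger = {"alice": 100}
    sid = login("alice")
    cookie = {"session": sid}
    forged_get = Request("GET", cookie, {"amount": "40"})      # link / image
    forged_post = Request("POST", cookie, {"amount": "40"})    # POST, no token
    legit = Request("POST", cookie, {"amount": "40", "csrf_token": SESSIONS[sid]["csrf"]})
    codes = (transfer_vulnerable(forged_get, ledger), transfer_hardened(forged_get, ledger),
             transfer_hardened(forged_post, ledger), transfer_hardened(legit, ledger))
    return codes, ledger["alice"]
```

Running demo() shows the cookie-only handler debiting the account on a plain GET, while the hardened handler rejects both forged requests and accepts only the form that carries the session's token.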

Web Forms – CSRF Prevention DEMO
