CSRF
Application security, https, web security, sniffing, cryptography, owasp, vulnerability, threat, exploit, webgoat, samurai WTF, webscarab, w3af, zed proxy, acunetix, burpsuite, secure authentication, parameter modification, sql injection, session ID prediction, session management, cross site scripting, reflected xss, stored xss, application security proxy, xst, csrf

    CSRF Presentation Transcript

    • SEA SURFING: HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE…
      Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
      Asanka Fernandopulle, Senior Software Engineer, 99X Technology
    • What is it?
      • Cross Site Request Forgery – Sea Surrrrrfff
      • The attacker exploits the fact that the victim is authenticated to a website
      • Identifying the attacker can be difficult
      What can it do?
      • Proxy requests/commands for the attacker from the victim’s browser
      • Even POSTs can be forged as GET requests in some cases
        • Web Forms One Click
        • Demo in module
      January 1, 2013 99X Technology (c) 2
    • How is it exploited?
      • Can be very simple – an image link in an email, a script on a blog, a simple link
      • The attacker gets the user to:
        • Click a specially crafted link (or injects JavaScript into a site the victim visits)
        • Execute a request (can be as simple as requesting an image URL in an email)
      • Innocently browsing a web site
        • Can users include hrefs or image links on your site? Link to a bad URL
        • Ever click “view images” in an email?
      • All browsers happily send over credentials if already logged on
        • If already logged in (forms auth) the cookie is sent over even for an image request
        • Some are invisible! IE default setting
    • CSRF – HOW IS IT EXPLOITED? DEMO
    • CSRF – HOW IS IT EXPLOITED? DEMO – Repeatability is the key
    • CSRF – HOW IS IT EXPLOITED? DEMO – Piggyback with some other attack like XSS
    • CSRF – POSTs protect me. They do, don’t they? Don’t they? Hello?
      • MVC: CSRF via XSS
      • Web Forms: One Click attack
        • Page.IsPostBack doesn’t always tell the truth
        • A button click doesn’t always mean someone clicked the button
    • How do you prevent it?
      • All web apps
        • Ensure GET only retrieves a resource (as per the HTTP spec); no state is modified
        • POST/PUT/DELETE can be forged, so take additional precautions
        • Try to make requests unique and non-repeatable
      • Web Forms specific
        • ViewStateUserKey = Session.SessionID; ViewState then acts as a form token
        • Must protect the session IDs (using encryption, hashing)
        • Pages inherit from the base web page
        • SSL to prevent sniffing of ViewState and SessionID
      • MVC specific
        • The anti-forgery token uses a form value AND a cookie value
        • SSL to prevent sniffing of the anti-forgery token
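The two prevention ideas on this slide that map directly to code are an anti-forgery token that must appear in both a hidden form field and a cookie, bound to the session, and tokens that are single-use so a captured request is not repeatable. The Python below is an added example written for this transcript; it is not the ASP.NET MVC anti-forgery implementation and not 99X Technology's demo code. The `AntiForgery` class, the `Request` model, `transfer_handler`, the `__AF` cookie/field name, the server secret and the session identifiers are all constructed for illustration. It runs one legitimate transfer and then the forgeries the earlier slides describe (cross-site POST with no token, an attacker's own token pasted in, a replayed request, and the same action through a GET), each of which the server must reject.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo secret; a real deployment loads it from protected configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed mapping from session cookie value to the logged-in user.
SESSION_USER = {"sess-victim": "victim", "sess-attacker": "attacker"}

# Methods that per the HTTP spec only retrieve a resource; they must never change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """What the server sees. The browser attaches session_id and cookies automatically,
    even for cross-site requests (the reason CSRF works); form is whatever the
    submitting page controlled."""
    method: str
    session_id: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class AntiForgery:
    """Session-bound synchronizer token paired with a cookie value ('form value AND
    cookie value'), consumed on use so a captured request cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_nonces = set()

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str):
        """Called when rendering a state-changing form: returns the cookie value
        (random nonce) and the hidden-field value (nonce.mac)."""
        nonce = secrets.token_hex(16)
        return nonce, f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, req: Request) -> bool:
        cookie_nonce = req.cookies.get("__AF")
        form_token = req.form.get("__AF")
        if not cookie_nonce or not form_token or "." not in form_token:
            return False  # a forged cross-site form never saw the hidden field
        nonce, mac = form_token.split(".", 1)
        if not hmac.compare_digest(nonce, cookie_nonce):
            return False  # form value and cookie value disagree
        if not hmac.compare_digest(mac, self._mac(req.session_id, nonce)):
            return False  # token was minted for another session, or tampered with
        if nonce in self.used_nonces:
            return False  # replay: tokens are single-use, so requests are not repeatable
        self.used_nonces.add(nonce)
        return True


def transfer_handler(af: AntiForgery, req: Request, balances: dict) -> int:
    """State-changing endpoint: refuses safe methods outright, then demands a valid
    anti-forgery token before touching balances. Returns an HTTP status code."""
    if req.method in SAFE_METHODS:
        return 405
    if not af.verify(req):
        return 403
    owner = SESSION_USER[req.session_id]
    amount = int(req.form["amount"])
    balances[owner] -= amount
    balances[req.form["to"]] = balances.get(req.form["to"], 0) + amount
    return 200


def run_scenario() -> dict:
    """Constructed walk-through: one legitimate transfer, then the forgeries."""
    af = AntiForgery(SERVER_SECRET)
    balances = {"victim": 100, "attacker": 0}
    results = {}

    # Victim opens the real form: the server sets the __AF cookie and hidden field.
    v_nonce, v_token = af.issue("sess-victim")
    legit = Request("POST", "sess-victim", {"__AF": v_nonce},
                    {"__AF": v_token, "to": "friend", "amount": "10"})
    results["legit"] = transfer_handler(af, legit, balances)

    # Auto-submitted cross-site form: the browser adds the victim's cookies,
    # but the attacker's page could not read the hidden field.
    forged = Request("POST", "sess-victim", {"__AF": v_nonce},
                     {"to": "attacker", "amount": "90"})
    results["forged_no_token"] = transfer_handler(af, forged, balances)

    # Attacker pastes a token issued to their own session into the forged form.
    _, a_token = af.issue("sess-attacker")
    forged2 = Request("POST", "sess-victim", {"__AF": v_nonce},
                      {"__AF": a_token, "to": "attacker", "amount": "90"})
    results["forged_attacker_token"] = transfer_handler(af, forged2, balances)

    # The valid request captured and sent again ("repeatability is the key").
    results["replay"] = transfer_handler(af, legit, balances)

    # Same action attempted through an image-style GET.
    get = Request("GET", "sess-victim", {"__AF": v_nonce},
                  {"__AF": v_token, "to": "attacker", "amount": "90"})
    results["get_attempt"] = transfer_handler(af, get, balances)

    results["victim_balance"] = balances["victim"]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The MAC over session ID plus nonce is what ties the form token to the victim's session: a token the attacker obtains from their own session fails the session check even though it is otherwise well-formed. Consuming the nonce on first use is the "unique and non-repeatable" point from the slide; the ViewStateUserKey approach on Web Forms achieves the session binding differently, by mixing the session ID into the ViewState MAC, but the property being checked is the same.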
    • Web Forms – CSRF Prevention: DEMO
    • MVC – CSRF Prevention: DEMO