SEA SURFING

HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE…

Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
Asanka Fernandopulle, Senior Software Engineer, 99X Technology
What is it?
- Cross Site Request Forgery – Sea Surrrrrfff
- The attacker exploits the fact that the victim is authenticated to a website
- Identifying the attacker can be difficult
- What can it do?
  - Proxy requests/commands for the attacker from the victim’s browser
- Even POSTs can be forged as GET requests in some cases
  - Web Forms One Click Demo in module

January 1, 2013   99X Technology(c)   2
How is it exploited?
- Can be very simple – an image link in an email, a script on a blog, a simple link
- The attacker gets the user to
  - Click a specially crafted link (or injects JavaScript into a site the victim visits)
  - Execute a request (can be as simple as requesting an image URL in an email)
- Innocently browsing a web site
  - Can users include hrefs or image links to your site? Then they can link to a bad URL
- Ever click “view images” in an email?
- All browsers happily send over credentials if already logged on
  - If already logged in (forms auth) the cookie is sent over even for an image request
  - Some are invisible! IE default setting
CSRF – HOW IT IS EXPLOITED?

DEMO

CSRF – HOW IT IS EXPLOITED?

DEMO – Repeatability is the key

CSRF – HOW IT IS EXPLOITED?

DEMO – Piggyback with some other attack like XSS
CSRF – POSTs protect me
- They do, don’t they? Don’t they? Hello?
- MVC: CSRF via XSS
- Web Forms: One Click attack
  - Page.IsPostBack doesn’t always tell the truth
  - A button click event doesn’t always mean someone clicked the button
How do you prevent it?
- All Web Apps
  - Ensure GET only retrieves a resource (as per the HTTP spec)
  - No state is modified by a GET
  - POST/PUT/DELETE can also be forged, so they need additional precautions
  - Try to make requests unique and non-repeatable
- Web Forms specific
  - ViewStateUserKey = Session.SessionId
  - ViewState then acts as a form token
  - Must protect the session IDs (encryption, hashing)
  - Pages inherit from the base web page
  - SSL to prevent sniffing of ViewState and SessionId
- MVC specific
  - The Anti-Forgery token uses a form value AND a cookie value
  - SSL to prevent sniffing of the Anti-Forgery token
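The slide above names two rules that apply to every web app (GET never changes state; state-changing requests carry something the attacker cannot supply) and describes the MVC Anti-Forgery token as a form value AND a cookie value that must agree. The following is an added, platform-neutral Python model of that check; it is not code from the deck and not the ASP.NET implementation. The cookie name, form field name, session binding via HMAC and the `handle_transfer` endpoint are assumptions chosen for illustration: the form token is an HMAC over the cookie token and the session ID, so a request passes only when the browser-supplied cookie and the page-supplied form value were issued together for this session.

```python
"""Added example: form-value-AND-cookie anti-forgery check plus the
'GET must not modify state' rule. Not the deck's code; names are assumed."""
import hashlib
import hmac
import secrets

# Constructed for the example only; a real deployment loads the key from
# protected configuration and rotates it.
SERVER_KEY = b"example-key-constructed-for-this-demo"
COOKIE_NAME = "csrf_cookie"   # assumed name, not ASP.NET's
FIELD_NAME = "csrf_form"      # assumed name, not ASP.NET's


def _form_token_for(cookie_token: str, session_id: str) -> str:
    """Bind the form token to both the cookie token and the session."""
    msg = f"{cookie_token}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(session_id: str) -> tuple[str, str]:
    """Called when rendering a form: returns (cookie_token, form_token).
    The cookie token is set as an HTTP cookie, the form token goes into a
    hidden field of the page the server renders."""
    cookie_token = secrets.token_urlsafe(32)
    return cookie_token, _form_token_for(cookie_token, session_id)


def validate_anti_forgery(cookies: dict, form: dict, session_id: str) -> bool:
    """Both halves must be present and must have been issued together for
    this session. A cross-site page gets the cookie sent for free by the
    browser but cannot read the victim's form token, so it fails here."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    expected = _form_token_for(cookie_token, session_id)
    return hmac.compare_digest(expected, form_token)


def handle_transfer(method: str, cookies: dict, form: dict,
                    session_id: str, account: dict) -> str:
    """A state-changing endpoint enforcing both rules from the slide."""
    if method.upper() in ("GET", "HEAD"):
        return "rejected: GET must not modify state"
    if not validate_anti_forgery(cookies, form, session_id):
        return "rejected: anti-forgery check failed"
    account["balance"] -= int(form["amount"])
    return "ok"


def run_scenarios() -> dict:
    """Constructed requests against one victim session."""
    session_id = "sess-victim"            # constructed sample value
    cookie_token, form_token = issue_tokens(session_id)
    account = {"balance": 100}
    results = {}
    # 1. Submission from the page the server actually rendered.
    results["legit_post"] = handle_transfer(
        "POST", {COOKIE_NAME: cookie_token},
        {FIELD_NAME: form_token, "amount": "10"}, session_id, account)
    # 2. Request triggered by an image URL: the browser attaches the cookie,
    #    but a GET is never allowed to change state.
    results["cross_site_get"] = handle_transfer(
        "GET", {COOKIE_NAME: cookie_token}, {"amount": "10"},
        session_id, account)
    # 3. Forged POST from another origin: cookie present, form token absent.
    results["cross_site_post_no_form_token"] = handle_transfer(
        "POST", {COOKIE_NAME: cookie_token}, {"amount": "10"},
        session_id, account)
    # 4. Form token issued for a different session does not match.
    _, other_form_token = issue_tokens("sess-other")
    results["cross_site_post_foreign_token"] = handle_transfer(
        "POST", {COOKIE_NAME: cookie_token},
        {FIELD_NAME: other_form_token, "amount": "10"}, session_id, account)
    results["final_balance"] = account["balance"]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the first scenario reaches the balance update; the other three are rejected before any state changes. Note that this token is reusable for as long as the cookie token lives, so it does not by itself give the "unique and non-repeatable" property the slide asks for; that needs a per-request nonce tracked server-side, and the transport point on the slide (SSL) still applies because both halves travel in the clear otherwise.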
Web Forms – CSRF Prevention

DEMO

MVC – CSRF Prevention

DEMO