CSRF Web Vulnerabilities – Nikita Makeyev

Submitted for BarCamp Memphis 2010

Speaker notes: ASK: how many freelancers? ASK: How many business owners?

    1. Welcome
       Cross Site Request Forgery (CSRF)
       Nikita Makeyev, CoreCommerce
    2. Cross Site Request What?
       • Cross Site Request Forgery
       • CSRF
       • XSRF
       • One-Click Attack
       • Session Riding
    3. How Does It Work? Step 1
       Attacker finds a website that:
         • performs a state-changing action upon a GET request, OR
         • performs an action upon a POST request but doesn't differentiate between POST and GET data (for example, a PHP handler that reads its parameters from $_REQUEST, so the same parameters can be delivered in a URL)
    4. How Does It Work? Step 2
       Attacker constructs a URL that simulates a server action request and includes it as the src of an image or a script on a bunch of sites - blogs, forums, malicious sites, etc.:
         <img src="https://www.mybank.com/account.php?m=update_account&submit=Y&email=hostile@evil.com" alt="image" />
       The victim's browser fetches that URL with the victim's mybank.com cookies attached, so the bank sees an ordinary request from a logged-in user.
    5. How Does It Work? Step 3
       Legitimate user accesses https://www.mybank.com/account.php, logs in and then, while still logged in, happens to visit one of the compromised pages.
    6. How Does It Work? Step 4
       Attacker checks https://www.mybank.com/account.php every day and attempts to use the forgot password feature using [email_address]; because the account's contact address was silently changed in step 3, the password reset now goes to the attacker.
    7. What Makes It Possible?
       • Web developers aren't as familiar with this vulnerability as with some other ones (XSS, SQL injection)
       • Site relies on user identity that the browser sends automatically (session cookie, HTTP auth)
       • Attacker is able to find a form submission or a URL that performs an action
       • Attacker must lure the victim to a page with malicious code
    8. Why Is It Dangerous?
       • Hard to detect with automated scanners, which cannot tell which requests change state
       • No damage ceiling: any action the victim is allowed to perform, the attacker can forge
       • The attack is silent: the victim sees nothing, and the forged request shows up in server logs as a normal request from the victim
       • Easily mountable: a single line of HTML on any page the victim visits
       • Combines with XSS: an XSS flaw on the target site lets the forged request be launched from the site itself, which defeats Referer checks and lets the script read anti-CSRF tokens
    9. How Do I Prevent It?
       • Do not use $_REQUEST (it merges GET, POST and cookie data, so a GET URL can drive a handler written for POST)
       • Only use POST to initiate actions. This stops the <img>/<script> src vector, but not CSRF in general: an attacker's page can auto-submit a hidden POST form with JavaScript, and the browser still attaches the victim's cookies
       • Check the HTTP Referer header. Cheap, but not sufficient on its own: browsers and proxies often omit Referer, so a check that allows requests without one can be bypassed, and a check that rejects them breaks legitimate users
       • Use a random, server-generated, user-specific token in every form submission and reject any state-changing request whose token does not match the one stored in the user's session. This is the reliable fix:
         <form action="index.php" method="POST">
           ...
           <input type="hidden" name="<?php print $oneTimeTokenName ?>" value="<?php print $oneTimeTokenValue ?>" />
           ...
         </form>
    10. Questions & Discussion
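The attack in steps 1 to 4 and the three defences on the prevention slide, as an added example that is not part of the talk or of CoreCommerce's code: a Python model of the bank's account.php handler in its vulnerable, POST-only and token-checked forms, replayed against the <img> vector and the auto-submitting POST form. The handler and parameter names, the session layout, the attacker page and every e-mail address except hostile@evil.com are assumptions made for the example.

```python
"""Toy model of the account.php flow from the slides. Added example; routes,
parameter names, the session dict and the victim/new addresses are assumed."""
import hmac
import secrets
from html import escape

ATTACKER_EMAIL = "hostile@evil.com"   # from the slides' <img> example


# --- the bank: a dict stands in for the server-side session ($_SESSION) ---

def new_session(email="victim@example.com"):
    """Constructed sample session for a user who has just logged in."""
    return {"email": email, "csrf_token": None}


def issue_csrf_token(session):
    """Random, server-generated, user-specific token kept in the session and
    echoed into every form served to that user (the slides' hidden input)."""
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session):
    """The legitimate form. The attacker's page cannot read this response
    (same-origin policy), so it never learns the token."""
    token = issue_csrf_token(session)
    return ('<form action="account.php" method="POST">'
            '<input type="hidden" name="m" value="update_account" />'
            f'<input type="hidden" name="csrf_token" value="{escape(token)}" />'
            '<input type="email" name="email" /></form>')


def update_account_vulnerable(session, method, params):
    """Step-1 flaw: acts on GET or POST alike, no token (think $_REQUEST)."""
    if params.get("m") == "update_account" and "email" in params:
        session["email"] = params["email"]
        return "updated"
    return "ignored"


def update_account_post_only(session, method, params):
    """'Only use POST': blocks the <img src> vector, not a forged POST."""
    if method != "POST":
        return "rejected: GET cannot change state"
    return update_account_vulnerable(session, method, params)


def update_account_protected(session, method, params):
    """Synchronizer token: POST only, and the submitted token must equal the
    session's. Constant-time compare on bytes so the check itself leaks
    nothing and non-ASCII input cannot raise."""
    if method != "POST":
        return "rejected: GET cannot change state"
    expected = session["csrf_token"] or ""
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: bad CSRF token"
    return update_account_vulnerable(session, method, params)


# --- the attacker ---

def attacker_img_tag():
    """Step 2: the GET vector hidden in an <img> on a forum post."""
    return ('<img src="https://www.mybank.com/account.php?m=update_account'
            f'&submit=Y&email={ATTACKER_EMAIL}" alt="image" />')


def attacker_autosubmit_page():
    """The POST vector: a page on the attacker's host that submits a hidden
    form to the bank on load. The browser attaches the victim's cookies
    exactly as it does for the <img> request."""
    return ('<html><body onload="document.forms[0].submit()">'
            '<form action="https://www.mybank.com/account.php" method="POST">'
            '<input type="hidden" name="m" value="update_account" />'
            f'<input type="hidden" name="email" value="{ATTACKER_EMAIL}" />'
            '</form></body></html>')


def forged_request_params():
    """What the bank receives from either attacker page: no csrf_token,
    because the attacker has no way to obtain the victim's value."""
    return {"m": "update_account", "submit": "Y", "email": ATTACKER_EMAIL}


def run_scenarios():
    """Replay steps 1-3 against each handler; returns the victim's e-mail
    afterwards keyed by (handler, vector), plus one legitimate submission."""
    results = {}
    for name, handler in (("vulnerable", update_account_vulnerable),
                          ("post_only", update_account_post_only),
                          ("token", update_account_protected)):
        for method in ("GET", "POST"):
            session = new_session()
            render_form(session)   # victim is logged in and has seen a form
            handler(session, method, forged_request_params())
            results[(name, method)] = session["email"]
    session = new_session()
    render_form(session)
    update_account_protected(session, "POST", {
        "m": "update_account", "email": "new@example.com",
        "csrf_token": session["csrf_token"]})
    results[("token", "legit")] = session["email"]
    return results


if __name__ == "__main__":
    for key, email in run_scenarios().items():
        print(key, "->", email)
```

Running it shows the vulnerable handler losing to both vectors, the POST-only handler still losing to the auto-submitted form, and the token handler rejecting both forged requests while still accepting the legitimate one. In PHP the same check is $_SESSION storage plus hash_equals() on the submitted value; a Referer check can sit alongside it, but should not be the only control.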
