General Best Practices:Setting a short time period for the users session
(pronounced as „sea-surf‟)
It‟s BAD. How?
Suppose you have an online bank account and
you‟re already authenticated (you have already
Now, you clicked on link from another
website, maybe from a comment. Ex.
<a href=”http://bankwebsite.com/transfermoney.hmtl”>I posted photos</a>
This will just look like: I posted photos
Your bank website would not know that is not
really your intention.
5. What is it?
Attacker exploits the fact that the victim is authenticated to
Identifying the attacker can be difficult
What can it do?
Proxy requests/commands for the attacker from the victim‟s
Even POSTS can be forged as GET requests in some
Web forms One Click Demo in module
6. How it is exploited?
Can be very simple – Image link in email, script on a blog,
Attackers gets user to
Execute a request (can be very simple as requesting an image url in email)
Innocently browsing a web site
Can users include hrefs or Image links to your site? Link to bad url
Ever click “view images” in an email?
All browsers happily send over credentials if already
If already logged in (forms auth) the cookie is sent over even for an
7. CSRF – HOW IT IS EXPLOITED?
8. CSRF – HOW IT IS EXPLOITED?
DEMO – Repeatability is the key
9. CSRF – HOW IT IS EXPLOITED?
DEMO – Piggyback with some other attack like XSS
10. CSRF – POSTs protect me
They do, don‟t they? Don‟t they? Hello?
Web Forms One Click attack
Page.IsPostBack doesn‟t always tell the truth
A button click doesn‟t always mean someone click the button
11. How do you prevent it?
All Web Apps
Ensure GET only retrieves a resource (as per HTTP Spec)
No state is modified
POSTS/PUT/DELETE can be forged, must take additional
Try to make requests unique and non-repeatable
12. CSRF Defenses
Attacker must know CAPTCHA answer
Assuming a secure implementation
○ Attacker must know victims password
○ If password is known, then game over already!
○ Attacker must know current token
○ Very strong defense!
Unique Request Tokens
Attacker must know unique request
token for particular victim for particular session
Assumes token is cryptographically secure and not
○ /accounts?auth=687965fdfaew87agrde …