Web Application Security | Beginner Session - Cross Site Request Forgery

null Bangalore February meet
Published in: Technology
Slide note (General Best Practices): set a short time period for the user's session.

1. CSRF/XSRF? (pronounced "sea-surf")
   It's BAD. How?

2. How?
   Suppose you have an online bank account and you're already authenticated (you have already logged in).

3. How?
   Now you click on a link from another website, maybe from a comment. Example:
   <a href="http://bankwebsite.com/transfermoney.html">I posted photos</a>
   This will just look like: I posted photos

4. How?
   Your bank website has no way to know that this is not really your intention: the request arrives from your browser, carrying your session cookie.

5. What is it?
   - The attacker exploits the fact that the victim is authenticated to a website.
   - Identifying the attacker can be difficult.
   What can it do?
   - Proxy requests/commands for the attacker from the victim's browser.
   - Even POSTs can be forged as GET requests in some cases (where the framework reads parameters from the query string as well as the body).
   - Web Forms One Click demo in module 5.

6. How is it exploited?
   - It can be very simple: an image link in an email, a script on a blog, a plain link.
   - The attacker gets the user to:
     - click a specially crafted link (or injects JavaScript into a site the victim visits),
     - execute a request (it can be as simple as requesting an image URL in an email),
     - innocently browse a web site.
   - Can users include hrefs or image links on your site? A link to a bad URL is enough.
   - Ever clicked "view images" in an email? All browsers happily send credentials along if the user is already logged on.
   - If already logged in (forms auth), the cookie is sent even for an image request.

7. CSRF – How is it exploited?
   DEMO

8. CSRF – How is it exploited?
   DEMO – Repeatability is the key

9. CSRF – How is it exploited?
   DEMO – Piggyback on some other attack like XSS

10. CSRF – POSTs protect me
    - They do, don't they? Don't they? Hello?
    - Web Forms One Click attack
      - Page.IsPostBack doesn't always tell the truth.
      - A button click event doesn't always mean someone clicked the button.

11. How do you prevent it?
    All web apps:
    - Ensure GET only retrieves a resource (as per the HTTP spec); no state is modified.
    - POST/PUT/DELETE can be forged too, so they need additional precautions.
    - Try to make requests unique and non-repeatable.

12. CSRF Defenses
    - CAPTCHA
      - The attacker must know the CAPTCHA answer.
      - Assumes a secure implementation.
    - Re-Authentication
      - Password based: the attacker must know the victim's password. If the password is known, it is game over already!
      - One-time token: the attacker must know the current token. Very strong defense!
    - Unique Request Tokens
      - The attacker must know the unique request token for that particular victim in that particular session.
      - Assumes the token is cryptographically secure and not disclosed.
      - Example: /accounts?auth=687965fdfaew87agrde …

13. Web Forms – CSRF Prevention
    DEMO
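The sequence of slides 3 to 12, played out against a toy bank, as an added example (this is not the deck's demo code, and it is framework-neutral rather than ASP.NET Web Forms). The first endpoint behaves like slide 4: it trusts the session cookie alone and honours a GET, so an image link forges a transfer and can be replayed. The second applies slides 11 and 12: state changes only on POST, and the POST must carry a per-session synchronizer token. The in-memory store, the user names, the /transfermoney path and the HMAC-over-session-id token scheme are all assumptions made for the illustration.

```python
"""CSRF on a toy bank: a vulnerable transfer endpoint beside one protected
with a per-session synchronizer token. Added example; the names, path, store
and token scheme below are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side key known only to the bank application (assumption: in a real
# deployment it is kept out of the browser and out of source control).
SECRET_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    """What the bank sees. The browser attaches the session cookie to every
    request for the bank's origin, whichever page triggered the request."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # query string on GET, body on POST


SESSIONS = {}                                   # session id -> user
BALANCES = {"alice": 1000, "bob": 0, "mallory": 0}


def login(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def csrf_token(sid):
    """Token bound to one session: HMAC(SECRET_KEY, session id). It is rendered
    into the bank's own forms, never into a cookie, so a page on another origin
    can neither read nor compute it."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def vulnerable_transfer(req):
    """Slide 4 behaviour: trusts the cookie alone and changes state on GET."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"
    amount = int(req.form["amount"])
    BALANCES[user] -= amount
    BALANCES[req.form["to"]] += amount
    return 200, "transferred"


def protected_transfer(req):
    """Slides 11-12: GET never modifies state; POST must carry the token."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state-changing requests must use POST"
    # Constant-time compare so a wrong token cannot be probed byte by byte.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form.get("amount", 0))
    if amount <= 0 or amount > BALANCES[user] or req.form.get("to") not in BALANCES:
        return 400, "bad transfer"
    BALANCES[user] -= amount
    BALANCES[req.form["to"]] += amount
    return 200, "transferred"


def run_scenarios():
    """Replay the deck's story and return each outcome plus final balances."""
    SESSIONS.clear()
    BALANCES.update({"alice": 1000, "bob": 0, "mallory": 0})
    victim_cookie = {"session": login("alice")}
    forged = {"to": "mallory", "amount": "100"}

    # Slides 3/6: <img src="http://bankwebsite.com/transfermoney?to=mallory&amount=100">
    # in an email; the browser fetches it with alice's cookie attached.
    img_get = Request("GET", "/transfermoney", victim_cookie, dict(forged))
    from_img = vulnerable_transfer(img_get)[0]
    replayed = vulnerable_transfer(img_get)[0]          # slide 8: repeatable
    get_blocked = protected_transfer(img_get)[0]        # hardened: GET refused
    # Slide 10: an attacker page auto-submits a POST form; the cookie still
    # rides along, but the form cannot contain alice's token.
    forged_post = Request("POST", "/transfermoney", victim_cookie, dict(forged))
    post_no_token = protected_transfer(forged_post)[0]
    # Slide 12: a token from the attacker's own session is not alice's token.
    mallory_token = csrf_token(login("mallory"))
    wrong_session = protected_transfer(Request(
        "POST", "/transfermoney", victim_cookie,
        {**forged, "csrf_token": mallory_token}))[0]
    # The bank's own form, rendered to alice, carries her token.
    legit = Request("POST", "/transfermoney", victim_cookie,
                    {"to": "bob", "amount": "100",
                     "csrf_token": csrf_token(victim_cookie["session"])})
    legit_post = protected_transfer(legit)[0]
    return {"img_get": from_img, "replay": replayed, "get_blocked": get_blocked,
            "post_no_token": post_no_token, "wrong_session": wrong_session,
            "legit_post": legit_post, "balances": dict(BALANCES)}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Two points of the design are worth noting. The token is tied to the session id rather than stored per user, so a token captured from the attacker's own session (the `wrong_session` case) is useless against the victim, which is exactly the property slide 12 asks for. The slide's one-time token variant would go one step further by recording each issued token and deleting it on use, making a captured token worthless after a single request; the session-bound token here is the weaker but stateless form of the same idea.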