Web Application Security | Beginner Session - Cross Site Request Forgery
Upcoming SlideShare
Loading in...5

Like this? Share it with your network

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 298

http://null.co.in 298

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • General Best Practices:Setting a short time period for the users session


  • 1. CSRF/XSRF? (pronounced as „sea-surf‟) It‟s BAD. How? 1
  • 2. How? Suppose you have an online bank account and you‟re already authenticated (you have already logged-in). 2
  • 3. How? Now, you clicked on link from another website, maybe from a comment. Ex. <a href=”http://bankwebsite.com/transfermoney.hmtl”>I posted photos</a> This will just look like: I posted photos 3
  • 4. How? Your bank website would not know that is not really your intention. 4
  • 5. What is it?  Attacker exploits the fact that the victim is authenticated to a website Identifying the attacker can be difficult  What can it do?   Proxy requests/commands for the attacker from the victim‟s browser  Even POSTS can be forged as GET requests in some cases  Web forms One Click Demo in module 5
  • 6. How it is exploited?   Can be very simple – Image link in email, script on a blog, simple link Attackers gets user to  Click a specially crafted link (or inject JavaScript to a site victim visits)  Execute a request (can be very simple as requesting an image url in email)  Innocently browsing a web site  Can users include hrefs or Image links to your site? Link to bad url   Ever click “view images” in an email? All browsers happily send over credentials if already logged on  If already logged in (forms auth) the cookie is sent over even for an image request 6
  • 8. CSRF – HOW IT IS EXPLOITED? DEMO – Repeatability is the key 8
  • 9. CSRF – HOW IT IS EXPLOITED? DEMO – Piggyback with some other attack like XSS 9
  • 10. CSRF – POSTs protect me  They do, don‟t they? Don‟t they? Hello?  Web Forms One Click attack  Page.IsPostBack doesn‟t always tell the truth  A button click doesn‟t always mean someone click the button 10
  • 11. How do you prevent it?  All Web Apps  Ensure GET only retrieves a resource (as per HTTP Spec)  No state is modified  POSTS/PUT/DELETE can be forged, must take additional precautions  Try to make requests unique and non-repeatable 11
  • 12. CSRF Defenses  CAPTCHA  Attacker must know CAPTCHA answer  Assuming a secure implementation  Re-Authentication  Password Based ○ Attacker must know victims password ○ If password is known, then game over already!  One-Time Token ○ Attacker must know current token ○ Very strong defense!  Unique Request Tokens  Attacker must know unique request token for particular victim for particular session  Assumes token is cryptographically secure and not disclosed. ○ /accounts?auth=687965fdfaew87agrde … 12
  • 13. Web Forms – CSRF Prevention DEMO 13