CSRF Basics

Published on

null Pune Chapter - August 2012 Meet

Published in: Education, Technology
Transcript

  • 1. CSRF / XSRF Basics -- by Jovin Lobo
  • 2. Definition: "CSRF / XSRF (Cross-Site Request Forgery) is a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users." --- Samvel Gevorgyan
  • 3. OWASP describes CSRF as .... CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's e-mail address, home address, or password, etc. So basically CSRF attacks target functions that cause a state change on the server, but can also be used to access sensitive data.
  • 4. Basic Working
  • 5. DEMO
  • 6. Prevention techniques that SUCK !!!
    ✗ Secret cookies
    ✗ Accepting only POST requests
    ✗ Multi-step transactions
  • 7. Then how do we prevent it ?? "Adding any unpredictable parameter to the requests should solve the problem............... What say ??"
  • 8. Some prevention techniques that DO NOT SUCK ...
    ✔ Challenge-Response:
      ➢ Re-authentication.
      ➢ Implement CAPTCHAs.
    ✔ Synchronizer Token Pattern
  • 9. Synchronizer Token Pattern. It's a server-side solution. Concept: Establish a token on the server side that indicates a valid submission, and give a token signature to the client that corresponds to that token (most likely in a hidden input field). When the client submits their form, the server validates their token and proceeds. It then marks the token as invalid so it may not be used again. The result is that any given form may only be used once and then will not work again.
  • 10. Control Flow. Ref: http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Positive_flow.png
  • 11. Control flow with invalid tokens. Ref: http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Negative_flow.png
  • 12. QUESTIONS ??
  • 13. References:
    ● https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
    ● http://tournasdimitrios1.wordpress.com/2012/02/16/preventing-cross-site-request-forgeries-in-php/
    ● http://pg-server.csc.ncsu.edu/mediawiki/index.php/CSC/ECE_517_Fall_2009/wiki2_3_b5
  • 14. THANK YOU
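The following is an added example, not code from the presentation or its references, that walks through slides 6 to 11 with a simulated server: why a secret session cookie and "POST only" do not stop a forged request (the browser attaches the cookie to a cross-site form post automatically, and the forging page cannot read the token because of the same-origin policy), and how the synchronizer token pattern produces the positive flow (valid token, accepted, then invalidated) and the negative flow (missing or replayed token, rejected). The in-memory `SESSIONS` store, the `Request` dataclass and the handler names `change_email_vulnerable` / `change_email_protected` are assumptions made for the demonstration; a real framework would keep session state and route requests for you.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory server state: session cookie value -> session data.
# Each session keeps the set of one-time CSRF tokens it has issued but not yet consumed.
SESSIONS: dict[str, dict] = {}


@dataclass
class Request:
    """Minimal model of an incoming HTTP POST: cookies the browser attached, form fields posted."""
    cookies: dict
    form: dict


def login(user: str) -> str:
    """Create a session and return the 'secret cookie' value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": f"{user}@example.invalid", "tokens": set()}
    return sid


def render_form(session_cookie: str) -> dict:
    """Server side of the positive flow: mint an unpredictable token, record it in the
    session, and return it to the client as the value of a hidden input field."""
    session = SESSIONS[session_cookie]
    token = secrets.token_urlsafe(32)
    session["tokens"].add(token)
    return {"action": "/change-email", "hidden": {"csrf_token": token}}


def change_email_vulnerable(req: Request) -> int:
    """Handler that trusts the session cookie alone (the 'secret cookie' non-defence)."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401  # not logged in
    session["email"] = req.form["email"]
    return 200


def change_email_protected(req: Request) -> int:
    """Same handler with the synchronizer token check added."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401
    submitted = req.form.get("csrf_token", "")
    # Compare in constant time against every unused token issued to this session.
    match = next((t for t in session["tokens"] if hmac.compare_digest(t, submitted)), None)
    if match is None:
        return 403  # negative flow: missing, unknown or already-used token
    session["tokens"].discard(match)  # one-time use: the same form cannot be replayed
    session["email"] = req.form["email"]
    return 200


def run_scenarios() -> dict:
    """Exercise the legitimate flow, a replay, and a forged cross-site POST."""
    cookie = login("alice")

    # Positive flow: the real page renders the form with a hidden token and submits it.
    form = render_form(cookie)
    legit = Request(cookies={"session": cookie},
                    form={"email": "alice-new@example.invalid", **form["hidden"]})
    legit_status = change_email_protected(legit)

    # Replaying the exact same submission fails because the token was consumed.
    replay_status = change_email_protected(legit)

    # Forged request: another site posts the form while the victim is logged in.
    # The browser attaches the session cookie on its own; the forging page never sees
    # the token, so the form carries none. This is a POST, so 'POST only' does not help.
    forged = Request(cookies={"session": cookie},
                     form={"email": "attacker-controlled@example.invalid"})
    return {
        "legit": legit_status,
        "replay": replay_status,
        "forged_vulnerable": change_email_vulnerable(forged),
        "forged_protected": change_email_protected(forged),
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:18s} -> HTTP {status}")
```

Running the script shows the legitimate submission returning 200 and the replay 403 (the token was invalidated on first use, as slide 9 describes), while the forged post succeeds (200) against the cookie-only handler and is rejected (403) by the token-checking one. The token is stored per session on the server and only ever leaves it inside the rendered page, which is what makes it the "unpredictable parameter" slide 7 asks for.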
