Csrf final

A brief overview of Cross site request forgery(CSRF) attack

Published in: Education
1. Sreejith S
   MCA
   Amrita School of Engineering
   Email: sreejiths.sasikumar@gmail.com
2. Agenda
   • Why CSRF is interesting?
   • Refresher on HTML forms
   • Anatomy of CSRF attack
   • Obstacles for attacker
   • Existing CSRF defenses
3. Cookie: SessionID=523FA4cd2E
4. Existing CSRF defenses
   • Secret Validation token
   • We use a validation token to determine whether the request came from an authorized source.
   • The validation token must be hard for the attacker to guess.
   • If the request is missing a validation token, or the token does not match the expected value, the server should reject the request.
5. Where the Secret validation token fails
   • Many websites and CSRF frameworks fail to implement the secret token defense correctly.
   • One common mistake is to leak the CSRF token during a cross-site request.
   • E.g. if the honest site appends the CSRF token to hyperlinks pointing to another website, then that website gains the ability to forge cross-site requests against the honest site.
6. The Referer Header
   • When the browser issues an HTTP request, it includes a Referer header that indicates which URL initiated the request.
   • This information in the Referer header could be used to distinguish between a same-site request and a cross-site request.
   Referer: http://www.facebook.com/
   Referer: http://www.attacker.com/evil.html
   Referer: ?
7. Privacy Issues with Referer header
   • The Referer contains sensitive information that impinges on privacy.
   • The Referer header reveals the contents of the search query that led to a visit to a website.
   • Some organizations are concerned that confidential information about their corporate intranet might leak to external websites via the Referer header.
8. Referer header Implementation: Lenient Referer Validation
   • The site blocks requests whose Referer header has an incorrect value.
   • If the request lacks the header, then the site accepts the request.
   • Disadvantage: the attacker can cause the web browser to suppress the Referer header.
   • E.g. requests issued from ftp: and data: URLs do not carry Referer headers.
9. Referer header Implementation: Strict Referer Validation
   • The site blocks requests whose Referer header has an incorrect value and also blocks requests that lack a Referer header.
   • Disadvantage: some browsers and network configurations suppress the Referer header for legitimate requests.
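Lenient and strict Referer validation side by side, as an added example that is not from the slides. It assumes request headers arrive as a plain object (header names in any case) and treats the slide 6 origin `http://www.facebook.com` as the site being protected; the `mode` parameter name is my own. The comparison is on the full origin, so a look-alike host such as `www.facebook.com.attacker.com` does not pass, and the only difference between the two modes is what happens when the header is absent.

```javascript
// Added example (not from the original slides). Referer validation with the
// lenient (slide 8) and strict (slide 9) policies. Assumes a plain headers
// object; SITE_ORIGIN is the honest site from slide 6.
const SITE_ORIGIN = 'http://www.facebook.com';

// Header names are case-insensitive; find Referer however it was spelled.
function getReferer(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'referer') return value;
  }
  return undefined;
}

// True only when the Referer parses and its origin equals ours.
// ftp:, data: and unparsable values yield a non-matching origin.
function refererMatchesSite(referer) {
  try {
    return new URL(referer).origin === new URL(SITE_ORIGIN).origin;
  } catch (e) {
    return false;
  }
}

// mode 'lenient': missing Referer is accepted (slide 8).
// mode 'strict' : missing Referer is rejected as well (slide 9).
function checkReferer(headers, mode) {
  const referer = getReferer(headers);
  if (referer === undefined) return mode === 'lenient';
  return refererMatchesSite(referer);
}

// Demonstration over constructed requests covering the cases on slides 6, 8, 9.
const samples = [
  ['same-site referer',          { Referer: 'http://www.facebook.com/' }],
  ['cross-site referer',         { Referer: 'http://www.attacker.com/evil.html' }],
  ['look-alike host',            { Referer: 'http://www.facebook.com.attacker.com/' }],
  ['suppressed referer (?)',     { cookie: 'SessionID=523FA4cd2E' }],
];
for (const [label, headers] of samples) {
  console.log(label.padEnd(26),
    'lenient:', checkReferer(headers, 'lenient'),
    'strict:', checkReferer(headers, 'strict'));
}

module.exports = { getReferer, refererMatchesSite, checkReferer };
```

The "suppressed referer" row is the trade-off the two slides describe: lenient mode lets it through (so an attacker who can make the browser drop the header gets a free pass), strict mode rejects it (so legitimate users behind privacy proxies or browsers that strip Referer are blocked too).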
10. Custom HTTP Headers
   • Browsers prevent sites from sending custom HTTP headers to another site but allow sites to send custom HTTP headers to themselves.
   • Cookie value is not actually required to prevent CSRF attacks; the mere presence of the header is sufficient.
   • To use this scheme as a CSRF defense, a site must issue all state-modifying requests using XMLHttpRequest, attach the header, and reject all requests that are not accompanied by the header.
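The server-side half of the custom-header scheme, as an added example that is not from the slides. It assumes requests are plain `{ method, headers }` objects and uses `X-Requested-With` as the custom header name, which is a common convention rather than something the slide prescribes. The point the slide makes is encoded directly: only the header's presence is checked, never its value, and only state-modifying methods are gated. The client side (omitted here because it needs a browser) is the `xhr.setRequestHeader('X-Requested-With', ...)` call made by the site's own pages; a plain HTML form submitted from another origin has no way to add that header.

```javascript
// Added example (not from the original slides). Custom-header CSRF defense,
// server side. Assumes requests as plain { method, headers } objects; the
// header name X-Requested-With is a conventional choice (assumption).
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
const REQUIRED_HEADER = 'x-requested-with';

// True when a state-modifying request carries the custom header, in any
// letter case and with any value (slide 10: presence alone is sufficient).
function hasCustomHeader(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === REQUIRED_HEADER);
}

// Gate for the server: safe methods pass; state-modifying ones need the header.
// The site must therefore never change state on GET, or this gate is bypassed.
function allowRequest(req) {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return true;
  return hasCustomHeader(req.headers);
}

// Demonstration over constructed requests. The first is what a forged
// cross-site form post looks like on arrival: cookie present, header absent.
const forgedFormPost = {
  method: 'POST',
  headers: {
    cookie: 'SessionID=523FA4cd2E',               // cookie from slide 3
    'content-type': 'application/x-www-form-urlencoded',
    referer: 'http://www.attacker.com/evil.html', // origin from slide 6
  },
};
const sameSiteXhr = {
  method: 'POST',
  headers: {
    cookie: 'SessionID=523FA4cd2E',
    'X-Requested-With': 'XMLHttpRequest',         // set by the site's own script
  },
};
const plainGet = { method: 'GET', headers: { cookie: 'SessionID=523FA4cd2E' } };

console.log('forged form post allowed?', allowRequest(forgedFormPost));
console.log('same-site XHR allowed?   ', allowRequest(sameSiteXhr));
console.log('plain GET allowed?       ', allowRequest(plainGet));

module.exports = { hasCustomHeader, allowRequest, STATE_CHANGING };
```

Note the caveat in `allowRequest`: the defense only covers requests the site routes through the gate, so every state-changing action has to be behind a non-GET method, exactly as the slide's "issue all state modifying requests using XMLHttpRequest" requires.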
11. Thank You