
Application security, https, web security, sniffing, cryptography, owasp, vulnerability, threat, exploit, webgoat, samurai WTF, webscarab, w3af, zed proxy, acunetix, burpsuite, secure authentication, parameter modification, sql injection, session ID prediction, session management, cross site scripting, reflected xss, stored xss, application security proxy, xst, csrf

Published in: Technology


  1. SEA SURFING: HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE…
     Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
     Asanka Fernandopulle, Senior Software Engineer, 99X Technology
  2. What is it?
     Cross Site Request Forgery – "Sea Surf"
     • The attacker exploits the fact that the victim is already authenticated to a website.
     • Identifying the attacker can be difficult: the forged request arrives from the victim's own browser, with the victim's own session.
     What can it do?
     • Proxy requests/commands for the attacker from the victim's browser.
     • Even POSTs can be forged as GET requests in some cases.
     • Web Forms "one click" attack (demo in module).
     January 1, 2013, 99X Technology (c)
  3. How is it exploited?
     • It can be very simple: an image link in an email, a script on a blog, a plain link.
     • The attacker gets the user to
       • click a specially crafted link (or injects JavaScript into a site the victim visits), or
       • execute a request (as simple as loading an image URL embedded in an email).
     • Innocently browsing a web site: can users include hrefs or image links to your site? A link to a bad URL is enough.
     • Ever clicked "view images" in an email?
     • All browsers happily send the credentials along if the user is already logged on: with forms authentication the cookie is sent even for an image request.
     • Some requests are invisible to the user (IE default setting).
  4. CSRF – How is it exploited? DEMO
  5. CSRF – How is it exploited? DEMO – repeatability is the key
  6. CSRF – How is it exploited? DEMO – piggyback on another attack such as XSS
  7. CSRF – POSTs protect me. They do, don't they? Don't they? Hello?
     A hidden form on the attacker's page that submits itself produces a POST carrying the victim's cookies, just as an image link produces a GET.
     • MVC: CSRF via XSS
     • Web Forms: one-click attack
       • Page.IsPostBack doesn't always tell the truth.
       • A button click doesn't always mean someone clicked the button.
  8. How do you prevent it?
     All web apps
     • Ensure GET only retrieves a resource (as per the HTTP spec): no state is modified.
     • POST/PUT/DELETE can be forged too, so they must take additional precautions.
     • Make state-changing requests unique and non-repeatable (a secret token the attacker's page cannot obtain).
     Web Forms specific
     • ViewStateUserKey = Session.SessionId: ViewState then acts as a form token (this only helps when ViewState MAC validation is enabled, since the key is folded into the MAC).
     • Must protect the session IDs (encryption, hashing).
     • Pages inherit from a base web page that sets this.
     • SSL to prevent sniffing of ViewState and SessionId.
     MVC specific
     • The Anti-Forgery token uses a form value AND a cookie value.
     • SSL to prevent sniffing of the Anti-Forgery token.
  9. Web Forms – CSRF prevention: DEMO
  10. MVC – CSRF prevention: DEMO