CSRF Basics

Published on: null Pune Chapter - August 2012 Meet
Published in: Education, Technology


  1. Csrf / Xsrf Basics -- by Jovin Lobo
  2. Definition: "CSRF / XSRF (Cross-Site Request Forgery) is a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users." --- Samvel Gevorgyan
  3. OWASP describes CSRF as .... CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's e-mail address, home address, or password, etc. So basically CSRF attacks target functions that cause a state change on the server, but can also be used to access sensitive data (though the attacker's page cannot normally read the response to the forged request, so the state change is the main danger).
  4. Basic Working
  5. DEMO
  6. Prevention techniques that SUCK !!!
     ✗ Secret cookies (the browser attaches every cookie it holds for the target site to the forged request, so a "secret" cookie travels along with the session cookie)
     ✗ Accepting only POST requests (an attacker page can auto-submit a hidden form with method="POST")
     ✗ Multi-Step transactions (if each step is predictable, the attacker can forge every step in sequence)
  7. Then how do we prevent it ?? "Adding any unpredictable parameter to the requests should solve the problem............... What Say ??"
  8. Some prevention techniques that DO NOT SUCK ...
     ✔ Challenge-Response:
       ➢ Re-authentication.
       ➢ Implement CAPTCHAs.
     ✔ Synchronizer Token Pattern
  9. Synchronizer Token Pattern. It's a server-side solution. Concept: establish a token on the server side that indicates a valid submission, and give a token signature to the client that corresponds to that token (most likely in a hidden input field). When the client submits their form, the server validates their token and proceeds. It then marks the token as invalid so it may not be used again. The result is that any given form may only be used once and then will not work again. The token must be unpredictable (generated from a cryptographic random source) and compared in constant time; the attacker's page cannot obtain it because the same-origin policy prevents it from reading the victim's form. The OWASP cheat sheet also accepts one token per session; the per-request tokens described here are stricter but break the back button and parallel tabs.
  10. Control Flow. Ref: http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Positive_flow.png
  11. Control flow with invalid tokens. Ref: http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Negative_flow.png
  12. QUESTIONS ??
  13. References:
      ● https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
      ● http://tournasdimitrios1.wordpress.com/2012/02/16/preventing-cross-site-request-forgeries-in-php/
      ● http://pg-server.csc.ncsu.edu/mediawiki/index.php/CSC/ECE_517_Fall_2009/wiki2_3_b5
  14. THANK YOU
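Worked example for slides 6 and 9: a simulated "change e-mail" endpoint, first as a POST-only handler that trusts the session cookie alone (the forged request from the attacker's auto-submitted form succeeds), then with the Synchronizer Token Pattern (the forged request is refused, the legitimate form works once, and a replay of the consumed token is refused). This is an added example written for this page, not code from the slides or from any of the referenced articles. The session store, the cookie handling, the attacker page and the host names bank.example / evil.example are all constructed stand-ins so the code runs offline.

```python
import hmac
import secrets

# Constructed in-memory stand-in for a server-side session store:
# session id -> session data. A real app would use its framework's backend.
SESSIONS = {}

# What the attacker's page on evil.example would hold: a hidden form the victim's
# browser auto-submits as a POST to the target site, cookies attached.
# This is why "accept only POST" (slide 6) does not stop CSRF.
ATTACKER_PAGE = """
<form id="f" action="https://bank.example/change_email" method="POST">
  <input type="hidden" name="email" value="attacker@evil.example">
</form>
<script>document.getElementById("f").submit();</script>
"""


def login(user, email):
    """Create a session and return the cookie value the victim's browser stores."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": email, "csrf_tokens": set()}
    return sid


def render_change_email_form(session_id):
    """Server side of the Synchronizer Token Pattern: mint an unpredictable token,
    remember it in the session, and hand it to the client in a hidden input."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_tokens"].add(token)
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def extract_token(hidden_input_html):
    """Legitimate client reads the token back out of the form it was served.
    The attacker's page cannot do this: the same-origin policy blocks the read."""
    return hidden_input_html.split('value="')[1].split('"')[0]


def _authenticated_session(cookies, method):
    """Checks shared by both endpoints: POST only, valid session cookie."""
    if method != "POST":
        return None, (405, "method not allowed")
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return None, (401, "not logged in")
    return sess, None


def change_email_vulnerable(cookies, method, form):
    """POST-only endpoint that relies on the session cookie alone: forgeable."""
    sess, err = _authenticated_session(cookies, method)
    if err:
        return err
    sess["email"] = form["email"]
    return 200, "email updated"


def change_email_protected(cookies, method, form):
    """Same endpoint with the Synchronizer Token Pattern: the submitted token must
    match one the server issued for this session, and is consumed on use."""
    sess, err = _authenticated_session(cookies, method)
    if err:
        return err
    submitted = form.get("csrf_token", "")
    # Constant-time comparison against each outstanding token for this session.
    matched = [t for t in sess["csrf_tokens"] if hmac.compare_digest(t, submitted)]
    if not matched:
        return 403, "invalid or missing CSRF token"
    sess["csrf_tokens"].discard(matched[0])  # one-shot token, as on slide 9
    sess["email"] = form["email"]
    return 200, "email updated"


def run_scenario():
    """Victim logs in; the forged and the legitimate request hit both endpoints.
    Returns the observed status codes and resulting e-mail addresses."""
    sid = login("alice", "alice@example.com")
    victim_cookies = {"session": sid}  # browser adds this to every request to bank.example
    forged_form = {"email": "attacker@evil.example"}  # the fields from ATTACKER_PAGE, no token

    out = {}
    out["vulnerable_forged_status"] = change_email_vulnerable(victim_cookies, "POST", forged_form)[0]
    out["vulnerable_email"] = SESSIONS[sid]["email"]

    SESSIONS[sid]["email"] = "alice@example.com"  # undo the damage before the protected run
    out["protected_forged_status"] = change_email_protected(victim_cookies, "POST", forged_form)[0]
    out["email_after_forged"] = SESSIONS[sid]["email"]

    token = extract_token(render_change_email_form(sid))
    legit_form = {"email": "alice@new.example", "csrf_token": token}
    out["protected_legit_status"] = change_email_protected(victim_cookies, "POST", legit_form)[0]
    out["email_after_legit"] = SESSIONS[sid]["email"]
    out["replay_status"] = change_email_protected(victim_cookies, "POST", legit_form)[0]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable endpoint accepting the forged POST (status 200, e-mail changed to the attacker's address) and the protected one rejecting it (403, e-mail unchanged), while the legitimate form submission succeeds once and its token is refused on replay. Swapping the per-request `discard` for a single token kept for the whole session gives the per-session variant the OWASP cheat sheet also allows.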
