n|u - The Open Security Community, profile picture
Uploaded byn|u - The Open Security Community
PDF, PPTX4,399 views

CSRF Basics

Csrf / Xsrf Basics defines CSRF as a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users. CSRF tricks the victim into loading a page that contains a malicious request, which inherits the victim's identity and privileges to perform an undesired function like changing passwords. CSRF attacks target functions that cause state changes on the server but can also access sensitive data. The synchronizer token pattern is a server-side prevention technique that establishes a token on the server to validate submissions through a corresponding token in a hidden form field, marking tokens as invalid after single use.

Embed presentation

Download as PDF, PPTX
Csrf / Xsrf Basics --by Jovin Lobo
Definition : “CSRF / XSRF (Cross-Site Request Forgery) is a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users.” --- Samvel Gevorgyan
OWASP describes CSRF as .... CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf like change the victim's e-mail address, home address, or password..etc So basically CSRF attacks target functions that cause a state change on the server but can also be used to access sensitive data.
Basic Working
DEMO
Prevention techniques that SUCK !!! ✗ Secret cookies ✗ Accepting only POST requests ✗ Multi-Step transactions
Then how do we prevent it ?? “Adding any 'unpredictable' parameter to the requests should solve the problem............... What Say ??”
Some prevention techniques that DO NOT SUCK ... ✔ Challenge-Response : ➢ Re- Authentication. ➢ Implement CAPTCHAS. ✔ Synchronizer Token Pattern
Synchronizer Token Pattern Its a Server-Side Solution. Concept: Establish a token on the server side that indicates a valid submission, and give a token signature to the client that corresponds to that token (most likely in a hidden input field). When the client submits their form, the server validates their token and proceeds. It then marks the token as invalid so it may not be used again. The result is that any given form may only be used once and then will not work again.
Control Flow Ref: http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Positive_flow.png
Control flow with invalid tokens Ref : http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Negative_flow.png
QUESTIONS ??
References: ● https://www.owasp.org/index.php/Cross-Site_Request_Forgery_ %28CSRF%29_Prevention_Cheat_Sheet ● http://tournasdimitrios1.wordpress.com/2012/02/16/preventing- cross-site-request-forgeries-in-php/ ● http://pg- server.csc.ncsu.edu/mediawiki/index.php/CSC/ECE_517_Fall_2009 /wiki2_3_b5
THANK YOU

More Related Content

PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PDF
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
PPTX
Password sniffing
bySRIMCA
 
PDF
Secure Session Management
byGuidePoint Security, LLC
 
PPTX
Spoofing Techniques
byRaza_Abidi
 
PPTX
Encryption techniques
byShrikantSharma86
 
PPTX
File inclusion
byAaftabKhan14
 
PPT
Ch04 Network Vulnerabilities and Attacks
byInformation Technology
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
Password sniffing
bySRIMCA
 
Secure Session Management
byGuidePoint Security, LLC
 
Spoofing Techniques
byRaza_Abidi
 
Encryption techniques
byShrikantSharma86
 
File inclusion
byAaftabKhan14
 
Ch04 Network Vulnerabilities and Attacks
byInformation Technology
 

What's hot

PPTX
Ssrf
byIlan Mindel
 
PPT
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPT
Cross Site Request Forgery
byTony Bibbs
 
PDF
Cross site scripting
byn|u - The Open Security Community
 
PPTX
Xss attack
byManjushree Mashal
 
PPTX
Cross Site Request Forgery (CSRF) Scripting Explained
byValency Networks
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
PPTX
Deep dive into ssrf
byn|u - The Open Security Community
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PPTX
Introduction to CSRF Attacks & Defense
bySurya Subhash
 
PPTX
Password Cracking
bySagar Verma
 
PPTX
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPT
Sql injection
byPallavi Biswas
 
PPT
XSS - Attacks & Defense
byBlueinfy Solutions
 
PDF
CORS and (in)security
byn|u - The Open Security Community
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPTX
Cross-Site Scripting (XSS)
byDaniel Tumser
 
Ssrf
byIlan Mindel
 
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
Cross Site Request Forgery
byTony Bibbs
 
Cross site scripting
byn|u - The Open Security Community
 
Xss attack
byManjushree Mashal
 
Cross Site Request Forgery (CSRF) Scripting Explained
byValency Networks
 
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
Deep dive into ssrf
byn|u - The Open Security Community
 
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Introduction to CSRF Attacks & Defense
bySurya Subhash
 
Password Cracking
bySagar Verma
 
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Sql injection
byPallavi Biswas
 
XSS - Attacks & Defense
byBlueinfy Solutions
 
CORS and (in)security
byn|u - The Open Security Community
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Cross-Site Scripting (XSS)
byDaniel Tumser
 

Similar to CSRF Basics

PPTX
Cyber security 2.pptx
byNotSure11
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
PDF
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
PDF
CSRF Attacks and its Defence using Middleware
byijtsrd
 
PPTX
Mitigating CSRF with two lines of codes
byMinhaz A V
 
PDF
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
byVarun Mithran
 
DOCX
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
PPTX
CSRF
byAkanksha Raikwar
 
PDF
Protecting Your Web Applications: How to Prevent Cross-Site Request Forgery (...
bySecuodsoft
 
PDF
A4 A K S H A Y B H A R D W A J
bybhardwajakshay
 
PPTX
Cross Site Request Forgery- CSRF
byMitul Babariya
 
PPT
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
PPTX
CSRF Attack and Its Prevention technique in ASP.NET MVC
bySuvash Shah
 
PPTX
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
byOWASP Khartoum
 
PDF
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
byOWASP EEE
 
PDF
Owasp eee 2015 csrf
byAurelijus Stanislovaitis
 
PDF
Understanding CSRF
byPotato
 
PPT
Web Security Overview and Demo
byTony Bibbs
 
PPTX
JSON based CSRF
byAmit Dubey
 
PPTX
Web Hacking Series Part 5
byAditya Kamat
 
Cyber security 2.pptx
byNotSure11
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
Grey H@t - Cross-site Request Forgery
byChristopher Grayson
 
CSRF Attacks and its Defence using Middleware
byijtsrd
 
Mitigating CSRF with two lines of codes
byMinhaz A V
 
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
byVarun Mithran
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
CSRF
byAkanksha Raikwar
 
Protecting Your Web Applications: How to Prevent Cross-Site Request Forgery (...
bySecuodsoft
 
A4 A K S H A Y B H A R D W A J
bybhardwajakshay
 
Cross Site Request Forgery- CSRF
byMitul Babariya
 
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
bySuvash Shah
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
byOWASP Khartoum
 
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent
byOWASP EEE
 
Owasp eee 2015 csrf
byAurelijus Stanislovaitis
 
Understanding CSRF
byPotato
 
Web Security Overview and Demo
byTony Bibbs
 
JSON based CSRF
byAmit Dubey
 
Web Hacking Series Part 5
byAditya Kamat
 

More from n|u - The Open Security Community

PDF
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
PDF
Osint primer
byn|u - The Open Security Community
 
PPTX
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
PPTX
Nmap basics
byn|u - The Open Security Community
 
PDF
Metasploit primary
byn|u - The Open Security Community
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
Introduction to TLS 1.3
byn|u - The Open Security Community
 
PDF
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
PDF
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
PPTX
Building active directory lab for red teaming
byn|u - The Open Security Community
 
PPTX
Owning a company through their logs
byn|u - The Open Security Community
 
PPTX
Introduction to shodan
byn|u - The Open Security Community
 
PDF
Cloud security
byn|u - The Open Security Community
 
PDF
Detecting persistence in windows
byn|u - The Open Security Community
 
PPTX
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
PDF
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
PDF
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
PDF
Extensible markup language attacks
byn|u - The Open Security Community
 
PPTX
Linux for hackers
byn|u - The Open Security Community
 
PDF
Android Pentesting
byn|u - The Open Security Community
 
Hardware security testing 101 (Null - Delhi Chapter)
byn|u - The Open Security Community
 
Osint primer
byn|u - The Open Security Community
 
SSRF exploit the trust relationship
byn|u - The Open Security Community
 
Nmap basics
byn|u - The Open Security Community
 
Metasploit primary
byn|u - The Open Security Community
 
Api security-testing
byn|u - The Open Security Community
 
Introduction to TLS 1.3
byn|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
byn|u - The Open Security Community
 
Talking About SSRF,CRLF
byn|u - The Open Security Community
 
Building active directory lab for red teaming
byn|u - The Open Security Community
 
Owning a company through their logs
byn|u - The Open Security Community
 
Introduction to shodan
byn|u - The Open Security Community
 
Cloud security
byn|u - The Open Security Community
 
Detecting persistence in windows
byn|u - The Open Security Community
 
Frida - Objection Tool Usage
byn|u - The Open Security Community
 
OSQuery - Monitoring System Process
byn|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
Extensible markup language attacks
byn|u - The Open Security Community
 
Linux for hackers
byn|u - The Open Security Community
 
Android Pentesting
byn|u - The Open Security Community
 

Recently uploaded

PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
PPTX
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PPTX
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PPTX
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PDF
The voice of the rain poem class 11th.pdf
byReeta Baral
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
PPTX
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PARENTAL ROUTES OF DRUGS ADMINISTRATION .pptx
byAneetaSharma15
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
Partial Correlation - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂ r₁₂, r₁₃ and r₂₃
bySundar B N
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
Analyzing the data of your initial survey
byThelma Villaflores
 
The voice of the rain poem class 11th.pdf
byReeta Baral
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 

CSRF Basics

  • 1.
    Csrf / XsrfBasics --by Jovin Lobo
  • 2.
    Definition : “CSRF /XSRF (Cross-Site Request Forgery) is a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users.” --- Samvel Gevorgyan
  • 3.
    OWASP describes CSRFas .... CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf like change the victim's e-mail address, home address, or password..etc So basically CSRF attacks target functions that cause a state change on the server but can also be used to access sensitive data.
  • 4.
  • 5.
  • 6.
    Prevention techniques thatSUCK !!! ✗ Secret cookies ✗ Accepting only POST requests ✗ Multi-Step transactions
  • 7.
    Then how dowe prevent it ?? “Adding any 'unpredictable' parameter to the requests should solve the problem............... What Say ??”
  • 8.
    Some prevention techniquesthat DO NOT SUCK ... ✔ Challenge-Response : ➢ Re- Authentication. ➢ Implement CAPTCHAS. ✔ Synchronizer Token Pattern
  • 9.
    Synchronizer Token Pattern Itsa Server-Side Solution. Concept: Establish a token on the server side that indicates a valid submission, and give a token signature to the client that corresponds to that token (most likely in a hidden input field). When the client submits their form, the server validates their token and proceeds. It then marks the token as invalid so it may not be used again. The result is that any given form may only be used once and then will not work again.
  • 10.
  • 11.
    Control flow withinvalid tokens Ref : http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Negative_flow.png
  • 12.
  • 13.
    References: ● https://www.owasp.org/index.php/Cross-Site_Request_Forgery_ %28CSRF%29_Prevention_Cheat_Sheet ● http://tournasdimitrios1.wordpress.com/2012/02/16/preventing- cross-site-request-forgeries-in-php/ ● http://pg- server.csc.ncsu.edu/mediawiki/index.php/CSC/ECE_517_Fall_2009 /wiki2_3_b5
  • 14.