Surya Subhash, profile picture
Uploaded bySurya Subhash
PPTX, PDF3,629 views

Introduction to CSRF Attacks & Defense

The document provides an overview of Cross-Site Request Forgery (CSRF) attacks, including their definition, impact, and testing methods. It outlines various defenses against CSRF and common misconceptions regarding their effectiveness, as well as techniques for bypassing these defenses. Additionally, it highlights the vulnerabilities of home DSL routers to CSRF exploits and mentions references for further reading.

Embed presentation

Downloaded 139 times
Introduction to CSRF Attacks &defenses.
Who Am I ? I’m P.B.Surya.Subhash, a 17 Year old Coder, Hacker and a student. Certified by Microsoft and was offered a job by Yahoo, Dell , Slideshare and a couple of other MNC’s Helped USA.Gov, Nic.in, NCSL, Netherlands. pbssubhash@gmail.com@pbssubhashFb.me/pbssubhashLinkedin.com/in/pbssubhash
And many more…
• What’s CSRF ? • Impact of CSRF • How to test websites for CSRF ? • Real time attack scenario of CSRF. • Defenses against CSRF • How to Bypass those defenses ? • Using CSRF to compromise DSL Routers • Conclusion  Agenda
What’s this CSRF ? •CrosssiterequestforgeryabbreviatedasCSRFandalsoknownasSession Riding. •Forcesanendusertoexecuteunwantedactionsonawebapplicationin whichhe/sheiscurrentlyauthenticated.
Impact  A successful CSRF exploit can compromise end user data and operation in case of normal user.  If the targeted end user is the administrator account, this can compromise the entire web application.
That’s all ? • Anythinganauthenticatedusercando • Norestrictionfromsameoriginpolicy,except… • Attackerscannotreadresponsesfromotherorigins • Limitedonwhatcanbedonewithdata • Severeimpactonaccountability-Logentriesreflecttheactionsavictimwastrickedinto executing
How to find these ?So lets break it ! (root@null: rm –rf /root/earth/security/)
Let’s Exploit it !
Killer Combination ! • Persistent Script Injection + CSRF = PWN3D
defenses  The simplest one is to validate the Referrer header in the HTTP Request preventing the request from unknown sources.  The most popular one remains the token.  Custom HTTP Header like X-Requested-By: My Site.com – Not so popular…  Same Orgin Policy.  Re-authentication  Captcha
Common Mistakes :- • Not validating the token .. • Not applying captcha properly. Example :- http://www.youtube.com/watch?v=zl0ARKQhoLA
Misconceptions – Defenses That Don’t Work  Only accept POST  Stops simple link-based attacks (IMG, frames, etc.)  But hidden POST requests can be created with frames, scripts, etc…  Referrer checking  Some users prohibit referrers, so you can’t just require referrer headers  Techniques to selectively create HTTP request without referrers exist  Requiring multi-step transactions  CSRF attack can perform each step in order None of these approaches will sufficiently protect against CSRF!
Intro on How to Bypass those defenses ? • Clickjacking • Bypassing SOP • Insecure CrossDomain.XML • Openly available exploits • Bypassing the captcha • Checking Token Validation • Checking header Validation • Converting POST based requests to GET based requests.
CSRF to compromise DSL Routers ? • Home DSL routers aren't secure from specialized CSRF attacks. Once the DSL router is owned, attackers can have their way with the internal network. Initiate a connection to the new DSL router. Turn on remote management. Add a password to the Admin user account.
Demo Time
References :- • https://en.wikipedia.org/wiki/Cross-site_request_forgery • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) • https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ • https://projects.webappsec.org/Cross-Site-Request-Forgery • https://www.owasp.org/index.php/Cross- Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
Anything to ask ?
Bye ! Please drop your suggestions at @pbssubhash (or) pbssubhash@gmail.com Thank You!

More Related Content

PPT
Cross Site Request Forgery
byTony Bibbs
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPT
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
PPTX
Cross site scripting
bykinish kumar
 
PPTX
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
PPT
SQL Injection
byAdhoura Academy
 
PPTX
Xss attack
byManjushree Mashal
 
Cross Site Request Forgery
byTony Bibbs
 
A8 cross site request forgery (csrf) it 6873 presentation
byAlbena Asenova-Belal
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Cross Site Request Forgery Vulnerabilities
byMarco Morana
 
Cross site scripting
bykinish kumar
 
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
SQL Injection
byAdhoura Academy
 
Xss attack
byManjushree Mashal
 

What's hot

PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PPTX
Cross-Site Scripting (XSS)
byDaniel Tumser
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
VULNERABILITY ( CYBER SECURITY )
byKashyap Mandaliya
 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
 
PPTX
Bug Bounty 101
byShahee Mirza
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PDF
Lecture #24 : Cross Site Request Forgery (CSRF)
byDr. Ramchandra Mangrulkar
 
PDF
Cross site scripting attacks and defenses
byMohammed A. Imran
 
PDF
Cross site scripting
byn|u - The Open Security Community
 
PPTX
Mobile security in Cyber Security
byGeo Marian
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PPTX
Web application security
byKapil Sharma
 
PPTX
Introduction to Metasploit
byGTU
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Cross-Site Scripting (XSS)
byDaniel Tumser
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
Application Security - Your Success Depends on it
byWSO2
 
VULNERABILITY ( CYBER SECURITY )
byKashyap Mandaliya
 
Web application vulnerability assessment
byRavikumar Paghdal
 
Bug Bounty 101
byShahee Mirza
 
Attacking thru HTTP Host header
bySergey Belov
 
Lecture #24 : Cross Site Request Forgery (CSRF)
byDr. Ramchandra Mangrulkar
 
Cross site scripting attacks and defenses
byMohammed A. Imran
 
Cross site scripting
byn|u - The Open Security Community
 
Mobile security in Cyber Security
byGeo Marian
 
Secure coding practices
byMohammed Danish Amber
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Web application security
byKapil Sharma
 
Introduction to Metasploit
byGTU
 
CSRF Basics
byn|u - The Open Security Community
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 

Viewers also liked

PPTX
Ppt on sql injection
byashish20012
 
PDF
Sql Injection Myths and Fallacies
byKarwin Software Solutions LLC
 
PPTX
Cross Site Request Forgery (CSRF) Scripting Explained
byValency Networks
 
PPT
XSS and CSRF with HTML5
byShreeraj Shah
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
Sql injection
byHemendra Kumar
 
PDF
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
PPT
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
byRuss McRee
 
PDF
Understanding CSRF
byPotato
 
PDF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
byMark Stanton
 
DOCX
Pfe rapport rabiaa hind 04 06 2012
byOlaya Hoyame
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
PPT
[Php Camp]Owasp Php Top5+Csrf
byBipin Upadhyay
 
PPTX
SQL Injection
byMarios Siganos
 
PDF
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
byShreeraj Shah
 
PPTX
CSRF Attack and Its Prevention technique in ASP.NET MVC
bySuvash Shah
 
Ppt on sql injection
byashish20012
 
Sql Injection Myths and Fallacies
byKarwin Software Solutions LLC
 
Cross Site Request Forgery (CSRF) Scripting Explained
byValency Networks
 
XSS and CSRF with HTML5
byShreeraj Shah
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Sql injection
byHemendra Kumar
 
SQL injection: Not Only AND 1=1 (updated)
byBernardo Damele A. G.
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
byRuss McRee
 
Understanding CSRF
byPotato
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
byMark Stanton
 
Pfe rapport rabiaa hind 04 06 2012
byOlaya Hoyame
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
byNilesh Sapariya
 
[Php Camp]Owasp Php Top5+Csrf
byBipin Upadhyay
 
SQL Injection
byMarios Siganos
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
byShreeraj Shah
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
bySuvash Shah
 

Similar to Introduction to CSRF Attacks & Defense

PDF
Session7-XSS & CSRF
byzakieh alizadeh
 
PDF
Protecting Your Web Applications: How to Prevent Cross-Site Request Forgery (...
bySecuodsoft
 
PDF
Make CSRF Again
byNetsparker
 
PPTX
Cross Site Request Forgery- CSRF
byMitul Babariya
 
PPTX
CSRF
byAkanksha Raikwar
 
PPT
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
PDF
XSS, LFI & CSRF vulnerabilities
byCTM360
 
PPTX
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
byTadj Youssouf
 
PPTX
Example my ppt
byTadj Youssouf
 
PPTX
Mitigating CSRF with two lines of codes
byMinhaz A V
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
DOCX
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
PDF
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
byIRJET Journal
 
PDF
Oh no, was that CSRF #Ouch
byAbhinav Sejpal
 
PDF
A4 A K S H A Y B H A R D W A J
bybhardwajakshay
 
PPTX
Cyber security 2.pptx
byNotSure11
 
PDF
Web vulnerabilities
byOleksandr Kovalchuk
 
PPTX
CuSRF. OWASP AppSecUS 2014
byBarry Shteiman
 
PPT
Xssandcsrf
byPrabhanshu Saraswat
 
PPTX
CSRF_main_vid.pptx
byNishantAnand43
 
Session7-XSS & CSRF
byzakieh alizadeh
 
Protecting Your Web Applications: How to Prevent Cross-Site Request Forgery (...
bySecuodsoft
 
Make CSRF Again
byNetsparker
 
Cross Site Request Forgery- CSRF
byMitul Babariya
 
CSRF
byAkanksha Raikwar
 
CSRF_RSA_2008_Jeremiah_Grossman
byguestdb261a
 
XSS, LFI & CSRF vulnerabilities
byCTM360
 
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
byTadj Youssouf
 
Example my ppt
byTadj Youssouf
 
Mitigating CSRF with two lines of codes
byMinhaz A V
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
bySam Bowne
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
bySamvel Gevorgyan
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
byIRJET Journal
 
Oh no, was that CSRF #Ouch
byAbhinav Sejpal
 
A4 A K S H A Y B H A R D W A J
bybhardwajakshay
 
Cyber security 2.pptx
byNotSure11
 
Web vulnerabilities
byOleksandr Kovalchuk
 
CuSRF. OWASP AppSecUS 2014
byBarry Shteiman
 
Xssandcsrf
byPrabhanshu Saraswat
 
CSRF_main_vid.pptx
byNishantAnand43
 

Recently uploaded

PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PPTX
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
DOCX
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PDF
DevOps GenAI_ How Generative AI Is Changing Software Delivery.pdf
byDevseccops.ai
 
PPTX
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PDF
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
Quercus semecarpifolia is widely recognized as a keystone species in alpine a...
byMadan Bhandari university and St. Xavier's college , Maitighar
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
DevOps GenAI_ How Generative AI Is Changing Software Delivery.pdf
byDevseccops.ai
 
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
The_Boardroom_Cyber_Playbook_Research_Edition
bySaraDavis91
 

Introduction to CSRF Attacks & Defense

  • 1.
  • 2.
    Who Am I? I’m P.B.Surya.Subhash, a 17 Year old Coder, Hacker and a student. Certified by Microsoft and was offered a job by Yahoo, Dell , Slideshare and a couple of other MNC’s Helped USA.Gov, Nic.in, NCSL, Netherlands. pbssubhash@gmail.com@pbssubhashFb.me/pbssubhashLinkedin.com/in/pbssubhash
  • 3.
  • 4.
    • What’s CSRF? • Impact of CSRF • How to test websites for CSRF ? • Real time attack scenario of CSRF. • Defenses against CSRF • How to Bypass those defenses ? • Using CSRF to compromise DSL Routers • Conclusion  Agenda
  • 5.
    What’s this CSRF? •CrosssiterequestforgeryabbreviatedasCSRFandalsoknownasSession Riding. •Forcesanendusertoexecuteunwantedactionsonawebapplicationin whichhe/sheiscurrentlyauthenticated.
  • 6.
    Impact  A successfulCSRF exploit can compromise end user data and operation in case of normal user.  If the targeted end user is the administrator account, this can compromise the entire web application.
  • 7.
    That’s all ? •Anythinganauthenticatedusercando • Norestrictionfromsameoriginpolicy,except… • Attackerscannotreadresponsesfromotherorigins • Limitedonwhatcanbedonewithdata • Severeimpactonaccountability-Logentriesreflecttheactionsavictimwastrickedinto executing
  • 8.
    How to find these?So lets break it ! (root@null: rm –rf /root/earth/security/)
  • 9.
  • 10.
    Killer Combination ! •Persistent Script Injection + CSRF = PWN3D
  • 11.
    defenses  The simplestone is to validate the Referrer header in the HTTP Request preventing the request from unknown sources.  The most popular one remains the token.  Custom HTTP Header like X-Requested-By: My Site.com – Not so popular…  Same Orgin Policy.  Re-authentication  Captcha
  • 12.
    Common Mistakes :- •Not validating the token .. • Not applying captcha properly. Example :- http://www.youtube.com/watch?v=zl0ARKQhoLA
  • 13.
    Misconceptions – DefensesThat Don’t Work  Only accept POST  Stops simple link-based attacks (IMG, frames, etc.)  But hidden POST requests can be created with frames, scripts, etc…  Referrer checking  Some users prohibit referrers, so you can’t just require referrer headers  Techniques to selectively create HTTP request without referrers exist  Requiring multi-step transactions  CSRF attack can perform each step in order None of these approaches will sufficiently protect against CSRF!
  • 14.
    Intro on Howto Bypass those defenses ? • Clickjacking • Bypassing SOP • Insecure CrossDomain.XML • Openly available exploits • Bypassing the captcha • Checking Token Validation • Checking header Validation • Converting POST based requests to GET based requests.
  • 15.
    CSRF to compromiseDSL Routers ? • Home DSL routers aren't secure from specialized CSRF attacks. Once the DSL router is owned, attackers can have their way with the internal network. Initiate a connection to the new DSL router. Turn on remote management. Add a password to the Admin user account.
  • 16.
  • 17.
    References :- • https://en.wikipedia.org/wiki/Cross-site_request_forgery •https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) • https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ • https://projects.webappsec.org/Cross-Site-Request-Forgery • https://www.owasp.org/index.php/Cross- Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
  • 18.
  • 19.
    Bye ! Please dropyour suggestions at @pbssubhash (or) pbssubhash@gmail.com Thank You!