The document discusses cross-site request forgery (CSRF), explaining how it exploits the behavior of browsers sending cookies with HTTP requests, which can lead to unauthorized actions on behalf of users. It highlights the decline of CSRFs in the OWASP Top 10 due to increased awareness and implementation of anti-CSRF tokens, while also providing real-world examples of vulnerabilities in popular applications. The text emphasizes the importance of addressing CSRF vulnerabilities in web application security.

1. Make
CSRF
Great
Again Z i y a h a n A l b e n i z

2. ziyahan@netsparker: $ whoami
● Security Researcher
● Klavye Delikanlıları Web Security Podcast
(https://www.klavyedelikanlilari.com - @delikanliklavye)
● Email: ziyahan@netsparker.com
● Twitter: ziyaxanalbeniz
● PGP : 0xA6A34AFD / https://keybase.io/ziyahan

3. What is CrossSiteRequestForgery?
Which one is yours?
● XSRF
● Session Riding
● Bad Deputy
● One-Click Attack
● ...
● ..
● .
http://www.theblindelephant.com/uploads/elephant_pic.jpg

4. What is CrossSiteRequestForgery?
Which one is yours?
● XSRF
● Session Riding
● Bad Deputy
● One-Click Attack
● ...
● ..
● .
Most importantly,
it is really a sleeping giant
http://www.theblindelephant.com/uploads/elephant_pic.jpg

5. Let me state again…
HTTP is a stateless protocol.
How Does It Work?

6. Stateless? What?
What allows the server to tell users apart?
How Does It Work?

7. What helps to tell users apart? Cookie!
L. Montulli, “Persistent Client State HTTP Cookies” (1994), http://curl.haxx.se/rfc/cookie_spec.html

8. What helps to tell users apart? Cookie!
L. Montulli, “Persistent Client State HTTP Cookies” (1994), http://curl.haxx.se/rfc/cookie_spec.html
"The browser sends a cookie that
was set by some site A along
with every further request to site A."
http://www.securenet.de/papers/Session_Riding.pdf

9. What helps to tell users apart? Cookie!
Every request? What did you say?

10. Yes, along with every request!
<img>
<form> GET/POST
<script>
<link>
<iframe>

11. Cookie Misuse Can Lead to Cross-site Request Forgery
"While carrying out this process, it
checks to see whether the properties
and flags of the cookies (domain, path,
secure), match the website's data
which has been requested. If they
match, the browser sends the relevant
cookies along with the request."

12. Cookie Misuse Can Lead to Cross-site Request Forgery
This behavior is also repeated in the
same way for requests made by third
parties through the browser. The
critical point from a web application
security perspective is that when you
visit website A, all cookies kept in the
browser for site B will be added to the
request initiated toward site B by site
A. So, a session that belongs to B on
the browser can be used and even
abused in this way.

13. An issue so pervasive, because web is designed to function like that!
http://blog.jeremiahgrossman.com/2006/09/csrf-sleeping-giant.html

14. Enough said! Here what CSRF is!
Nasreddin Hodja's tomb
http://www.istasyongazetesi.com/files/uploads/kilit5.JPG

15. CSRF has been started losing his popularity!
"CSRF attacks were at number 5 in the OWASP Top 10 list published in 2010, but they declined to number 8
in the OWASP Top Ten in 2013. People suggested that the reason for this was increased awareness of
CSRF and the common use of Anti-CSRF tokens by frameworks."

16. Hey! What's going on there?
(Technical Impact of CSRF in 2010 and 2013)

17. Oh! I am not alone!

18. Oh! I am not alone!

19. The truth is starting to emerge
“There are a number of variations on this approach, each fraught with
pitfalls, and even sites that implement the technique correctly often
overlook their login requests because login request lack a session to
which to bind the token. “ (Robust Defenses for Cross-Site Request
Forgery,
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf)

20. Real World Stories
Before 2013, before the
issue was fixed,
you were able to see the
whole search history of
the victim by exploiting a
login CSRF.

21. Why?
Many companies
exclude CSRF,
especially Login/Logout
CSRF in their bounty
programs.
We detected some
issues in important
systems in near time.
Nasreddin Hodja

22. Why?
Many companies
exclude CSRF,
especially Login/Logout
CSRF in their bounty
programs.
We detected some
issues in important
systems in near time.
Dropbox Bug Bounty Summary @ Hackerone

23. CSRF Vulnerability in Yandex Browser Allows Attackers to Steal Victim's
Browsing Data
The CSRF vulnerability was found in the login screen of the
Yandex Browser that is used by users to login to their
Yandex account to synchronize their browser data (such as
passwords, bookmarks, form values, history) between
different devices they own, such as smartphones, tablets and
PCs. The Google Chrome browser has the same feature.
Nasreddin Hodja

24. CSRF Vulnerability in Yandex Browser Allows Attackers to Steal Victim's
Browsing Data

25. CSRF Vulnerability in Yandex Browser Allows Attackers to Steal Victim's
Browsing Data
Researcher awarded due to his work by 3.183 USD :)

26. Login CSRF in Grammarly - Learn from other's mistakes :)
"Whether you’re writing emails, essays, or social media
posts, Grammarly has your back.(..)Grammarly makes sure
everything you type is easy to read, effective, and
mistake-free."
From company`s site.

27. Login CSRF in Grammarly - Learn from else's mistakes :)

28. Login CSRF in Grammarly - Learn from else's mistakes :)

29. History Pollution (SWAT Team Raid Your Home Suddenly)
http://www.alternet.org/civil-liberties/nsa-action-writers-house-raided-based-innocent-google-search

30. History Pollution - Hey Guest, I know Who You Are!
<img src="http://www.A_SITE_I_AM_MEMBER_OF.com/in/ziyahanalbeniz"/>

31. History Pollution - What You See is Actually I Want you to see
<img src="http://www.A_SITE_YOU_BUY_SOMETHING.com/phones/yokia_603"/>
You'll see it your Most Recent Viewed Iitems :)

32. Login With Functions - Login Once, Get Hacked Everywhere
Even, without being aware

33. Nasreddin Hodja
Yes, we can!

34. For more understanding on Logout CSRF:
http://tinyurl.com/whatiscsrf :)

35. Nasreddin Hodja
Questions?

36. Nasreddin Hodja
Thank you!