13. Missing Function Level Access Control
[Diagram: "Performs some operation"; "Ability to control the … to"; "Missing"]
14. How to find?
◦ Navigation, Form action, API
◦ Escalate Privilege
◦ Server-side Authentication & Authorization
15. How is it different from IDOR?
◦ Function level
◦ Usually invokes a function
◦ For Programmers
◦ Mostly about Vertical Privilege Escalation?
◦ It’s a type of IDOR?
◦ Not all IDORs are MFLA?
16. Prevent MFLA
◦ Access Control at Server Side
◦ Don’t just hide UI
◦ Modular level authorization
18. A8 – Cross Site Request Forgery
Cross site : Outside
Request : Perform Action
Forgery : Fake
“Fake a user action outside the site”
19. How does CSRF happen?
◦ GET /delete?user_id=1001
◦ POST /transact?toAccount=900123&amount=100
◦ Innocent looking page
◦ Hidden iframe – form – img – submit
◦ Success!
20. Why does it work?
◦ Authenticated session exists
◦ (Stupid) Browser sends cookies by default!
◦ Server can’t verify origin of the request
21. A few facts to note
◦ Happens on someone’s site hence
◦ CSRF = XSRF
◦ Inducing User action
◦ Unknown to the User
◦ Riding on User session
22. The worst CSRF
◦ Admin site – Neglected – CSRF & SQLi
◦ Home DSL Router – Default cred – CSRF
◦ Stored Self XSS & CSRF !
23. A few non-CSRF Scenarios
◦ Public action: Contact, logout
◦ Read only – No state change
24. Preventing CSRF
◦ Token - nonce
◦ URL
◦ Form hidden field
◦ HTTP Header
◦ Confirm user interaction: Re-authenticate, CAPTCHA
25. Token Security
◦ Should be treated as session token
◦ Crypto random
◦ Time bound
◦ Can limit to user session, form
26. A few CSRF blunders
◦ Multi stage form process
◦ CSRF Token in Cookies
◦ Redirection
◦ Depending on the HTTP Referer: old versions of Flash & the meta refresh tag
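As an added example (not code from the deck), a token scheme that follows slides 24 and 25: a crypto-random nonce, a timestamp that bounds the token's lifetime, an HMAC that ties the token to one user session and one form, delivery through a hidden form field or an HTTP header rather than a cookie (the blunder on slide 26), and a constant-time comparison. The server secret, session ids and form ids are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from configuration.
SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id: str, form_id: str, now: Optional[int] = None) -> str:
    """Build a token of the form nonce.timestamp.mac.

    nonce: crypto-random, so the token is unguessable; timestamp: lets the
    server enforce a lifetime; mac: HMAC over session, form, nonce and time,
    so the token only verifies for this user's session and this form.
    """
    ts = str(now if now is not None else int(time.time()))
    nonce = secrets.token_hex(16)
    msg = f"{session_id}|{form_id}|{nonce}|{ts}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def verify_csrf_token(token: str, session_id: str, form_id: str,
                      max_age: int = 3600, now: Optional[int] = None) -> bool:
    """Reject malformed, expired, tampered, wrong-session or wrong-form tokens."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, ts, mac = parts
    current = now if now is not None else int(time.time())
    if int(ts) > current or current - int(ts) > max_age:
        return False
    msg = f"{session_id}|{form_id}|{nonce}|{ts}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison: treat the token like a session credential.
    return hmac.compare_digest(mac, expected)


def check_request(session_id: str, form_id: str, form: dict, headers: dict,
                  now: Optional[int] = None) -> bool:
    """Take the token from a hidden field or a header, never from a cookie:
    the browser would attach a cookie to a forged request automatically."""
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not token:
        return False
    return verify_csrf_token(token, session_id, form_id, now=now)
```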