Overview: Are you a web developer / tester / architect? Why don't you stop your web app sucking against CSRF attacks?
Mission: This session is on detecting and exploiting CSRF / XSRF issues. At the end of this session, the participant will be able to manually identify CSRF / XSRF vulnerabilities in web applications.
URL: http://weekendtesting.com/archives/3843
Agenda: Introduction; What is Cross Site Request Forgery; CSRF check & how to test (IronWASP, CSRF finders); Prevention of CSRF attacks; Q & A
Prerequisite knowledge: basic technical knowledge about web applications
2. WHO AM I
I'm a new generation exploratory tester
Researcher & Reader in free time
Speaker at
Facilitator at Weekend Testing
Crowd Tester (AKA. Bug bounty Hunter)
Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc.
Proficient at Functional, Usability , Accessibility & Compatibility Testing
Love to develop nasty code & Hack it :)
Works as Quality Analyst at
AKA. Bug Wrangler
Null & OWASP Community
passbrains.com
4. DISCLAIMER
This presentation is intended for educational purposes only and I cannot be held liable for
any kind of damage done whatsoever to your machine, or other damages.
Please don't try this attack on any other system without having context knowledge or
permission; this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purposes.
^ I hope - You gotcha ^
5. SOCIAL MEDIA FEED
Hashtags for this session: #CSRF, #BitzNightTesting
Twitter handles for feedback: @Abhinav_Sejpal, @weekendtesting
G+
http://goo.gl/kMAOs1
6. AGENDA
Introduction
Set up Pen Testing LAB
Overview of HTTP Request
Intercept the HTTP Request using Proxy (MITM)
Understanding cross site attacks
Testing for a cross site request forgery risk
Attack Anti-forgery Attacks
Common Defences Against CSRF
7. SETUP THE TEST LAB
Install XAMPP
Acronym for:
X (to be read as "cross", meaning cross-platform)
Apache HTTP Server
MySQL
PHP
Perl
8. TARGETED APPLICATION
Client side language: HTML & JavaScript
Server side language: PHP
DB: MySQL
Why PHP? - Any answer here?
Why MySQL? - MySQL is the girlfriend of PHP <3
11. 2013 Server-side Programming Language of the Year
Don't mind the power of PHP: it runs Facebook & Yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year
12. PLAY GROUND: MUTILLIDAE
It's a free, open source web application provided to allow
security enthusiasts to pen-test and hack a web application.
V.2X developed by Jeremy Druin aka webpwnized.
22. CSRF AKA. XSRF
THE ATTACKER EXPLOITS THE TRUST A WEBSITE
HAS IN A USER'S BROWSER.
Permission faking / stealing
Disruption of the normal sequence of the site
25. UNDERSTANDING
The logout page is a simple HTTP GET that requires no
confirmation.
Every user who visited a page carrying that request would immediately be
logged out - that's CSRF in action.
Yes, it's not dangerous, but annoying.
26. SO WHAT DO YOU THINK,
IT'S ALL ABOUT CLICK ?
Shh, No!!
Would you like to write CSRF exploit without click ??
27. CSRF GET Request with Image Tag
<html>
<head>
<title> CSRF Demo 1 </title>
</head>
<body>
<!-- the browser fetches the image URL with the victim's Mutillidae cookies attached -->
<img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout">
</body>
</html>
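Added example, not part of the slides or of Mutillidae's own code: the logout handler the deck describes (a plain GET with no confirmation, which the image tag above triggers) next to a hardened PHP version that only accepts a POST carrying a per-session synchronizer token, checks the Origin/Referer header, and marks the session cookie SameSite. The token name csrf_token, the expected origin http://127.0.0.1 (the XAMPP host used on the slides), the form markup and the PHP 7.3+ requirement are this example's own assumptions.

```php
<?php
// Added example (not from the slides or Mutillidae). Assumes PHP 7.3+.
// SameSite=Lax stops the browser attaching the session cookie to cross-site
// subresource requests such as the <img src=...> in the demo.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// --- Vulnerable, as on the slides: any GET of ?do=logout ends the session.
// The image tag on another site fires exactly this request with the victim's cookies.
function logout_vulnerable(): void
{
    if (($_GET['do'] ?? '') === 'logout') {
        session_destroy();
        echo "Logged out";
    }
}

// --- Hardened ---
// 1. State change only on POST (an <img> tag can only issue GET).
// 2. Synchronizer token: random per-session value embedded in the form and
//    compared with hash_equals() (constant time) on submit. A cross-site page
//    cannot read it because of the same-origin policy.
// 3. Origin/Referer check as defence in depth.

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

function request_is_same_origin(array $server, string $expected): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        // Fall back to the Referer, reduced to scheme://host[:port]
        $p = parse_url($server['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host']
                    . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    // A request with neither header is rejected: fail closed.
    return $origin !== null && $origin === $expected;
}

function csrf_request_is_valid(array $server, array $post, array $session, string $expected_origin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!request_is_same_origin($server, $expected_origin)) {
        return false;
    }
    $sent   = $post['csrf_token'] ?? '';
    $stored = $session['csrf_token'] ?? '';
    return $stored !== '' && is_string($sent) && hash_equals($stored, $sent);
}

function logout_hardened(): void
{
    // Assumed deployment origin; take it from configuration in a real app.
    if (!csrf_request_is_valid($_SERVER, $_POST, $_SESSION, 'http://127.0.0.1')) {
        http_response_code(403);
        echo "Rejected: missing or invalid CSRF token";
        return;
    }
    session_destroy();
    echo "Logged out";
}

// Logout form served by the app itself; the hidden token is what a forged
// request from another origin cannot supply.
function logout_form(): string
{
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?do=logout">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<button type="submit">Logout</button></form>';
}

if (($_GET['do'] ?? '') === 'logout') {
    logout_hardened();   // the image-tag GET now gets a 403 instead of a logout
} else {
    echo logout_form();
}
```

Run it under XAMPP, log in, and load the "CSRF Demo 1" page from another origin: the hardened handler answers 403 because the request is a GET, carries no token, and (with SameSite=Lax) arrives without the session cookie at all. The vulnerable function is kept only for comparison and is never dispatched.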
31. IS IT EASY TO CREATE A CSRF HTTP REQUEST?
No? - then you should try out
IronWASP
CSRF PoC Generator - tool for automatically generating
exploits for CSRF vulnerabilities
* One Click PoC *
* Hybrid automation *
Thanks a ton to Lava & Jayesh