Web Application Security | Beginner Session - Cross Site Request Forgery

•Download as PPTX, PDF•

1 like•1,957 views

n|u - The Open Security Community

null Bangalore February meet

Technology

CSRF/XSRF?
(pronounced as „sea-surf‟)

It‟s BAD. How?

1

How?
Suppose you have an online bank account and
you‟re already authenticated (you have already
logged-in).

2

How?
Now, you clicked on link from another
website, maybe from a comment. Ex.

<a href=”http://bankwebsite.com/transfermoney.hmtl”>I posted photos</a>
This will just look like: I posted photos

3

How?
Your bank website would not know that is not
really your intention.

4

What is it?


Attacker exploits the fact that the victim is authenticated to
a website
Identifying the attacker can be difficult



What can it do?



 Proxy requests/commands for the attacker from the victim‟s

browser


Even POSTS can be forged as GET requests in some
cases
 Web forms One Click Demo in module

5

How it is exploited?



Can be very simple – Image link in email, script on a blog,
simple link
Attackers gets user to
 Click a specially crafted link (or inject JavaScript to a site victim visits)
 Execute a request (can be very simple as requesting an image url in email)



Innocently browsing a web site
 Can users include hrefs or Image links to your site? Link to bad url




Ever click “view images” in an email?
All browsers happily send over credentials if already
logged on
 If already logged in (forms auth) the cookie is sent over even for an

image request

6

CSRF – HOW IT IS EXPLOITED?

DEMO – Repeatability is the key

8

CSRF – HOW IT IS EXPLOITED?

DEMO – Piggyback with some other attack like XSS

9

CSRF – POSTs protect me


They do, don‟t they? Don‟t they? Hello?



Web Forms One Click attack
 Page.IsPostBack doesn‟t always tell the truth
 A button click doesn‟t always mean someone click the button

10

How do you prevent it?


All Web Apps
 Ensure GET only retrieves a resource (as per HTTP Spec)

 No state is modified
 POSTS/PUT/DELETE can be forged, must take additional

precautions
 Try to make requests unique and non-repeatable

11

CSRF Defenses


CAPTCHA
 Attacker must know CAPTCHA answer
 Assuming a secure implementation



Re-Authentication
 Password Based
○ Attacker must know victims password
○ If password is known, then game over already!

 One-Time Token
○ Attacker must know current token
○ Very strong defense!



Unique Request Tokens
 Attacker must know unique request

token for particular victim for particular session
 Assumes token is cryptographically secure and not
disclosed.
○ /accounts?auth=687965fdfaew87agrde …

12

Recently uploaded

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Architecting Cloud Native Applications

WSO2

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Exploring Multimodal Embeddings with Milvus

Zilliz

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...

Architecting Cloud Native Applications

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

CNIC Information System with Pakdata Cf In Pakistan

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Understanding the FAA Part 107 License ..

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Six Myths about Ontologies: The Basics of Formal Ontology

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Artificial Intelligence Chap.5 : Uncertainty

Exploring Multimodal Embeddings with Milvus

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Platformless Horizons for Digital Adaptability

Introduction to Multilingual Retrieval Augmented Generation (RAG)

[BuildWithAI] Introduction to Gemini.pdf

AWS Community Day CPH - Three problems of Terraform

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Web Application Security | Beginner Session - Cross Site Request Forgery

1. CSRF/XSRF? (pronounced as „sea-surf‟) It‟s BAD. How? 1

2. How? Suppose you have an online bank account and you‟re already authenticated (you have already logged-in). 2

3. How? Now, you clicked on link from another website, maybe from a comment. Ex. <a href=”http://bankwebsite.com/transfermoney.hmtl”>I posted photos</a> This will just look like: I posted photos 3

4. How? Your bank website would not know that is not really your intention. 4

5. What is it?  Attacker exploits the fact that the victim is authenticated to a website Identifying the attacker can be difficult  What can it do?   Proxy requests/commands for the attacker from the victim‟s browser  Even POSTS can be forged as GET requests in some cases  Web forms One Click Demo in module 5

6. How it is exploited?   Can be very simple – Image link in email, script on a blog, simple link Attackers gets user to  Click a specially crafted link (or inject JavaScript to a site victim visits)  Execute a request (can be very simple as requesting an image url in email)  Innocently browsing a web site  Can users include hrefs or Image links to your site? Link to bad url   Ever click “view images” in an email? All browsers happily send over credentials if already logged on  If already logged in (forms auth) the cookie is sent over even for an image request 6

7. CSRF – HOW IT IS EXPLOITED? DEMO 7

8. CSRF – HOW IT IS EXPLOITED? DEMO – Repeatability is the key 8

9. CSRF – HOW IT IS EXPLOITED? DEMO – Piggyback with some other attack like XSS 9

10. CSRF – POSTs protect me  They do, don‟t they? Don‟t they? Hello?  Web Forms One Click attack  Page.IsPostBack doesn‟t always tell the truth  A button click doesn‟t always mean someone click the button 10

11. How do you prevent it?  All Web Apps  Ensure GET only retrieves a resource (as per HTTP Spec)  No state is modified  POSTS/PUT/DELETE can be forged, must take additional precautions  Try to make requests unique and non-repeatable 11

12. CSRF Defenses  CAPTCHA  Attacker must know CAPTCHA answer  Assuming a secure implementation  Re-Authentication  Password Based ○ Attacker must know victims password ○ If password is known, then game over already!  One-Time Token ○ Attacker must know current token ○ Very strong defense!  Unique Request Tokens  Attacker must know unique request token for particular victim for particular session  Assumes token is cryptographically secure and not disclosed. ○ /accounts?auth=687965fdfaew87agrde … 12

13. Web Forms – CSRF Prevention DEMO 13

Editor's Notes

General Best Practices:Setting a short time period for the users session

Web Application Security | Beginner Session - Cross Site Request Forgery

Recommended

Recommended

More Related Content

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Recently uploaded

Recently uploaded (20)

Web Application Security | Beginner Session - Cross Site Request Forgery

Editor's Notes