AppSec USA 2014, Denver, Colorado
CSRF 101: Introduction to Cross-Site Request Forgery

Introduction
{
  "Name": "Danny Chrastil",
  "Title": "Senior Security Consultant",
  "Company": "HP Fortify",
  "Hobbies": [
    { "hobby": "Python Scripting Junkie" },
    { "hobby": "OpenSource Intelligence Advocate" },
    { "hobby": "BeeKeeping" }
  ]
}
What is CSRF?
What is CSRF?
CSRF Misfortunes
- Misunderstood by many testers
- Difficult for developers
- Often incorrectly defended
- Sounds like fun! ... eh?

How do we define CSRF?
"Cross-site Request Forgery is a vulnerability in a website that allows attackers to force victims to perform security-sensitive actions on the Internet without their knowledge." - Daniel Miessler
An Example CSRF (diagram: the Evil Site sends an Evil Request alongside the Normal Request / Response; the user receives the Evil Response)

What makes CSRF possible?
- HTTP is a session-less protocol
- Applications use cookies
- Cookies are sent with every request
- All cookies are sent for the domain
*** Requests come from the USER! ***

An Example CSRF (diagram: the same flow, with the browser attaching the user's session cookie to the Evil Request)
Cookie: sessionid=dIG4nCMP7Ffq4MhmbQXHZrCY1
CSRF Exercise #1: Force the user to logout

Other Attack Vectors
- GET Requests
- POST Requests - Hidden HTML form
- Other - JavaScript / AJAX calls

CSRF Exercise #2: Create an Admin user
Defenses
Right way
- CSRF Token outside HTML headers
- Unique to each session / request
- Double submit cookies
Wrong way
- CSRF Token inside HTML headers
- Multiple step requests
- POST only requests
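As an added illustration of the "right way" defenses on this slide (not code from the talk), a minimal Python sketch of a synchronizer token check and a double-submit cookie check; the in-memory session store, the logout form and the /logout handler are constructed stand-ins.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-in for a server-side session store: session id -> CSRF token.
SESSION_TOKENS: Dict[str, str] = {}

def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: an unpredictable value per session, kept server-side and
    embedded in every state-changing form (never derivable from the cookie alone)."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token

def render_logout_form(session_id: str) -> str:
    """Hidden-field form the legitimate page serves; a cross-site page cannot read it."""
    token = SESSION_TOKENS.get(session_id) or issue_csrf_token(session_id)
    return ('<form method="POST" action="/logout">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="submit" value="Logout"></form>')

def validate_synchronizer(session_id: str, submitted: Optional[str]) -> bool:
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so a timing side channel cannot leak the token.
    return hmac.compare_digest(expected, submitted)

def validate_double_submit(cookie_token: Optional[str], body_token: Optional[str]) -> bool:
    """Double-submit cookie: the random value in the cookie must be repeated in the
    request body. The browser attaches the cookie to a forged request automatically,
    but the other site cannot read the cookie to copy it into the body."""
    if not cookie_token or not body_token:
        return False
    return hmac.compare_digest(cookie_token, body_token)

def handle_logout(session_id: str, cookies: Dict[str, str], form: Dict[str, str]) -> int:
    """Simulated /logout handler returning an HTTP status. "POST only" is not a
    defense: a forged request can be a POST too; the missing token is what stops it."""
    if "sessionid" not in cookies:
        return 401
    if not validate_synchronizer(session_id, form.get("csrf_token")):
        return 403
    return 200
```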
Conclusion
Wrap it up!
- CSRF requests come from the USER
- Check all sensitive requests for CSRF
- Are defenses set up properly?