Riding Someone Else’s Wave with CSRF

Presentation on theme: "Riding Someone Else’s Wave with CSRF"— Presentation transcript:

1 Riding Someone Else’s Wave with CSRF
Sam Shute

2 Overview
What is CSRF
What can we use CSRF for
Where can we find CSRF
How can we defend against CSRF

3 What is CSRF - Why should I care
CSRF, Sea-Surf, XSRF, one-click attacks, session riding: all mean Cross-Site Request Forgery. Sending requests from someone else's browser, so their browser adds their cookies. Recently removed from the OWASP Top 10.

4 What is CSRF – Real Life Examples
Penetration test on Friday
80% of our penetration tests
uTorrent malware download
Gmail contact list theft

5 What is CSRF - Flow
User visits our malicious/infected site
The user's browser loads the content for our site, including our CSRF attack
The user's browser sends the request with their cookies

6 What is CSRF - Example
Antonio requests a site we've infected, DogMemes.com.
Antonio's browser loads the infected page, including our CSRF attack.
When it comes across our CSRF, his browser makes a request to AntoniosBank.com with his cookie, telling his bank to put $10,000 into our account.

7 What is CSRF - Example

8

9 Same-Origin Policy
Same-Origin = Same Domain
Blocks background requests that come from a different domain. Modern browsers only.

10 Demo

11 CSRF Attack 1: Making a Post
Simple HTML form
Executed through a phishing attack

12 CSRF Attack 1-2: Making a Post

13 CSRF Attack 2: Password Change
Background Ajax request
Executed through an XSS injection

14 CSRF Attack 3: Privilege Escalation
Background Ajax request
Executed through an XSS injection

15 What can we use CSRF for
Making posts
Changing passwords
Privilege escalation
Creating accounts
Transferring bank funds

16 Where can we find CSRF
Any request that does not pass a CSRF token is probably vulnerable. Looking at forms and Ajax requests is always a good place to start.

17 Defending Yourself against CSRF
Logging out when finished with an application
Running a script blocker
Updating

18 What doesn’t work to defend against CSRF
HTTPS
Using only POST requests
Secret cookie values
Relying on browser-based protections

19 What does work against CSRF
CSRF Tokens
Must be unique per user, preferably unique per action. They must be implemented, but more importantly, they must be validated. Check your framework.
Content-Security-Policy
Doesn't actually stop CSRF, but by declaring a strict CSP you can reduce the attack surface for XSS.

20 What does work against CSRF – CSRF Tokens

21 What does work against CSRF – CSRF Tokens

22 What does work against CSRF – CSRF Tokens
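The token rules from slide 19 (per user, preferably per action, and actually validated on the server) as an added example that is not from the presentation. The session store, the `change_password` action name and the request dictionaries are constructed stand-ins for a real framework; the forged request shows why a cross-site form fails: the browser attaches the victim's cookie, but the attacker's page cannot read the token, so the server rejects it.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store standing in for a real session backend.
SESSIONS = {}


def new_session():
    """Log a user in: each session gets its own secret, so tokens are per user."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_secret": secrets.token_bytes(32)}
    return sid


def csrf_token(session_id, action):
    """Per-user, per-action token: HMAC(session secret, action name).

    Embed this in the form or send it with the Ajax request for that action.
    """
    secret = SESSIONS[session_id]["csrf_secret"]
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()


def validate_csrf(session_id, action, submitted):
    """The important half: reject unless the submitted token is the one this
    user was issued for this action. compare_digest avoids timing leaks."""
    if session_id not in SESSIONS or not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, action), submitted)


def handle_password_change(request):
    """Handler for a state-changing request. `request` is a constructed dict
    {"cookies": {...}, "form": {...}}. Returns (status, message)."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not validate_csrf(sid, "change_password", request["form"].get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # The real password update would happen here.
    return 200, "password changed"


if __name__ == "__main__":
    sid = new_session()
    forged = {"cookies": {"session": sid}, "form": {"new_password": "x"}}
    print(handle_password_change(forged))   # (403, ...) cookie alone is not enough
    legit = {"cookies": {"session": sid},
             "form": {"new_password": "x", "csrf_token": csrf_token(sid, "change_password")}}
    print(handle_password_change(legit))    # (200, ...)
```

A token issued for a different action (for example, making a post) or to a different user is also rejected, which is what "unique per user, preferably per action" buys you.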

23 Summary
Very easy to exploit
Very easy to defend against

24 Questions?
