Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Published bySilvia Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"— Presentation transcript:

1 Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University http://adamdoupe.com

2 Adam Doupé, Security and Vulnerability Analysis HTML Review img Example

3 Adam Doupé, Security and Vulnerability Analysis

4

5

6

7 How is the HTTP request created? img Example

8 Adam Doupé, Security and Vulnerability Analysis

9

10

11 HTML Forms Review http://example.com/grades/submit?student=Adam+D oupé&class=cse+591&grade=A%2B&submit=Submit

12 Adam Doupé, Security and Vulnerability Analysis HTML Links img Example Click me for a free iPhone 6!

13 Adam Doupé, Security and Vulnerability Analysis

14

15 From the Web Application's Perspective Two requests from http://example.com/grades/submit –One from the form we showed the user –One from the link the user was tricked on clicking Two different intentions from the users' perspective –One the user wanted to submit the form (take the action) –One the user was just clicking a link Both requests look identical to the application!

16 Adam Doupé, Security and Vulnerability Analysis Even Worse Even Worse

17 Adam Doupé, Security and Vulnerability Analysis Even Worse As we have seen, our browser will automatically make the request to example.com when it encounters an img tag So we just need to get the user to visit our site (or otherwise load an img tag that we control the src )

18 Adam Doupé, Security and Vulnerability Analysis POST to the Rescue POST /grades/submit HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 68 student=Adam+Doup%C3%A9&class=cse+591&grade=A%2B&submit=Submit+Query

19 Adam Doupé, Security and Vulnerability Analysis POST to the Rescue? Attacker HTMLFormElement.prototype.submit.call(document.getElementById("csrf"));

20 Adam Doupé, Security and Vulnerability Analysis

21

22 Cross-Site Request Forgery An attacker can force your browser to make a request to the web application If there is not guarantee that the user intended to make the request Cross-Site Request Forgery is possible CSRF or XSRF

23 Adam Doupé, Security and Vulnerability Analysis CSRF Countermeasures Server-side code must generate a (random and unguessable) nonce, and that nonce must be included in very sensitive (state-changing) request

24 Adam Doupé, Security and Vulnerability Analysis Summary CSRF is subtle but critical vulnerability Using cookies as a session is not enough, also need a nonce for state-changing requests

Download ppt "Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
State of Connecticut Department of Information Technology Single Sign On and The Identity Vault Presented by Edward Wilson.

State of Connecticut Department of Information Technology Single Sign On and The Identity Vault Presented by Edward Wilson.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.

1 HTTP and some other odds and ends Nelson Padua-Perez Bill Pugh Department of Computer Science University of Maryland, College Park.
CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.

CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Servlets and JSP Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.

Servlets and JSP Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.
1 Web Search Interfaces. 2 Web Search Interface Web search engines of course need a web-based interface. Search page must accept a query string and submit.

1 Web Search Interfaces. 2 Web Search Interface Web search engines of course need a web-based interface. Search page must accept a query string and submit.
AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.
Security, Privacy and Encryption in Mobile Networks Gyan Ranjan Narus Inc. November 12, 2014 Narus Inc (A wholly owned subsidiary of the Boeing Company.)

Security, Privacy and Encryption in Mobile Networks Gyan Ranjan Narus Inc. November 12, 2014 Narus Inc (A wholly owned subsidiary of the Boeing Company.)
CS 142 Lecture Notes: HTTPSlide 1 HTTP Request GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/5.0 Accept: text/html, */* Accept-Language:

CS 142 Lecture Notes: HTTPSlide 1 HTTP Request GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/5.0 Accept: text/html, */* Accept-Language:
Understanding SharePoint 2013 Add-In Security Vulnerabilities

Understanding SharePoint 2013 Add-In Security Vulnerabilities
Www.incommon.org Shibboleth Training: Round Two 1 www.incommon.org.

Shibboleth Training: Round Two 1
How to Detect a Client’s Browser Senior Seminar CS498.

How to Detect a Client’s Browser Senior Seminar CS498.

Similar presentations

Ads by Google