CSRF Basics
•
4 likes•3,990 views
null Pune Chapter - August 2012 Meet
Recommended
More Related Content
What's hot
What's hot (20)
Similar to CSRF Basics
Similar to CSRF Basics (20)
More from n|u - The Open Security Community
More from n|u - The Open Security Community (20)
Recently uploaded
Recently uploaded (20)
CSRF Basics
- 1. Csrf / Xsrf Basics --by Jovin Lobo
- 2. Definition : “CSRF / XSRF (Cross-Site Request Forgery) is a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users.” --- Samvel Gevorgyan
- 3. OWASP describes CSRF as .... CSRF is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf like change the victim's e-mail address, home address, or password..etc So basically CSRF attacks target functions that cause a state change on the server but can also be used to access sensitive data.
- 5. DEMO
- 6. Prevention techniques that SUCK !!! ✗ Secret cookies ✗ Accepting only POST requests ✗ Multi-Step transactions
- 7. Then how do we prevent it ?? “Adding any 'unpredictable' parameter to the requests should solve the problem............... What Say ??”
- 8. Some prevention techniques that DO NOT SUCK ... ✔ Challenge-Response : ➢ Re- Authentication. ➢ Implement CAPTCHAS. ✔ Synchronizer Token Pattern
- 9. Synchronizer Token Pattern Its a Server-Side Solution. Concept: Establish a token on the server side that indicates a valid submission, and give a token signature to the client that corresponds to that token (most likely in a hidden input field). When the client submits their form, the server validates their token and proceeds. It then marks the token as invalid so it may not be used again. The result is that any given form may only be used once and then will not work again.
- 11. Control flow with invalid tokens Ref : http://pg-server.csc.ncsu.edu/mediawiki/index.php/Image:Negative_flow.png
- 12. QUESTIONS ??
- 13. References: ● https://www.owasp.org/index.php/Cross-Site_Request_Forgery_ %28CSRF%29_Prevention_Cheat_Sheet ● http://tournasdimitrios1.wordpress.com/2012/02/16/preventing- cross-site-request-forgeries-in-php/ ● http://pg- server.csc.ncsu.edu/mediawiki/index.php/CSC/ECE_517_Fall_2009 /wiki2_3_b5
- 14. THANK YOU