Introduction to CSRF Attacks & Defense
•Download as PPTX, PDF•
8 likes•3,553 views
It's the PPT of the presentation at Null Hyd June 2014 meet. I tried to make it as simple as i can :) Share if you like and please let me know your suggestions :)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Introduction to CSRF Attacks & Defense
Similar to Introduction to CSRF Attacks & Defense (20)
Recently uploaded
Recently uploaded (20)
Introduction to CSRF Attacks & Defense
- 1. Introduction to CSRF Attacks &defenses.
- 2. Who Am I ? I’m P.B.Surya.Subhash, a 17 Year old Coder, Hacker and a student. Certified by Microsoft and was offered a job by Yahoo, Dell , Slideshare and a couple of other MNC’s Helped USA.Gov, Nic.in, NCSL, Netherlands. pbssubhash@gmail.com@pbssubhashFb.me/pbssubhashLinkedin.com/in/pbssubhash
- 4. • What’s CSRF ? • Impact of CSRF • How to test websites for CSRF ? • Real time attack scenario of CSRF. • Defenses against CSRF • How to Bypass those defenses ? • Using CSRF to compromise DSL Routers • Conclusion Agenda
- 5. What’s this CSRF ? •CrosssiterequestforgeryabbreviatedasCSRFandalsoknownasSession Riding. •Forcesanendusertoexecuteunwantedactionsonawebapplicationin whichhe/sheiscurrentlyauthenticated.
- 6. Impact A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
- 7. That’s all ? • Anythinganauthenticatedusercando • Norestrictionfromsameoriginpolicy,except… • Attackerscannotreadresponsesfromotherorigins • Limitedonwhatcanbedonewithdata • Severeimpactonaccountability-Logentriesreflecttheactionsavictimwastrickedinto executing
- 8. How to find these ?So lets break it ! (root@null: rm –rf /root/earth/security/)
- 9. Let’s Exploit it !
- 10. Killer Combination ! • Persistent Script Injection + CSRF = PWN3D
- 11. defenses The simplest one is to validate the Referrer header in the HTTP Request preventing the request from unknown sources. The most popular one remains the token. Custom HTTP Header like X-Requested-By: My Site.com – Not so popular… Same Orgin Policy. Re-authentication Captcha
- 12. Common Mistakes :- • Not validating the token .. • Not applying captcha properly. Example :- http://www.youtube.com/watch?v=zl0ARKQhoLA
- 13. Misconceptions – Defenses That Don’t Work Only accept POST Stops simple link-based attacks (IMG, frames, etc.) But hidden POST requests can be created with frames, scripts, etc… Referrer checking Some users prohibit referrers, so you can’t just require referrer headers Techniques to selectively create HTTP request without referrers exist Requiring multi-step transactions CSRF attack can perform each step in order None of these approaches will sufficiently protect against CSRF!
- 14. Intro on How to Bypass those defenses ? • Clickjacking • Bypassing SOP • Insecure CrossDomain.XML • Openly available exploits • Bypassing the captcha • Checking Token Validation • Checking header Validation • Converting POST based requests to GET based requests.
- 15. CSRF to compromise DSL Routers ? • Home DSL routers aren't secure from specialized CSRF attacks. Once the DSL router is owned, attackers can have their way with the internal network. Initiate a connection to the new DSL router. Turn on remote management. Add a password to the Admin user account.
- 16. Demo Time
- 17. References :- • https://en.wikipedia.org/wiki/Cross-site_request_forgery • https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) • https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ • https://projects.webappsec.org/Cross-Site-Request-Forgery • https://www.owasp.org/index.php/Cross- Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
- 18. Anything to ask ?
- 19. Bye ! Please drop your suggestions at @pbssubhash (or) pbssubhash@gmail.com Thank You!