Cross-Site Request Forgery (CSRF in short) is a kind of a web application vulnerability which allows malicious website to send unauthorized requests to a vulnerable website using active session of its authorized users.
2. Cross-Site Request Forgery
The OWASP Top 10 Web Application Security Risks
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session
Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
Security Risks
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage 2010
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer
Protection
A10: Unvalidated Redirects and
Forwards
Cross-Site Request Forgery CYBER GATES Page 2
3. Cross-Site Request Forgery
Description
Cross-Site Request Forgery (CSRF in short) is a kind of a
web application vulnerability which allows malicious
website to send unauthorized requests to a vulnerable
website using active session of its authorized users.
Example
<img src=”http://twitter.com/home?status=evil.com” style=”display:none”/>
Cross-Site Request Forgery CYBER GATES Page 3
5. Cross-Site Request Forgery
Usless defenses
Only accept POST
This stops simple link-based attacks (IMG, frames, etc.).
But hidden POST requests can be created with frames, scripts, etc.
Referrer checking
Some users prohibit referrers, so you can’t just require referrer
headers.
Techniques to selectively create HTTP request without referrers
exist.
Requiring multi-step transactions
CSRF attack can perform each step in order.
Cross-Site Request Forgery CYBER GATES Page 5
6. Cross-Site Request Forgery
Solutions
CAPTHCA systems
This is a type of challenge-response test used in computing to
ensure that the response is not generated by a computer.
One-time tokens
Unlike the CAPTCHA systems this is a unique number stored in
the web form field and in session to compare them after the
form submission.
Cross-Site Request Forgery CYBER GATES Page 6
8. Cross-Site Request Forgery &
FrameKillers
Description
FrameKillers are small piece of javascript codes used
to protect web pages from being framed.
Example
if (top.location != location){
top.location = self.location;
}
Cross-Site Request Forgery CYBER GATES Page 8
9. Cross-Site Request Forgery &
FrameKillers
Conditional statement
if (top != self)
if (top.location != self.location)
if (top.location != location)
if (parent.frames.length > 0)
if (window != top)
if (window.top !== window.self)
if (window.self != window.top)
if (parent && parent != window)
if (parent && parent.frames && parent.frames.length>0)
Cross-Site Request Forgery CYBER GATES Page 9
14. CYBER GATES
Contacts
Corporate website
www.cybergates.am
Company profile on Twitter
www.twitter.com/CyberGatesLLC
Company fan page on Facebook
www.facebook.com/Cyber.Gates.page
Company profile on LinkedIn
www.linkedin.com/company/CyberGates-LLC
Company channel on Vimeo
www.vimeo.com/CyberGates
Company channel on YouTube
www.youtube.com/TheCyberGates
Cross-Site Request Forgery CYBER GATES Page 14
15. „Be one step ahead in Security.“
www.cybergates.am