SlideShare uma empresa Scribd logo

CSRF

Transferir como PPTX, PDF
Dilan Warnakulasooriya
Dilan Warnakulasooriya

This document discusses cross-site request forgery (CSRF) and how to prevent it. It begins by explaining what CSRF is, how it exploits user authentication to make requests on a victim's behalf. It then demonstrates CSRF by having the user unknowingly click a link to perform actions on another site they are logged into. The document discusses how GET requests, POSTs, and JavaScript can all enable CSRF. It recommends making requests unique and non-repeatable to prevent CSRF. For web forms, it suggests using viewstate tied to session ID, and for MVC using anti-forgery tokens from both cookie and form values. Code demos are provided for CSRF prevention in web forms and M

Tecnologia
1 de 10
SEA SURFING HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE… Dilan Warnakulasooriya Asanka Fernandopulle Information Security Engineer Senior Software Engineer 99X Technology 99X Technology
What is it?  Cross Site Request Forgery – Sea Surrrrrfff  Attacker exploits the fact that the victim is authenticated to a website  Identifying the attacker can be difficult  What can it do?  Proxy requests/commands for the attacker from the victim’s browser  Even POSTS can be forged as GET requests in some cases  Web forms One Click Demo in module January 1, 2013 99X Technology(c) 2
How it is exploited?  Can be very simple – Image link in email, script on a blog, simple link  Attackers gets user to  Click a specially crafted link (or inject JavaScript to a site victim visits)  Execute a request (can be very simple as requesting an image url in email)  Innocently browsing a web site  Can users include hrefs or Image links to your site? Link to bad url  Ever click “view images” in an email?  All browsers happily send over credentials if already logged on  If already logged in (forms auth) the cookie is sent over even for an image request  Some are invisible! IE default setting January 1, 2013 99X Technology(c) 3
CSRF – HOW IT IS EXPLOITED? DEMO January 1, 2013 99X Technology(c) 4
CSRF – HOW IT IS EXPLOITED? DEMO – Repeatability is the key January 1, 2013 99X Technology(c) 5
CSRF – HOW IT IS EXPLOITED? DEMO – Piggyback with some other attack like XSS January 1, 2013 99X Technology(c) 6
CSRF – POSTs protect me  They do, don’t they? Don’t they? Hello?  MVC CSRF via XSS  Web Forms One Click attack  Page.IsPostBack doesn’t always tell the truth  A button click doesn’t always mean someone click the button January 1, 2013 99X Technology(c) 7
How do you prevent it?  All Web Apps  Ensure GET only retrieves a resource (as per HTTP Spec)  No state is modified  POSTS/PUT/DELETE can be forged, must take additional precautions  Try to make requests unique and non-repeatable  Web forms specific  ViewStateUserKey = Session.SessionId  ViewState then acts as a form token  Must protect the Session Ids(Using Encryption, Hashing)  Pages inherit from the base web page  SSL to prevent sniffing of ViewState & SessionId  MVC Specific  Anti-Forgery token uses form value AND cookie value  SSL to prevent from sniffing Anti-Forgery token January 1, 2013 99X Technology(c) 8
Web Forms – CSRF Prevention DEMO January 1, 2013 99X Technology(c) 9
MVC – CSRF Prevention DEMO January 1, 2013 99X Technology(c) 10

Recomendados

TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detectorguest31a5be
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing MsdAung Khant
 
Xss 101 by-sai-shanthan
Xss 101 by-sai-shanthanXss 101 by-sai-shanthan
Xss 101 by-sai-shanthanRaghunath G
 
Intro to Wordpress Security
Intro to Wordpress SecurityIntro to Wordpress Security
Intro to Wordpress SecurityChris Dodds
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingHarishKumar1779
 
Webmatrix 2 beta
Webmatrix 2 betaWebmatrix 2 beta
Webmatrix 2 betaTom Crombez
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityTony Perez
 

Recomendados

TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users SafeTony Perez
 
Introducing Malware Script Detector
Introducing Malware Script DetectorIntroducing Malware Script Detector
Introducing Malware Script Detectorguest31a5be
 
Introducing Msd
Introducing MsdIntroducing Msd
Introducing MsdAung Khant
 
Xss 101 by-sai-shanthan
Xss 101 by-sai-shanthanXss 101 by-sai-shanthan
Xss 101 by-sai-shanthanRaghunath G
 
Intro to Wordpress Security
Intro to Wordpress SecurityIntro to Wordpress Security
Intro to Wordpress SecurityChris Dodds
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingHarishKumar1779
 
Webmatrix 2 beta
Webmatrix 2 betaWebmatrix 2 beta
Webmatrix 2 betaTom Crombez
 
WordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityWordPress Security 2014 - The Basics of Security
WordPress Security 2014 - The Basics of SecurityTony Perez
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Compassmarket 08-12
Compassmarket 08-12Compassmarket 08-12
Compassmarket 08-12thetradinforex
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
SSO To go
SSO To goSSO To go
SSO To goMarcus Deglos
 
Browser security
Browser securityBrowser security
Browser securityRitikRathaur
 
Phase 2
Phase 2Phase 2
Phase 2Gopal Krishna Potanaboyina
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website أحلام انصارى
 
Iniciar un servicio__start_service_linux
Iniciar un servicio__start_service_linuxIniciar un servicio__start_service_linux
Iniciar un servicio__start_service_linuxJames Jara
 
Secure coding
Secure codingSecure coding
Secure codingDilan Warnakulasooriya
 
Application security overview
Application security overviewApplication security overview
Application security overviewDilan Warnakulasooriya
 
Session Hijacking
Session HijackingSession Hijacking
Session HijackingDilan Warnakulasooriya
 
Application security overview
Application security overviewApplication security overview
Application security overviewDilan Warnakulasooriya
 
webscarab
webscarabwebscarab
webscarabDilan Warnakulasooriya
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingDilan Warnakulasooriya
 
Sql injection
Sql injectionSql injection
Sql injectionDilan Warnakulasooriya
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tamperingDilan Warnakulasooriya
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Nitroxis Sprl
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL InjectionJoe McCray
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 

Mais conteúdo relacionado

Mais procurados

Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?Tony Perez
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website أحلام انصارى
 
Iniciar un servicio__start_service_linux
Iniciar un servicio__start_service_linuxIniciar un servicio__start_service_linux
Iniciar un servicio__start_service_linuxJames Jara
 

Mais procurados (9)

Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana)
 
Compassmarket 08-12
Compassmarket 08-12Compassmarket 08-12
Compassmarket 08-12
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Hacked - What do you do now?
Hacked - What do you do now?Hacked - What do you do now?
Hacked - What do you do now?
 
SSO To go
SSO To goSSO To go
SSO To go
 
Browser security
Browser securityBrowser security
Browser security
 
Phase 2
Phase 2Phase 2
Phase 2
 
Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website Html5 offers 5 times better ways to hijack the website
Html5 offers 5 times better ways to hijack the website
 
Iniciar un servicio__start_service_linux
Iniciar un servicio__start_service_linuxIniciar un servicio__start_service_linux
Iniciar un servicio__start_service_linux
 

Destaque

Destaque (8)

Secure coding
Secure codingSecure coding
Secure coding
 
Application security overview
Application security overviewApplication security overview
Application security overview
 
Session Hijacking
Session HijackingSession Hijacking
Session Hijacking
 
Application security overview
Application security overviewApplication security overview
Application security overview
 
webscarab
webscarabwebscarab
webscarab
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Sql injection
Sql injectionSql injection
Sql injection
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tampering
 

Semelhante a CSRF

Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Nitroxis Sprl
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL InjectionJoe McCray
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...Quek Lilian
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Boston Institute of Analytics
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kimjaxconf
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...IRJET Journal
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 

Semelhante a CSRF (20)

Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

CSRF

  • 1. SEA SURFING HOW VULNERABLE IS MY WEB APPLICATION FROM A DEVELOPER’S ANGLE… Dilan Warnakulasooriya Asanka Fernandopulle Information Security Engineer Senior Software Engineer 99X Technology 99X Technology
  • 2. What is it?  Cross Site Request Forgery – Sea Surrrrrfff  Attacker exploits the fact that the victim is authenticated to a website  Identifying the attacker can be difficult  What can it do?  Proxy requests/commands for the attacker from the victim’s browser  Even POSTS can be forged as GET requests in some cases  Web forms One Click Demo in module January 1, 2013 99X Technology(c) 2
  • 3. How it is exploited?  Can be very simple – Image link in email, script on a blog, simple link  Attackers gets user to  Click a specially crafted link (or inject JavaScript to a site victim visits)  Execute a request (can be very simple as requesting an image url in email)  Innocently browsing a web site  Can users include hrefs or Image links to your site? Link to bad url  Ever click “view images” in an email?  All browsers happily send over credentials if already logged on  If already logged in (forms auth) the cookie is sent over even for an image request  Some are invisible! IE default setting January 1, 2013 99X Technology(c) 3
  • 4. CSRF – HOW IT IS EXPLOITED? DEMO January 1, 2013 99X Technology(c) 4
  • 5. CSRF – HOW IT IS EXPLOITED? DEMO – Repeatability is the key January 1, 2013 99X Technology(c) 5
  • 6. CSRF – HOW IT IS EXPLOITED? DEMO – Piggyback with some other attack like XSS January 1, 2013 99X Technology(c) 6
  • 7. CSRF – POSTs protect me  They do, don’t they? Don’t they? Hello?  MVC CSRF via XSS  Web Forms One Click attack  Page.IsPostBack doesn’t always tell the truth  A button click doesn’t always mean someone click the button January 1, 2013 99X Technology(c) 7
  • 8. How do you prevent it?  All Web Apps  Ensure GET only retrieves a resource (as per HTTP Spec)  No state is modified  POSTS/PUT/DELETE can be forged, must take additional precautions  Try to make requests unique and non-repeatable  Web forms specific  ViewStateUserKey = Session.SessionId  ViewState then acts as a form token  Must protect the Session Ids(Using Encryption, Hashing)  Pages inherit from the base web page  SSL to prevent sniffing of ViewState & SessionId  MVC Specific  Anti-Forgery token uses form value AND cookie value  SSL to prevent from sniffing Anti-Forgery token January 1, 2013 99X Technology(c) 8
  • 9. Web Forms – CSRF Prevention DEMO January 1, 2013 99X Technology(c) 9
  • 10. MVC – CSRF Prevention DEMO January 1, 2013 99X Technology(c) 10