Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

Published byRoss Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery."— Presentation transcript:

1 AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery

2 Introduction { “Name” : “Danny Chrastil”, “Title” : “Senior Security Consultant”, “Company” : “HP Fortify”, “Hobbies” : [ { “hobby” : “Python Scripting Junkie” }, { “hobby” : “OpenSource Intelligence Advocate” }, { “hobby” : “BeeKeeping” } ] }

3 What is CSRF?

4 CSRF Misfortunes Misunderstood by many Testers Difficult for Developers Often incorrectly defended Sounds like fun! … eh? What is CSRF?

5 “Cross-site Request Forgery is a vulnerability in a website that allows attackers to force victims to perform security-sensitive actions on the Internet without their knowledge.” How do we define CSRF? - Daniel Miessler

6 An Example CSRF Evil Site Evil Request Normal Request / Response Normal Request Evil Response

7 HTTP is a session-less protocol Applications use cookies Cookies sent with every request All cookies are sent for the domain What makes CSRF possible? *** Requests come from the USER! ***

8 An Example CSRF Evil Site Evil Request Normal Request / Response Normal Request Evil Response Cookie: sessionid=dIG4nCMP7Ffq4MhmbQXHZrCY1

9 Force the user to logout http://x.x.x.x/csrf1/index.php CSRF Exercise #1

10 GET Requests – POST Requests – Hidden HTML form Other – Javascript / AJAX Calls Other Attack Vectors

11 Create an Admin user http://x.x.x.x/csrf2/index.php CSRF Exercise #2

12 Right way – CSRF Token outside HTML headers – Unique to each session / request – Double submit cookies Wrong way – CSRF Token inside HTML headers – Multiple step requests – POST only requests Defenses

13 Wrap it up! – CSRF requests come from the USER – Check all sensitive request for CSRF – Are defenses setup properly? Conclusion

Download ppt "AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Understanding SharePoint 2013 Add-In Security Vulnerabilities

Understanding SharePoint 2013 Add-In Security Vulnerabilities
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Similar presentations

Ads by Google