Introduction to CSRF Attacks & Defense


It's the PPT of the presentation at the Null Hyd June 2014 meet. I tried to make it as simple as I can :) Share if you like and please let me know your suggestions :)


Introduction to CSRF Attacks & Defenses.

Who Am I?

I’m P.B.Surya.Subhash, a 17-year-old coder, hacker and student.

Certified by Microsoft and was offered a job by Yahoo, Dell, Slideshare and a couple of other MNCs.

Helped USA.Gov, Nic.in, NCSL, Netherlands.

pbssubhash@gmail.com

@pbssubhash

Fb.me/pbssubhash

Linkedin.com/in/pbssubhash

And many more…

Agenda

• What’s CSRF?

• Impact of CSRF

• How to test websites for CSRF?

• Real-time attack scenario of CSRF

• Defenses against CSRF

• How to bypass those defenses?

• Using CSRF to compromise DSL routers

• Conclusion

What’s this CSRF?

• Cross-Site Request Forgery, abbreviated CSRF and also known as Session Riding.

• Forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated: the victim’s browser attaches the session cookie to a request the attacker crafted, so the application cannot tell it apart from a request the user meant to make.

Impact

A successful CSRF exploit can compromise end-user data and operations in the case of a normal user.

If the targeted end user is the administrator account, this can compromise the entire web application.

That’s all?

• Anything an authenticated user can do.

• The same-origin policy does not block the forged request; its one restriction is that…

• …attackers cannot read responses from other origins,

• so they are limited in what can be done with the returned data (the action itself still happens).

• Severe impact on accountability: log entries reflect the actions a victim was tricked into executing.

How to find these? So let’s break it! (root@null: rm -rf /root/earth/security/)

Let’s Exploit it!

Killer Combination!

• Persistent Script Injection + CSRF = PWN3D

(Stored script injection runs inside the target’s own origin, so the injected script can read the anti-CSRF token from the page and submit the forged request itself; the token defense no longer helps.)

Defenses

• The simplest one is to validate the Referer header in the HTTP request, preventing requests from unknown sources.

• The most popular one remains the token: an unpredictable per-session (or per-request) value embedded in every state-changing form and compared on the server before the action runs.

• Custom HTTP header like X-Requested-By: MySite.com (not so popular). It works because a cross-origin page cannot add custom headers to a plain form submission, and a scripted cross-origin request carrying one triggers a CORS preflight that the site does not grant.

• Same-Origin Policy.

• Re-authentication.

• Captcha.

Common Mistakes:

• Not validating the token: it is generated and rendered into the form, but the server never compares it (or only checks that some value is present).

• Not applying captcha properly (for example, only on some of the state-changing forms).

Example :-

http://www.youtube.com/watch?v=zl0ARKQhoLA

Misconceptions: Defenses That Don’t Work

Only accept POST

• Stops simple link-based attacks (IMG, frames, etc.)

• But hidden POST requests can be created with frames, scripts, etc.

Referer checking

• Some users prohibit referers, so you can’t just require the Referer header.

• Techniques to selectively create HTTP requests without referers exist.

Requiring multi-step transactions

• A CSRF attack can perform each step in order.

None of these approaches will sufficiently protect against CSRF!

Intro on How to Bypass those defenses?

• Clickjacking

• Bypassing SOP

• Insecure crossdomain.xml

• Openly available exploits

• Bypassing the captcha

• Checking token validation

• Checking header validation

• Converting POST-based requests to GET-based requests

CSRF to compromise DSL Routers?

• Home DSL routers aren’t secure from specialized CSRF attacks: the router’s web administration interface is just another site that the victim’s browser can be made to send requests to. Once the DSL router is owned, attackers can have their way with the internal network.

Steps shown in the demo:

• Initiate a connection to the new DSL router.

• Turn on remote management.

• Add a password to the Admin user account.

Demo Time

Anything to ask?

Bye!

Please drop your suggestions at @pbssubhash (or) pbssubhash@gmail.com

Thank You!
