Cross-Site Request Forgery Attack (CSRF)
CSRF Page 1
Outline
❖ Cross-site requests
❖ CSRF attack
❖ Defense
❖ Reading: Chapter 10
❖ Lab: CSRF Attack Lab
CSRF Page 2
Lab Setup
Target website: www.seed-server.com
Attacker: www.attacker32.com
Experiment: www.example32.com
CSRF Page 3
End
CSRF Page 4
Cross-Site Request
CSRF Page 5
Cross-Site Request and CSRF
CSRF Page 6
Session Hijacking Using CSRF
CSRF Page 7
CSRF Attacks on IoT Devices
CSRF Page 8
End
CSRF Page 9
Attack on GET Service
CSRF Page 10
Attack on GET Service
❖ GET versus POST
CSRF Page 11
CSRF Page 12
The Add-Friend HTTP Request
❖ Add-Friend service
❖ Investigation
CSRF Page 13
Forge GET Request
❖ Attack page (from Attacker's website)
CSRF Page 14
Demo: Lab Setup
❖ Lab Setup
docker-compose.yml
CSRF Page 15
Demo: Attack
❖ Attacker's Page (http://www.attacker32.com)
File: Labsetup/attacker/addfriend.html
CSRF Page 16
End
CSRF Page 17
Attack on POST Request
CSRF Page 18
Edit Profile
CSRF Page 19
Edit-Profile Form
CSRF Page 20
Edit-Profile POST Request
CSRF Page 21
Sending POST Requests
CSRF Page 22
CSRF Page 23
Forging POST Requests
CSRF Page 24
Demo
❖ Attacker's Page (http://www.attacker32.com)
File: Labsetup/attacker/editprofile.html
CSRF Page 25
End
CSRF Page 26
Countermeasures
CSRF Page 27
Fundamental Causes
CSRF Page 28
Ideas
CSRF Page 29
The Secret Token Approach
CSRF Page 30
Secret Token in Elgg
❖ Secret tokens in hidden fields
❖ Request
http://www.csrflabelgg.com/action/friends/add?friend=42&__elgg_ts=1617068038&__elgg_token=OK9egrRbJoU8GjTUjesyCQ
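An added example (not Elgg's own code) of the server-side check behind a request like the one above: the token is an HMAC over the session and the timestamp under a server-held secret, so a page on www.attacker32.com can neither read it (same-origin policy) nor compute it. The secret, the token lifetime and the session id are assumptions.

```python
# Added example: a secret-token check of the kind behind the Elgg request above.
# Not Elgg's code; SERVER_SECRET, TOKEN_LIFETIME and the session id are assumptions.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server
TOKEN_LIFETIME = 2 * 60 * 60              # seconds a __elgg_ts stays fresh

def make_token(session_id: str, ts: int) -> str:
    """Token the server embeds in a hidden form field beside __elgg_ts."""
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def check_token(session_id: str, ts_str: str, token: str, now: int) -> bool:
    """Accept only a fresh token the server minted for this session and ts."""
    try:
        ts = int(ts_str)
    except ValueError:
        return False
    if not 0 <= now - ts <= TOKEN_LIFETIME:
        return False
    return hmac.compare_digest(make_token(session_id, ts).encode(), token.encode())

def handle_add_friend(url: str, session_id: str, now: int) -> str:
    """Add-friend action: the session comes from the cookie (sent on any
    request), the token must come from the page that issued the request."""
    q = parse_qs(urlsplit(url).query)
    ts = q.get("__elgg_ts", [""])[0]
    token = q.get("__elgg_token", [""])[0]
    if not check_token(session_id, ts, token, now):
        return "rejected: missing or invalid CSRF token"
    return f"friend {q.get('friend', [''])[0]} added"

def demo() -> tuple:
    """Same-site request with a valid token, a forged request without one,
    and a replay of an expired token (constructed inputs)."""
    session, now = "sess-abc123", int(time.time())
    base = "http://www.csrflabelgg.com/action/friends/add?friend=42"
    old = now - TOKEN_LIFETIME - 1
    good = f"{base}&__elgg_ts={now}&__elgg_token={make_token(session, now)}"
    stale = f"{base}&__elgg_ts={old}&__elgg_token={make_token(session, old)}"
    return (handle_add_friend(good, session, now),
            handle_add_friend(base, session, now),   # forged: no token
            handle_add_friend(stale, session, now))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```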
CSRF Page 31
The Password Approach
CSRF Page 32
Same-Site Cookie
CSRF Page 33
Same-Site Cookie Experiments
❖ Setting cookies
From http://www.example32.com/
❖ Same-Site Requests
From http://www.example32.com/testing.html
CSRF Page 34
❖ Cross-Site Requests
From http://www.attacker32.com/testing.html
CSRF Page 35
End
CSRF Page 36
Review Questions and Summary
CSRF Page 37
Review Question
In the edit-profile request, there is a user ID. Assume that this ID is a long random number generated by the server. The ID can be found on the user's page. If attackers do not know this user ID, can they still launch a CSRF attack on this service?
CSRF Page 38
Summary
❖ Cross-site requests
❖ Launch CSRF attacks on GET and POST services
❖ Fundamental causes and countermeasures
❖ Same-site cookies
CSRF Page 39
End
CSRF Page 40