Cross-Site Request Forgery Attack (CSRF)

CSRF Page 1
Outline
❖ Cross-site requests
❖ CSRF attack
❖ Defense

❖ Reading: Chapter 10
❖ Lab: CSRF Attack Lab

CSRF Page 2
Lab Setup
Target website: www.seed-server.com

Attacker: www.attacker32.com

Experiment: www.example32.com

Add the following to /etc/hosts

CSRF Page 3
End

CSRF Page 4
Cross-Site Request

CSRF Page 5
Cross-Site Request and CSRF

CSRF Page 6
Session Hijacking Using CSRF

CSRF Page 7
CSRF Attacks on IoT Devices

CSRF Page 8
End

CSRF Page 9
Attack on GET Service

CSRF Page 10
Attack on GET Service
❖ GET versus POST

❖ Target GET service

❖ Forge GET request

CSRF Page 11
CSRF Page 12
The Add-Friend HTTP Request
❖ Add-Friend service

❖ Investigation

CSRF Page 13
Forge GET Request
❖ Attack page (from Attacker's website)

CSRF Page 14
Demo: Lab Setup
❖ Lab Setup

docker-compose.yml

CSRF Page 15
Demo: Attack
❖ Attacker's Page (http://www.attacker32.com)

File: Labsetup/attacker/addfriend.html

CSRF Page 16
End

CSRF Page 17
Attack on POST Request

CSRF Page 18
Edit Profile

CSRF Page 19
Edit-Profile Form

CSRF Page 20
Edit-Profile POST Request

CSRF Page 21
Sending POST Requests

CSRF Page 22
CSRF Page 23
Forging POST Requests

CSRF Page 24
Demo
❖ Attacker's Page (http://www.attacker32.com)

File: Labsetup/attacker/editprofile.html

CSRF Page 25
End

CSRF Page 26
Countermeasures

CSRF Page 27
Fundamental Causes

CSRF Page 28
Ideas

CSRF Page 29
The Secret Token Approach

CSRF Page 30
Secret Token in Elgg
❖ Secret tokens in hidden fields

<input name="__elgg_token" value="OK9egrRbJoU8GjTUjesyCQ" type="hidden">
<input name="__elgg_ts" value="1617068038" type="hidden">

❖ Secret tokens in JavaScript code

elgg = {
  "config": { … },
  "security": {"token": {"__elgg_ts": 1617068038,
                         "__elgg_token": "OK9egrRbJoU8GjTUjesyCQ"}
  }, …
}

❖ Request
http://www.csrflabelgg.com/action/friends/add?friend=42
&__elgg_ts=1617068038&__elgg_token=OK9egrRbJoU8GjTUjesyCQ
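A defender-side illustration of the token scheme the slide describes, added here as example code (it is not Elgg's implementation): the server derives `__elgg_token` from a per-site secret, the user's session id and the `__elgg_ts` issue time, and a state-changing request is honoured only if both fields are present, fresh and match. The secret, token lifetime and session ids are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from
# configuration, never from source code.
SITE_SECRET = b"example-site-secret-not-for-production"
TOKEN_TTL = 2 * 3600  # seconds a token stays valid (constructed value)


def make_csrf_token(session_id: str, ts: int, secret: bytes = SITE_SECRET) -> str:
    """Bind a token to the user's session and an issue timestamp.

    The token is an HMAC over (ts, session_id): knowing ts is not enough
    to compute it without the secret, and a token minted for one session
    does not validate for another.
    """
    msg = f"{ts}:{session_id}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate and base64-encode for use in forms and URLs; 16 bytes
    # give a 22-character token like the one shown on the slide.
    return base64.urlsafe_b64encode(digest[:16]).decode().rstrip("=")


def hidden_fields(session_id: str, now: Optional[int] = None) -> str:
    """Render the two hidden inputs a server-generated form carries."""
    ts = int(time.time()) if now is None else now
    tok = make_csrf_token(session_id, ts)
    return (f'<input name="__elgg_token" value="{tok}" type="hidden">\n'
            f'<input name="__elgg_ts" value="{ts}" type="hidden">')


def validate_csrf(params: dict, session_id: str, now: Optional[int] = None,
                  secret: bytes = SITE_SECRET) -> bool:
    """Accept a request only if it carries a fresh token bound to this session."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(params["__elgg_ts"])
        submitted = params["__elgg_token"]
    except (KeyError, ValueError):
        return False  # a cross-site page cannot read the token, so it is absent
    if not 0 <= now - ts <= TOKEN_TTL:
        return False  # stale or future-dated timestamp
    expected = make_csrf_token(session_id, ts, secret)
    # Constant-time comparison so the token does not leak through timing.
    return hmac.compare_digest(expected, submitted)
```

The check happens on every state-changing action (such as the add-friend request above) in addition to the session cookie, which is what the forged cross-site request lacks.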

CSRF Page 31
The Password Approach

CSRF Page 32
Same-Site Cookie

CSRF Page 33
Same-Site Cookie Experiments
❖ Setting cookies
From http://www.example32.com/

❖ Same-Site Requests
From http://www.example32.com/testing.html

CSRF Page 34
❖ Cross-Site Requests
From: http://www.attacker32.com/testing.html

CSRF Page 35
End

CSRF Page 36
Review Questions and Summary

CSRF Page 37
Review Question
In the edit-profile request, there is a user ID. Assume that this ID is a
long random number generated by the server. The ID information can be
found on the user's page. If attackers do not know this user ID, can
they still launch a CSRF attack on this service?

CSRF Page 38
Summary
❖ Cross-site requests
❖ Launch CSRF attacks on GET and POST services
❖ Fundamental causes and countermeasures
❖ Same-site cookies

CSRF Page 39
End

CSRF Page 40