Introduction to CSRF Attacks & Defenses

Uploaded by: surya-subhash

Posted on 08-May-2015


DESCRIPTION

It's the PPT of the presentation at the Null Hyd June 2014 meet. I tried to make it as simple as I can :) Share if you like and please let me know your suggestions :)

TRANSCRIPT

Page 1: Introduction to CSRF Attacks & Defense

Introduction to CSRF Attacks & Defenses.

Page 2

Who Am I?

I’m P.B.Surya.Subhash, a 17-year-old coder, hacker and student.

Certified by Microsoft and was offered a job by Yahoo, Dell, Slideshare and a couple of other MNCs.

Helped USA.Gov, Nic.in, NCSL, Netherlands.

[email protected]

@pbssubhash

Fb.me/pbssubhash

Linkedin.com/in/pbssubhash

Page 3

And many more…

Page 4

Agenda

• What’s CSRF?

• Impact of CSRF

• How to test websites for CSRF?

• Real-time attack scenario of CSRF

• Defenses against CSRF

• How to bypass those defenses?

• Using CSRF to compromise DSL routers

• Conclusion

Page 5

What’s this CSRF?

• Cross-site request forgery, abbreviated CSRF and also known as Session Riding.

• Forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.

Page 6

Impact

For a normal user, a successful CSRF exploit can compromise that user's data and the operations performed on their behalf.

If the targeted end user is the administrator account, this can compromise the entire web application.

Page 7

That’s all?

• Anything an authenticated user can do

• No restriction from the same-origin policy, except…

  • Attackers cannot read responses from other origins

  • Limited in what can be done with data

• Severe impact on accountability: log entries reflect the actions a victim was tricked into executing

Page 8

How to find these? So let’s break it! (root@null: rm -rf /root/earth/security/)

Page 9

Let’s Exploit It!

Page 10

Killer Combination!

• Persistent Script Injection + CSRF = PWN3D

Page 11

Defenses

• The simplest one is to validate the Referer header of the HTTP request, rejecting requests from unknown sources.

• The most popular one remains the token.

• A custom HTTP header like X-Requested-By: MySite.com. Not so popular…

• Same Origin Policy.

• Re-authentication

• Captcha

Page 12

Common Mistakes:

• Not validating the token.

• Not applying captcha properly.

Example:

http://www.youtube.com/watch?v=zl0ARKQhoLA
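The token defense from the previous slide, and the "not validating the token" mistake from this one, side by side. This is an added example written for this transcript, not code from the slides: a per-session synchronizer token is issued and stored server-side, the genuine form carries it, and a forged cross-site request (the browser still sends the victim's session cookie, but the attacker's page cannot read our pages to learn the token) is rejected. `validate_token_broken` shows the mistake: the field is required but never compared, so any value passes. The session store, the `transfer` endpoint and the field name `csrf_token` are constructed for the demo.

```python
import hmac
import secrets

# Constructed stand-in for a framework's server-side session store, keyed by session id.
SESSIONS = {}

TOKEN_KEY = "csrf_token"  # hypothetical form field / session key name


def new_session():
    """Create a session id (hypothetical helper replacing a real session layer)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def issue_token(sid):
    """Issue one unguessable anti-CSRF token per session and keep it server-side.

    The token is embedded in the site's own forms. An attacker's page cannot read
    it: the same-origin policy stops it from reading responses from our origin.
    """
    session = SESSIONS[sid]
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def validate_token_broken(sid, form):
    """The 'not validating the token' mistake: the field must be present, but its
    value is never compared with the session's token, so any non-empty string passes."""
    return bool(form.get(TOKEN_KEY))


def validate_token(sid, form):
    """Correct check: the submitted token must equal the one stored for this session.

    hmac.compare_digest avoids leaking the token through comparison timing. A missing
    session token, a missing form field, or a mismatch all reject.
    """
    expected = SESSIONS.get(sid, {}).get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(sid, form, validator):
    """Simulated state-changing endpoint: proceeds only when the validator accepts."""
    if sid not in SESSIONS:
        return "unauthenticated"
    if not validator(sid, form):
        return "rejected: csrf token invalid"
    return "ok"


def demo():
    """Constructed scenario: one logged-in victim, one genuine and two forged requests."""
    sid = new_session()
    token = issue_token(sid)

    # Genuine request: the site's own form carries the session's token.
    genuine = {"to": "alice", "amount": "10", TOKEN_KEY: token}
    # Forged requests: the browser attaches the victim's cookie, but the attacker's
    # page does not know the token; it can omit it or guess one.
    forged_guess = {"to": "attacker", "amount": "1000", TOKEN_KEY: "guess"}
    forged_none = {"to": "attacker", "amount": "1000"}

    return {
        "genuine": handle_transfer(sid, genuine, validate_token),
        "forged_guess": handle_transfer(sid, forged_guess, validate_token),
        "forged_none": handle_transfer(sid, forged_none, validate_token),
        # Same forged request against the broken validator slips through.
        "forged_guess_broken": handle_transfer(sid, forged_guess, validate_token_broken),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token is stored in the session rather than derived from the cookie so that a leaked cookie value alone is not enough to forge it; rotating it per session (not per request) keeps multi-tab use working while still denying the attacker any way to obtain it.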

Page 13

Misconceptions – Defenses That Don’t Work

• Only accept POST

  • Stops simple link-based attacks (IMG, frames, etc.)

  • But hidden POST requests can be created with frames, scripts, etc…

• Referer checking

  • Some users suppress the Referer header, so you can’t just require it

  • Techniques to selectively create HTTP requests without a Referer exist

• Requiring multi-step transactions

  • A CSRF attack can perform each step in order

None of these approaches will sufficiently protect against CSRF!
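The Referer check and the custom-header check from page 11, together with the caveat on this slide that some users send no Referer at all. This is an added example, not from the slides: `source_check` prefers the browser's `Origin` header and falls back to `Referer`, and `strict_when_absent` makes the trade-off explicit, since rejecting requests with no header locks out users whose browser or proxy strips it, while accepting them lets a forged request that arrives without a header through. `custom_header_check` shows why `X-Requested-By` works at all: a plain cross-site form submission cannot add custom headers, and a cross-site script can only do so after a CORS preflight the server does not grant. The allowed origin `https://bank.example`, the header value `MySite.com` and the sample headers are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed configuration: origins allowed to submit state-changing requests.
ALLOWED_ORIGINS = {"https://bank.example"}  # hypothetical site


def request_origin(headers):
    """Return scheme://host[:port] the browser reports the request came from, or None.

    Origin is preferred (browsers send it on POST and it has a fixed format); Referer
    is the fallback and is reduced to its origin part. Header names are matched
    case-insensitively. An Origin of the literal string 'null' carries no information.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = lower.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def source_check(headers, strict_when_absent=True):
    """Referer/Origin defense. Returns (accepted, reason).

    strict_when_absent=True rejects requests that carry neither header (safe, but
    breaks users whose browser or proxy strips Referer); False accepts them, which
    is exactly the hole the slide warns about.
    """
    origin = request_origin(headers)
    if origin is None:
        if strict_when_absent:
            return False, "no Origin/Referer header; rejected (strict policy)"
        return True, "no Origin/Referer header; accepted (lenient policy)"
    if origin in ALLOWED_ORIGINS:
        return True, f"origin {origin} allowed"
    return False, f"origin {origin} not allowed"


def custom_header_check(headers, expected="MySite.com"):
    """X-Requested-By defense: the header is only present when the request was made by
    the site's own script (or by a client the server explicitly allowed via CORS)."""
    lower = {k.lower(): v for k, v in headers.items()}
    return lower.get("x-requested-by") == expected


def demo():
    """Constructed header sets: same-site, cross-site, stripped, and Referer-only."""
    same_site = {
        "Origin": "https://bank.example",
        "Referer": "https://bank.example/transfer",
        "X-Requested-By": "MySite.com",
    }
    cross_site = {
        "Origin": "https://evil.example",
        "Referer": "https://evil.example/page.html",
    }
    stripped = {}  # privacy extension or proxy removed both headers
    referer_only = {"Referer": "https://bank.example/transfer"}

    return {
        "same_site": source_check(same_site)[0],
        "cross_site": source_check(cross_site)[0],
        "stripped_strict": source_check(stripped)[0],
        "stripped_lenient": source_check(stripped, strict_when_absent=False)[0],
        "referer_only": source_check(referer_only)[0],
        "header_same_site": custom_header_check(same_site),
        "header_cross_site": custom_header_check(cross_site),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Neither check replaces the token: the custom-header check only holds while the server's CORS configuration (and, for the Flash-era attacks on page 14, its crossdomain.xml) stays restrictive, and the Origin/Referer check is only as good as the policy chosen for requests that carry no header.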

Page 14

Intro on how to bypass those defenses?

• Clickjacking

• Bypassing SOP

• Insecure crossdomain.xml

• Openly available exploits

• Bypassing the captcha

• Checking token validation

• Checking header validation

• Converting POST-based requests to GET-based requests

Page 15

CSRF to compromise DSL routers?

• Home DSL routers aren't secure from specialized CSRF attacks. Once the DSL router is owned, attackers can have their way with the internal network.

• Initiate a connection to the new DSL router.

• Turn on remote management.

• Add a password to the Admin user account.

Page 16

Demo Time

Page 18

Anything to ask?

Page 19

Bye!

Please drop your suggestions at @pbssubhash (or) [email protected]

Thank You!