Understanding Cross Site Request Forgery
Nathan E Botts

Understanding Cross Site Request Forgery

Mechanics of a CSRF Attack

Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re passing anti-forgery tokens to any APIs you wouldn’t want fraudulently called, right?!)

I thought I’d record a quick (ok, half an hour is still quick for me!) and unedited walkthrough of the mechanics of CSRF and how ASP.NET deals with it in both MVC and Web Forms. The .NET bits are just examples of how anti-forgery tokens in hidden form fields and cookies work though so don’t worry if you live in another web stack, it’s the same fundamental defence. Here’s the vid:

For a great example of nasty CSRF and an attack style we’ve seen many times before now, check out how an attack campaign compromised 300,000 home routers, alters DNS settings.

If you’d like to have a play with CSRF yourself, that form I used in the vid is here: http://evilcyberhacker.com/csrf.html

The site I use to demo it is here: http://hackyourselffirst.troyhunt.com

If you’d like to read about CSRF in more detail, check out my 2010 post (crikey, is it that long already?!) on OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF). If you have Pluralsight access, it’s in my course of the same name for the .NET folks or my Hack Yourself First course if you’d like a technology agnostic view of it. If you don’t have Pluralsight, firstly, what’s wrong with you?! :) And secondly, you can still get three months for free using this one neat trick… enjoy!

Link to original article

Previous Article Microsoft Regional Director
Next Article New Pluralsight course: Ethical Hacking, Denial of Service
Print
7091 Rate this article:
No rating
0Upvote 0Downvote
Please login or register to post comments.
All information, thought, and references provided on Health eConsultation is intended for informational and educational purposes only. Health eConsutlation currently makes no attempt at HIPAA privacy compliance. Any trade names used are information and details given for the convenience of users and do not constitute an endorsement from Health eConsultation.
Use this site at your own risk, and do not use the information to make medical or legal decisions without first seeking guidance from a medical or legal professional.
Plain and simple, ads are used to help pay for the cost of the server and resources required to serve Health eConsultation members and provide an objective resource of health information and health education. Subscribers of Health eConsultation can access the site without having to view ads.
OUR SERVICES
We are passionate about the therapeutic benefits that can be derived from appropriately applied health education .
More informed patients are healthier and less costly to provide care to.
We seek to give consumers and patients a voice, because in the end we are them.
Evidence based practices is what nurtures a thriving health system.

HEALTH IT EDUCATION - KNOWLEDGE IS POWER

 
WHO WE ARE
Health eConsultation members believe that health improvement is about patient knowledge, motivation and opportunity to act in concert with healthcare professionals to improve their condition.
OUR PURPOSE
Our primary purpose is to build a community around unbiased Health IT education so that people are able to focus on the information they need without having to navigate the vast amount of information that is available on the web.
LEVERAGE VS BUILD
Health eConsultation seeks to leverage responsible, engaging and, hopefully, motivating education, and information resources. The idea is not to scrape the content of other sites, but to investigate, synthesize, and report in order to create an evidence-base founded on increased rigor and research.
RESOURCES & REFERENCES
Health eConsultation educational material and website information are provided primarily through free resources, although some sites mentioned might require further registration and payment for particular membership or services.
DISCLAIMER
All information, thought, and references provided on Health eConsultation is intended for informational and educational purposes only. Health eConsutlation currently makes no attempt at HIPAA privacy compliance. Use this site at your own risk, and do not use the information to make medical decisions without first seeking guidance from a medical professonal.
CUSTOMIZED LEARNING
By registering with Health eConsultation you can participate in comments, ratings, and bookmarking. You can also keep track of the time that you spend learning about certain topics for your own records or to share whith health professionals you are working with.