WHAT IS IT? ● Using a user's own access against them. ● Making a browser perform an action on a user's behalf, using that user's credentials, without said user knowing about it. (Until it's too late.)
HOW DOES IT WORK? ● Relies on the user already being logged in. ● Trick the user into visiting a URL, e.g. post a link in the comments, on the site's forum, etc. (Somewhere where they're likely to be logged in.)
WHAT'S THIS URL, THEN? ● If the site has user logins, you have actions the user can perform, e.g. editing their profile, posting a comment, accepting someone as a friend. ● Actions can be performed by forms (fill fields out and hit Submit), or by clicking a link (“Allow Friend”).
WHAT'S THIS URL, THEN? (Cont'd) ● Others are links, e.g. http://www.example.com.au/buddyzone/fzmodapi.php?m=4&f=3&r=82&nn=FRIENDLYGUY ● Visit this link, and you'll make FRIENDLYGUY your BuddyZone friend.
COME OFF IT. NO-ONE'S GOING TO CLICK THAT. ● Yeah, you're right. ● Instead, use one of the many innocuous-looking URL-shortening services. ● http://www.example.com.au/buddyzone/bzmodapi.php?m=4&f=3&r=82&nn=FRIENDLYGUY … is now: http://bit.ly/0MgWtF
OUCH. OK, HOW DO WE FIX IT? ● Use form POST for actions that have side-effects. It makes the rest a lot easier. ● Session tokens. ● Every time you generate a session, give the user a random token for that session. ● Every time you accept input, validate the token: it must be present in the submitted form and match the one stored for that session. If it doesn't validate, don't perform the action. ● An attacker can't predict the token, and so can't supply the needed form parameter value.
GIVE ME EXAMPLES, PLEASE. ● ASP.NET MVC Lucky bastards. In the view: <%= Html.AntiForgeryToken() %> In the controller, add this attribute to the action: [ValidateAntiForgeryToken]
GIVE ME EXAMPLES, PLEASE. ● PHP CodeIgniter (using Kyle Hasegawa's CSRF library) So we're almost as lucky. >:-|
In the view:
    form_token();
In the controller action, add these:
    $this->load->library('form_validation');
    $this->load->library('csrf');
    if (!$this->form_validation->run()) {
        $oTVars = validation_errors();
    } else {
        // Do the action
    }
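The framework helpers above all implement the same session-token fix described on the "how do we fix it" slide. The following is an added, framework-free illustration of that fix (not code from the slides), with a constructed in-memory session store standing in for a real session backend and the "Allow Friend" action standing in for the BuddyZone link:

```python
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS: dict[str, str] = {}


def create_session() -> str:
    """Start a logged-in session and give it an unpredictable token."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def render_form(session_id: str, nickname: str) -> str:
    """Server-rendered 'Allow Friend' form carrying the token in a hidden field."""
    return (
        '<form method="POST" action="/buddyzone/add_friend">'
        f'<input type="hidden" name="csrf_token" value="{SESSIONS[session_id]}">'
        f'<input type="hidden" name="nn" value="{html.escape(nickname)}">'
        '<button>Allow Friend</button></form>'
    )


def add_friend(session_id: str, method: str, params: dict[str, str]) -> bool:
    """Perform the side-effecting action only for a POST carrying the session's token."""
    if method != "POST":
        return False  # GET links never change state
    if session_id not in SESSIONS:
        return False  # not logged in, nothing to act on
    submitted = params.get("csrf_token", "")
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(submitted, SESSIONS[session_id]):
        return False
    # A real application would record params["nn"] as a friend here.
    return True


def demo() -> tuple[bool, bool, bool]:
    """Three requests against one logged-in session: link, forged POST, genuine form."""
    sid = create_session()
    # 1. The slides' GET link, visited while logged in: rejected (not a POST).
    via_link = add_friend(sid, "GET", {"m": "4", "f": "3", "r": "82", "nn": "FRIENDLYGUY"})
    # 2. A POST from a third party who cannot know the token: rejected.
    forged = add_friend(sid, "POST", {"nn": "FRIENDLYGUY", "csrf_token": "guess"})
    # 3. The server-rendered form submitted by the user: accepted.
    render_form(sid, "FRIENDLYGUY")
    genuine = add_friend(sid, "POST", {"nn": "FRIENDLYGUY", "csrf_token": SESSIONS[sid]})
    return via_link, forged, genuine
```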