CSRF: Cross Site Request Forgery
Video Transcription
00:00
Hello and welcome back to the course, identifying Web attacks through logs.
00:06
In the last video, we talked about cross site scripting attacks.
00:09
In this video, we will discuss cross site request forgery.
00:13
Let's start with the learning objectives.
00:15
The learning objectives are to review cross site request forgery and to identify the attacks through log analysis.
00:22
Cross site request forgery exploits the trust between the Web server and the user's browser.
00:27
Suppose that you access your interactive bank website.
00:30
Everything goes okay, you do whatever you need to do,
00:33
but afterwards you access a malicious website.
00:36
This malicious website will try to send a malicious command through your Web browser.
00:41
Your Web browser will execute the command.
00:43
This malicious command could be a money transfer to the attacker's account.
00:48
The user won't see the request, and
00:50
this could all happen because the bank website
00:52
trusts the user's browser.
00:54
Maybe you're thinking
00:56
cross site request forgery is the same thing as cross site scripting, right?
01:02
Well, even if the name is similar, the attack is different.
01:07
In cross site request forgery,
01:08
the source of the attack does not directly connect to the Web server.
01:14
That's why the name is
01:15
forgery.
01:19
In our lab, we have a vulnerable Web application.
01:23
In this case, the vulnerability allows for the changing of the user's password.
01:27
First, let's see the logs of a normal request.
01:32
The first two lines are the logon and the access to the vulnerable Web page.
01:37
The next line is the user changing the password.
01:40
We can see the client's IP address, the requested file with the password change, and the referer.
01:46
Also, take a look at the time.
01:49
The next log is a malicious request.
01:51
You can see the same IP address and another request to change the password.
01:56
Can you identify another difference between the two logs?
02:00
One of the differences is the password.
02:04
Another difference is the referer.
02:06
Here, we don't have the referer, and this new password change request happened some time after the first request.
02:15
In summary,
02:17
how do you identify cross site request forgery?
02:22
Well, the referer is the best way to identify it.
02:25
If you notice an unexpected referer,
02:28
it's a good indication that something is wrong.
02:30
Another thing is different behavior from the user, like changing or trying to change the password many times in a short period of time, or repeating the same actions in a short period of time.
02:42
Post-assessment question.
02:45
Cross site request forgery attacks only happen if the user's browser is compromised.
02:52
Is this affirmation true
02:53
or false?
02:55
This affirmation is false.
02:59
Most of the time the attack will happen because the user connected to a malicious website.
03:06
For the next question, analyze the weblog below and identify the possible attack type.
03:12
Here you have two POST methods, both trying to log into a Web page
03:15
and with more than one minute of difference between the two requests.
03:20
Also notice that the referer changes.
03:23
This could be a cross site request forgery attack using the POST request.
03:28
The source of the attack is the Little Cut Dogs web page.
03:32
Since this is a POST request,
03:35
we can't see the user or the password sent by the malicious Web server that hosts the Little Cut Dogs website.
03:42
Video Summary.
03:43
In this video, we discussed cross site request forgery attacks and identified the attacks by analyzing Web server logs.
03:51
For the next video, we will analyze other sources of logs, like IPS logs.