Time: 9 hours 31 minutes
Difficulty: Intermediate
CEU/CPE: 10

Video Description

This lesson begins with a definition of cross-site request forgery (CSRF): an attack that forces a logged-on victim's browser to send a forged HTTP request to a vulnerable web application. Participants are also presented with a case study about PayPal. This happened in October 2014, when Yasser Ali's blog described how he was able to hijack these accounts with one click without being the real user.

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013, A8: Cross-Site Request Forgery. Now, first, our definition.
00:17
Cross-site request forgery, by the way, is usually termed "sea-surf". Or you can also see it shown with an X, so CSRF or XSRF refer to the same thing.
00:30
So a CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information,
00:45
to a vulnerable web application.
00:48
This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
00:58
We're gonna talk about the nuances of CSRF attacks. But the difference between a CSRF attack
01:04
and the broken authentication type attacks that we saw earlier
01:08
is that in the case of CSRF,
01:11
there's actually
01:14
very little by way of authentication that needs to be done.
01:19
And so, generally speaking, it's really relying on the victim being logged into the targeted application
01:29
and
01:30
ah, and then piggybacking on that authenticated session. So if we take a look at the OWASP charts, we can see that the
01:40
attack vector exploitability is average.
01:44
The technical impacts are moderate, but the weakness itself is very widespread.
01:52
Fortunately for secure code developers, it is easy to detect.
01:57
Now CSRF, as it mentions here, takes advantage of a web application
02:04
that allows attackers to predict all the details of a particular action.
02:10
Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
02:25
So if we think about this, what the focus is here for a CSRF attack
02:31
is the actions that are done inside of a web application.
02:38
So when we talked about
02:39
session fixation and things like that, we were more focused on the cookie, whereas here we're more focused on the operations of the web application, and the attacker is essentially
02:54
forcing
02:55
unintended operations made by the victim, unbeknownst to them. And we can illustrate the scenario in the following way, starting at the top, number one: our victim signs into their stock trade account,
03:12
and they leave their browser open to that site. They don't sign off of their account and they don't close their browser.
03:22
Then step number two. The victim decides to open another tab in that browser and just happens to go to either a compromised, very well-known news site, like CNN, or some other site
03:38
that may have some sort of injected iframe or malicious script on the page. And then the details of the request that are for the stock trade application are actually
03:54
executed
03:57
from the compromised news website. This is because the operations of the ABC Trade website
04:08
are pre-known by the attacker
04:10
and, of course, the ABC Trade website doesn't have any kind of protection against CSRF attacks.
04:18
And so what happens is there's an auto-load of the evil script in the background, this JavaScript
04:26
that requests some transfer of funds that are taken from the victim's stock trading account to the attacker's own stock trading account.
04:34
And
04:35
that script is, at step number three, automatically executed by the browser and goes to the trade website on the attacker's behalf.
04:48
For the sample attack code for performing a CSRF attack,
04:54
basically, you're going to see where an attacker would create a forged request
05:00
piggybacking on that logged-in victim. And, of course, the request is going to match
05:08
the operation format that the targeted website is expecting.
05:15
So it could be injected HTML, as what's shown here; it could be injected JavaScript or a JavaScript function that gets invoked.
05:27
But basically, whatever is injected into the legitimate session
05:32
will allow or perform unintended requests
05:39
that are then sent to that targeted web server by the victim, using the victim's legitimate session,
05:46
without the victim's knowledge or consent.
05:50
Now our case study is PayPal.
05:54
Basically, PayPal had put in an anti-CSRF token to combat CSRF attacks.
06:01
The problem was that the token could be easily acquired even before logging in. This particular researcher actually discovered this, was able to create
06:15
a successful request with an actual forged CSRF token that he had gotten from a response prior to even logging in, and he was able to prove that he could bypass
06:31
their anti-CSRF token mechanism and perform operations in PayPal without being the legitimate user.
06:44
And so there were actually several design flaws in this particular implementation of
06:50
an anti-CSRF token,
06:54
but it's a good example of how, even if you implement
06:58
some anti-CSRF tokens, you do have to ensure that they are done properly,
07:04
that they're done securely, that password resets are taken into account,
07:10
that tokens are changed upon login,
07:14
and that these different scenarios are looked at and tested prior to going into production.
07:20
So now we're gonna move into the demo portion of our module.
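As an added illustration of the design points raised in the PayPal case study (example code written for this page, not PayPal's or the course's own), here is a minimal server-side anti-CSRF token check in Python that issues tokens only after login, binds each token to the session with an HMAC, and rotates both the session id and the token on login, so a token obtained before authentication cannot be replayed. The `Session` model, `SERVER_SECRET` and the `transfer_funds` handler are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example only; a real deployment
# would load it from a key store, never hard-code it.
SERVER_SECRET = secrets.token_bytes(32)


class Session:
    """Minimal server-side session record (assumed model, not any framework's)."""
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.user = None          # None until login succeeds
        self.csrf_token = None    # issued only once authenticated


def mint_token(session):
    # Refuse to issue a token to an unauthenticated session: a token handed
    # out before login is exactly what the case study shows being abused.
    if session.user is None:
        raise PermissionError("no anti-CSRF token before login")
    nonce = secrets.token_hex(16)
    # Bind the token to this session id with an HMAC, so a token minted for
    # one session is rejected when presented with another.
    mac = hmac.new(SERVER_SECRET, f"{session.id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def login(session, user):
    # Rotate the session id and the token on every login, so anything observed
    # for the pre-login (or previous) session is useless afterwards.
    session.id = secrets.token_hex(16)
    session.user = user
    session.csrf_token = mint_token(session)
    return session.csrf_token


def valid_token(session, presented):
    """True only if `presented` is the token bound to this logged-in session."""
    if session.user is None or session.csrf_token is None or not presented:
        return False
    try:
        nonce, mac = presented.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session.id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # compare_digest gives constant-time comparison; both checks must pass.
    return hmac.compare_digest(mac, expected) and hmac.compare_digest(presented, session.csrf_token)


def transfer_funds(session, form):
    """State-changing action: refuse unless the request carries a valid token."""
    if not valid_token(session, form.get("csrf_token")):
        return "rejected"
    return f"transferred {form['amount']} to {form['to']}"
```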

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Sunny Wear
Instructor