Hello and welcome to the [inaudible] secure coding course. My name is [inaudible]. And this is OWASP Top 10 for 2013,
A8 Cross-Site Request Forgery demo:
CSRF attack via injected JavaScript.
"Add to your blog". Now, before you go there, I want to actually show you
the poll question page, because what I'm going to demonstrate is
an action that is for this particular page.
But I'm going to do it behind the scenes, in a JavaScript function that
is unknown to the user, because the user is going to be on a completely different page, which is "Add to your blog".
Now, first, let me show you the code for the JavaScript function that we're going to insert.
And what I've done is I've actually modified this original script
and included the IP address of where I'm running Mutillidae.
But basically, all the script does is duplicate what the request would look like to send a vote on that poll that we looked at on the other page.
So we're sending it as a GET,
and we've got some hidden values in here for the actual PHP that runs the page,
and then some other values that would be looked at in the application code.
The CSRF token, of course, because this is security level zero, is going to be blank. And there you can see that it's blank,
and then we have some input values,
and then what we're going to vote for. And so,
uh, JD, you see, there's our Jeremy's initials there.
And then finally, the submit button,
and then the form is going to be submitted. And then this last part is actually where
the hook is, if you will, to get
the authenticated user to actually make this CSRF attack,
and that's going to occur within onmouseover.
So we're actually going to insert
some text into the blog,
and so when the user hovers over that text,
then this "send CSRF" function
is going to be invoked, and so behind the scenes
there's actually going to be a submission for voting for a particular security tool.
And so this is a really good
way to help developers understand how
these attacks rely on a lot of conditions, one condition being that
the legitimate user is logged into
the targeted website,
um, because in a CSRF attack
you're piggybacking on an authenticated user session. So let's go ahead and see this in action.
So the first thing I'm going to do is go ahead and turn my intercept on in Burp Suite.
Now I'm going to take that entire
function that I had here,
including the script part and the mouseover.
I'm going to place it in the Decoder, which I already have here. But I'll do it again just so that you can see.
Okay. And I have URL-encoded it. So you just
encode as URL and you'll get this.
I'm actually going to append it
to the end of the string
"Hi, I'm the root user".
Okay, so I'm going to put it right before the next parameter
and then I'm going to forward that.
And what you can see has happened is
I now have the text "Hi, I am the root user",
but I also have that onmouseover string that was at the end.
And so I know that as soon as I hover over that, it's going to invoke
my CSRF function.
So watch very carefully. I'm going to hover now, and there we go.
And so we came to this page. Now, the page is getting displayed for you, this user poll, on purpose so that you can realize that this is how the attack is done. But normally the user would not be notified that
a JavaScript had just been executed behind the scenes.
We can see that we were successful in the CSRF attack.
Now, another thing to remember is that in CSRF attacks, a lot of times the attacker writes scripts for actions to be done or operations to be done
on websites that are targeted, and so it's generally going to be a different website than just within the same application. So we did this operation in the same application, but normally it's going to be a different one. And they're hoping
that you have multiple tabs open
and that you are authenticated into different websites within the same browser.
So it is a bit of a shot in the dark, but given enough tries, this attack obviously is successful.