Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

In this lesson, participants receive a demo of a CSRF attack via an injected JavaScript. Using the mutillidea page Add to Your Blog, participants receive step by step instructions in doing this in a behind the scenes JavaScript function, which the user is completely unaware of.

Video Transcription

00:04
Hello and welcome to the side. Very secure coding. Course my name Miss anywhere. And this is a loss. Top 10 for 2013
00:13
a eight cross site request. Forgery, demo,
00:17
Sea surf attack via injected Java script.
00:22
This is the demo for sea surf attack via an injected JavaScript.
00:28
We're going to use
00:31
the utility. A page
00:33
add to your blawg. Now, before you go there, I want to actually show you
00:39
the poll question, Paige, because what I'm going to demonstrate is
00:45
a
00:46
in action that is for this particular page.
00:51
But I'm going to do it behind the scenes in a script in a job script function that
00:59
is unaware to the user because the user is going to be on a completely different page, which is add to your blog's.
01:08
Now. First, let me show you the code for the jobs group function that we're going to insert.
01:18
So this is my JavaScript function course. I've got my starting script tag, the function Amis sind sie, sir.
01:29
And what I've done is I've actually modified this original script
01:34
and included the I P address of where I'm running Mattila Day.
01:41
But basically, all the script does is it duplicates what the request would look like to send a vote on that pole that we looked at on the other page.
01:53
So we're sending it as you get
01:56
and we've got some hidden values in here for the actual PHP that runs the page
02:06
and then some other values that would be looked at in the application code.
02:12
The Caesar of Token. Of course, because this is security, level zero is going to be blank. And there you can see that it's blank,
02:22
and then we have some input values,
02:24
and then what? We're going to vote. And so,
02:29
uh, J d you see, there's our Jeremy's initials there.
02:34
And then finally, the the submit button,
02:38
and then the form is going to be submitted. So and then this last part is actually where
02:46
the hook is, if you will, to get
02:50
wth e to get the authenticated user to actually make this sea surf attack
02:58
happened,
03:00
and that's going to occur within on mouse over.
03:05
So we're actually going to insert
03:08
some text into the blawg,
03:12
and so when the user hovers over that text,
03:17
then this send see surf function
03:22
is going to be invoked and so behind the scenes,
03:25
there's actually going to be a submission for voting for a particular security tool.
03:31
And so this is a really good
03:35
way to help developers understand how
03:38
house
03:40
Caesar. If attacks
03:43
rely on a lot of conditions one condition being that
03:46
the legitimate user is logged into
03:52
there
03:53
the targeted website,
03:57
Um And so because in a sea surf attack,
04:00
you're piggybacking on an authenticated user session. So let's go ahead and see this in action.
04:11
So the first thing I'm gonna do is go ahead and turn my intercept on and burp sweet
04:15
and I'm going to
04:21
Hi, I'm the boot
04:25
user.
04:27
Save my blawg
04:29
Captures it
04:31
Now I'm going to take that entire
04:35
function that I had here,
04:40
including the script part and the mouse over.
04:46
I'm going to place it in the decoder, which I already have here. But I'll do it again just so that you can see
04:59
okay. And I have you are Ln coded it. So you just
05:02
in code you are well and you'll get this.
05:08
Then I'm going to
05:15
I'm actually going to upend it
05:18
to the end of the string.
05:23
Hi, I'm the route user.
05:26
Okay, so I'm gonna put it right before the next parameter
05:33
and then I'm going to forward that.
05:43
And what you can see has happened is
05:46
I now have the text. Hi, I am the route user.
05:51
But I also have that on mouse over string. That was at the end.
05:59
And so I know that as soon as I have her over that it's going to invoke
06:04
my sea surf function.
06:08
So watch very carefully. I'm going to have her now, and there we go.
06:13
And so we came to this page. Now the pages getting displayed for you, this user poll on purpose so that you can realize that this is how the attack is done. But normally the user would not be notified that
06:31
a job script had just been executed behind the scenes.
06:35
And so
06:38
we can see that we were successful in the sea surf attack.
06:42
Now, another thing to remember is that in sea surf attacks Ah, lot of Times Theater. Acker writes scripts for actions to be done or operations to be done
06:54
on websites that are targeted, and so it's generally gonna be a different website than just within the same application. So we We did this operation in the same application, but normally it's gonna be a different one. And they're hoping
07:13
that you have multiple tabs open
07:15
and that you are authenticated into different websites within the same browser.
07:23
So it is a bit of a shot in the dark, but given enough tries, this attack obviously is successful.

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Instructor Profile Image
Sunny Wear
Instructor