H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

Transcript of H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

Page 1: H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

/GrandParadePoland www.grandparade.co.uk

H4ck 4 B4nk

CSRF - Cross-site request forgery Attack Simulation

Bartosz Zaczynski, Senior Software Developer at Grand Parade

Page 2: H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

CSRF - Cross-Site Request Forgery

Page 3: H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

Most Common Types of Attacks

● SQL injection
● XSS (Cross-Site Scripting)
● CSRF (Cross-Site Request Forgery)

Page 4: H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

Feature: Facebook “Like” Button

1. User has logged in to his Facebook account.

2. User is surfing the net with Facebook kept open in a separate tab (or even closed, as long as he ticked the "keep me logged in" option, which makes the session cookie persistent).

3. User clicks the "Like" button embedded on a blog page he is reading. The browser happily attaches the authentication cookie it stored for the facebook.com domain, even though the request is triggered from a page on a different domain! Cookies are scoped to the domain of the request target, not to the page that issues the request.

Page 5: H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

Bug: insecure form

1. User logs in to his bank account to check his balance.

2. User opens another tab and navigates to a malicious web site which looks innocent at first glance.

3. The page knows the format of the request the bank expects (URL and field names) and issues it in the background, e.g. from a hidden, auto-submitted form. The browser attaches the bank's authentication cookie exactly as it did for the Facebook "Like" button, so the bank cannot tell the forged request from one the user really made.

Page 6: H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

CSRF Token

● proves that the request was built from a page the server itself served: the attacker's page can trigger a request to the bank, but the same-origin policy stops it from reading the bank's pages, so it never learns the token
● cannot be predictable
● must be unique per user session
● applies to requests with side effects, e.g. POST (a state-changing GET cannot be protected this way and should not exist)
● the server doesn't usually store the token, but uses a secret to validate it by recomputing it on every request
● e.g. token := encrypt(session_id, salt) in the slide's notation; in practice a keyed hash such as HMAC(secret_key, session_id) is used, since the server only needs to recompute the value and compare it, in constant time, with the one submitted
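As an added example, not code from the talk: a stand-alone Python simulation of the insecure transfer form from the previous slide and of the stateless, secret-validated token described on this one. The hosts bank.example and evil.example, the field names, the balances, the users and the secret key are all constructed for the demo; the Browser class models only the one cookie rule the attack depends on, and the token is an HMAC rather than the slide's encrypt(session_id, salt).

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; a real deployment loads it from config.
SECRET_KEY = b"demo-secret-key-not-for-production"


def csrf_token(session_id: str) -> str:
    """Stateless token: keyed hash of the session id under the server secret.
    Nothing is stored server-side; validation just recomputes the value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token) -> bool:
    """Constant-time comparison, so timing does not leak the expected token."""
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(csrf_token(session_id).encode(), token.encode())


class Bank:
    """Toy bank at bank.example: session table, balances, one transfer endpoint."""

    def __init__(self, check_csrf: bool):
        self.check_csrf = check_csrf
        self.sessions = {}                          # session id -> account holder
        self.balances = {"alice": 1000, "mallory": 0}

    def login(self, user: str) -> dict:
        """Returns the cookie the browser will store for bank.example."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return {"session": sid}

    def transfer_form(self, cookies: dict) -> dict:
        """The transfer page the bank serves, with the per-session token embedded.
        Only a page from bank.example can read this response (same-origin policy),
        so evil.example can trigger a transfer request but never see the token."""
        return {"to": "", "amount": "", "csrf_token": csrf_token(cookies["session"])}

    def post_transfer(self, cookies: dict, form: dict) -> int:
        """POST /transfer; returns an HTTP-style status code."""
        user = self.sessions.get(cookies.get("session"))
        if user is None:
            return 401
        if self.check_csrf and not token_valid(cookies["session"], form.get("csrf_token")):
            return 403
        amount = int(form["amount"])
        if amount <= 0 or self.balances[user] < amount:
            return 400
        self.balances[user] -= amount
        self.balances[form["to"]] = self.balances.get(form["to"], 0) + amount
        return 200


class Browser:
    """Cookie jar keyed by the host a cookie was set for. The one rule the attack
    needs: a cookie is attached to every request sent to its host, whatever page
    issued the request (classic pre-SameSite behaviour)."""

    def __init__(self):
        self.jar = {}                               # host -> {cookie name: value}

    def login(self, bank: Bank, host: str, user: str) -> None:
        self.jar.setdefault(host, {}).update(bank.login(user))

    def submit(self, bank: Bank, host: str, form: dict, from_origin: str) -> int:
        """Submit a form to `host`; `from_origin` deliberately plays no part in
        deciding which cookies are attached."""
        return bank.post_transfer(self.jar.get(host, {}), form)


def forged_transfer(check_csrf: bool):
    """Alice logs in to bank.example, then a page on evil.example auto-submits a
    transfer in the background. Returns (status, Alice's balance afterwards)."""
    bank, browser = Bank(check_csrf), Browser()
    browser.login(bank, "bank.example", "alice")
    # The attacker knows the field names but has no way to read Alice's token.
    forged = {"to": "mallory", "amount": "500"}
    status = browser.submit(bank, "bank.example", forged, from_origin="evil.example")
    return status, bank.balances["alice"]


def legitimate_transfer(check_csrf: bool = True):
    """Alice submits the form the bank served her, token included."""
    bank, browser = Bank(check_csrf), Browser()
    browser.login(bank, "bank.example", "alice")
    form = bank.transfer_form(browser.jar["bank.example"])
    form.update({"to": "bob", "amount": "100"})
    status = browser.submit(bank, "bank.example", form, from_origin="bank.example")
    return status, bank.balances["alice"]


if __name__ == "__main__":
    print("no token check, forged request:", forged_transfer(check_csrf=False))  # (200, 500)
    print("token check, forged request:   ", forged_transfer(check_csrf=True))   # (403, 1000)
    print("token check, real request:     ", legitimate_transfer())              # (200, 900)
```

Run the file directly to see the three outcomes: the bank without the check accepts the forged POST and moves 500 to mallory, while the bank with the check rejects it with 403 and still accepts Alice's own form. The Browser deliberately ignores the originating page, which is what cookies did in every browser when this talk was given; today's SameSite cookie defaults narrow the attack, but the token remains the server-side control.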
