H4ck a b4nk - Bartosz Zaczynski (Lunch&Learn 02.09.2016)

Post on 15-Apr-2017



/GrandParadePoland www.grandparade.co.uk

H4ck 4 B4nk

CSRF - Cross-Site Request Forgery Attack Simulation

Bartosz Zaczynski, Senior Software Developer at Grand Parade

CSRF - Cross-Site Request Forgery


Most Common Types of Attacks

● SQL injection
● XSS (Cross-Site Scripting)
● CSRF (Cross-Site Request Forgery)


Feature: Facebook “Like” Button

1. User has logged in to his Facebook account.

2. User is surfing the net with Facebook kept open in a separate tab (or even closed, as long as he checked the “keep me logged in” option).

3. User clicks the “Like” button embedded on a blog page he was reading. The browser will happily attach the authentication cookie stored for the facebook.com domain, even though the request originates from a different domain!


Bug: insecure form

1. User logs in to his bank account to check his balance.

2. User opens another tab and navigates to a malicious web site which looks innocent at first glance.

3. The page knows the format of the request the bank expects and issues it in the background. The browser attaches the authentication cookie to that request in exactly the same way as with the Facebook “Like” button.


CSRF Token

● enforces that a request comes from the original web page provided by the server

● cannot be predictable

● must be unique per user session

● applies to requests with side effects, e.g. POST

● the server doesn't usually store the token, but uses a secret to validate it

● E.g. token := encrypt(session_id, salt)
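As an added example (not code from the slides), a toy Python simulation of both the insecure bank form from the earlier slide and the token check described here: the token is derived from the session id with an HMAC keyed by a server secret (a keyed hash rather than the slide's encrypt(session_id, salt)), so the server stores nothing and simply recomputes it. All names here (BankServer, SERVER_SECRET, cross_site_post) are invented for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to derive tokens (constructed here; normally read from config).
SERVER_SECRET = secrets.token_bytes(32)

def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token = HMAC-SHA256(secret, session_id): unpredictable without the secret,
    unique per session, and recomputable, so the server stores nothing."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def validate_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison against the recomputed token."""
    return hmac.compare_digest(make_csrf_token(session_id, secret), token)

class BankServer:
    """Toy bank: session cookie -> user, plus a state-changing 'transfer' endpoint."""
    def __init__(self, require_token: bool):
        self.require_token = require_token
        self.balances = {"alice": 100}
        self.sessions = {}  # cookie value -> username

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def transfer_form(self, cookie: str) -> dict:
        # The bank's own page embeds the token as a hidden form field.
        return {"csrf_token": make_csrf_token(cookie)}

    def transfer(self, cookie: str, to: str, amount: int, csrf_token: str = "") -> str:
        user = self.sessions.get(cookie)
        if user is None:
            return "401 not logged in"
        if self.require_token and not validate_csrf_token(cookie, csrf_token):
            return "403 csrf check failed"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return "200 ok"

def cross_site_post(require_token: bool):
    """A page on another origin cannot read the bank's form, so it has no token;
    the browser still attaches the session cookie to the background POST."""
    bank = BankServer(require_token)
    cookie = bank.login("alice")
    return bank.transfer(cookie, "other", 50), bank.balances["alice"]
```

With `require_token=False` the background request moves the money; with the token check enabled the same request is rejected while the bank's own form, which carries the hidden token, still succeeds.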

