Web security: 

CSRF attacks

Human Talks 
Grenoble 10/06/2014

Fabio Lombardi

About me

  • 2013 - ongoing:

   Research & Development Engineer @ Bonitasoft

  • Past:

  1 year and an half as Web Intrusion Tester Consultant
   Promo Ensimag and Polytechnic of Turin 2012 
   Master in IT Security and dev

Web security: owasp top 10

Open Web Application Security Project:  https://www.owasp.org/index.php/Top_10_2013-Top_10


Cross Site Request Forgery

attacker page

  • It could be a popular web site clone ( phishing tools ) + hidden iframe or img:

<iframe src=./attack_payload.html width=0 height=0> </iframe>

  • attack_payload.html:

  • action="http://my-site.com/..." works using the session cookie obtained from my-site.com page. 

Why It works?

It's a browser feature which is also used in  good ways:
e.g. Facebook like or Google + buttons in third parties websites.

The session is kept alive for multiple tabs


  • Malicious money transfers
  • User creation
  • Privilege escalation
  • Compromise end-user data
  • If the victim is an admin => the entire web application can be compromised

  • Examples (today fixed): ING direct, youtube, new york times


The attacker cannot:
  • read the session cookie
  • read the HTTP response

Based on this, the solution is to generate and exchange an X-API-Token ( unique and random ) shared between server and client


server example

client example

thank you


CSRF Attacks

By Fabio Lombardi

CSRF Attacks

  • 698
Loading comments...