A Cross Site Request Forgeries Toolkit
BSides London - 29th April 2014
What is this talk about?
- (Quick) Recap about CSRF attacks
- Presentation of the tool
- Issues in Web architecture
Slides available here: paulsec.github.io/bsides-london-2014/
Who am I?
- (French) Student, M.Sc. in Computer Science
- Passionate about (Web) Security
- Open source developer
Fig. Exploitation of CSRF vulnerability
I wanted something:
- Open Source
- Can combine CSRF attacks
There was no toolkit for this...
How does it work?
Fig. Usage of CSRFT
How is it made?
HTTP Server developed in Node.js
- Can fake either GET/POST Requests
- Creates payloads (forms) on-the-fly
- Can create scenarios
2 attack methods possible
Special value (craft specific payload)
E.g. Change user's password
E.g. Try to log the user in
- Attempt to log the user in
- Send some malicious payloads
- Log the user out
Completely transparent attack
Demo using automated tool
Automated attack with the Python (command-line) Utility
Send a crafted request to change admin's password
- Request Token
- Randomly generated token
- Verified on the server side
- One of the most-used mechanisms
- If weak password? ... Not good!
Captcha, Timeout, NoScript (with) ABE
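An added example (not part of the original slides or of CSRFT) of the request-token countermeasure listed above: a random token issued per session and verified on the server side before any state-changing request. The in-memory session store, the `csrf_token` field name and the request objects are assumptions made for illustration.

```javascript
// Added example: per-session request token (synchronizer token pattern).
const { randomBytes, timingSafeEqual } = require("node:crypto");

// Hypothetical in-memory session store: sessionId -> CSRF token.
const csrfTokens = new Map();

// Issue a random token, remember it server-side, return it for the form.
function issueToken(sessionId) {
  const token = randomBytes(32).toString("hex"); // 64 hex characters
  csrfTokens.set(sessionId, token);
  return token;
}

// Compare the submitted token with the one stored for this session.
function verifyToken(sessionId, submitted) {
  const expected = csrfTokens.get(sessionId);
  if (typeof expected !== "string" || typeof submitted !== "string") return false;
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(submitted, "utf8");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return a.length === b.length && timingSafeEqual(a, b);
}

// Return the HTTP status a handler would send. Requests with safe methods
// pass without a token, so they must never change state.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
function checkRequest(req) {
  if (SAFE_METHODS.has(req.method)) return 200;
  return verifyToken(req.sessionId, req.body?.csrf_token) ? 200 : 403;
}

// Constructed sample requests (not captured traffic).
function demo() {
  const token = issueToken("session-A");
  const otherToken = issueToken("session-B");
  return {
    legitimate: checkRequest({ method: "POST", sessionId: "session-A", body: { csrf_token: token } }),
    forgedNoToken: checkRequest({ method: "POST", sessionId: "session-A", body: { password: "x" } }),
    wrongSession: checkRequest({ method: "POST", sessionId: "session-A", body: { csrf_token: otherToken } }),
  };
}

console.log(demo());
```

The forged request carries the victim's session but no token, so it is rejected with 403; a token issued to a different session is rejected the same way.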
- Created a (vulnerable) VM
- Will be hosted on VulnHub
- Must exploit CSRF flaws to get root access.