CSRFT
A Cross Site Request Forgeries Toolkit
BSides London - 29th April 2014
Paul AMAR
What is this talk about?
- (Quick) Recap about CSRF attacks
- Presentation of the tool
- Demos
- Issues in Web architecture
- Mitigation
- Little surprise
Slides available here: paulsec.github.io/bsides-london-2014/
Who am I?
- (French) Student, M. Sc in Computer Science
- Passionate about (Web) Security
- Open source developer
Twitter: @PaulWebSec
Github: PaulSec
CSRF Recap
Fig. Exploitation of CSRF vulnerability
Why csrft?
I wanted something:
- Lightweight
- Cross-platform
- Open Source
- Can combine CSRF attacks
There was no toolkit for this...
how does it work?
Fig. Usage of CSRFT
how is it made?
- HTTP Server developed in Node.js
- Can fake either GET/POST Requests
- Creates payloads (forms) on-the-fly
- Client/Server side full JavaScript
- Communication in JSON
MORE features
- Can create scenarios
- By combining CSRF flaws
- 2 attack methods possible:
- Special value (craft a specific payload), e.g. change the user's password
- Dictionary attacks, e.g. try to log the user in
Additional tools
- JavaScript Proxy
Tampers with requests, injects Web page with malicious iframe
Inspired by Chema Alonso and his talk:
Owning Bad Guys {And Mafia} With Javascript Botnets @ Defcon 20
- Python utility
Command-line tool that automates usage
Time for some demos?
DEMO (1/2)
Custom Scenario
- Try to log the user in
- Send some malicious payloads
- Log the user out
Completely transparent attack
Demo (2/2)
Demo using automated tool
Automated attack with the Python (command-line) Utility
Send a crafted request to change admin's password
bad design in web app (1/2)
The rest of the application can then be targeted
bad design in web app (2/2)
Vulnerable if weak credentials
Mitigation
- Request Token
- Random generated token
- Verified on server-side
- One of the most-used mechanisms
- Re-Authentication
- If weak password? ... Not good!
- Captcha, Timeout, NoScript (with) ABE
SURPRISE?
- Created a (vulnerable) VM
- Will be hosted on VulnHub
- Must exploit CSRF flaws to get root access...
Good luck!
Questions?
Code available here: https://github.com/PaulSec/CSRFT/