A Cross Site Request Forgeries Toolkit
BSides London - 29th April 2014
What is this talk about?
- (Quick) Recap about CSRF attacks
- Presentation of the tool
- Issues in Web architecture
Slides available here: paulsec.github.io/bsides-london-2014/
Who am I?
- (French) Student, M.Sc. in Computer Science
- Passionate about (Web) Security
- Open source developer
I wanted something:
- Open Source
- That can combine CSRF attacks
There was no toolkit for this...
how does it work?
how is it made?
HTTP Server developed in Node.js
- Can fake either GET or POST requests
- Creates payloads (forms) on-the-fly
- Communication in JSON
- Can create scenarios
- By combining CSRF flaws
2 attack methods possible
Special value (craft specific payload)
Eg. Change user's password
Eg. Try to log the user in
Tampers with requests, injects Web page with malicious iframe
Inspired by Chema Alonso and his talk:
- Python utility
Command-line tool that automates usage
Time for some demos?
- Attempt to log the user in
- Send some malicious payloads
- Log the user out
Completely transparent attack
Demo using automated tool
bad design in web app (1/2)
No token in login form
the rest of the application
can then be targeted
bad design in web app (2/2)
No token to change password
Vulnerable if weak credentials
- Request Token
- Randomly generated token
- Verified on server-side
- One of the most-used mechanisms
- If weak password? ... Not good!
Captcha, Timeout, NoScript (with) ABE
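The request-token mitigation listed above, as an added Node.js example (not from the slides or the CSRFT code base), covering the login and change-password forms the slides flag as missing a token. The names issueToken, verifyToken, handlePost, the csrf_token field and the session ids are assumptions made for illustration.

```javascript
// Added example: session-bound CSRF request tokens (not CSRFT code).
const crypto = require('crypto');

// Assumption: per-deployment secret; a real app loads it from configuration.
const SERVER_SECRET = crypto.randomBytes(32);

// HMAC over "sessionId|nonce" ties a token to exactly one session.
function sign(sessionId, nonce) {
  return crypto.createHmac('sha256', SERVER_SECRET)
    .update(sessionId + '|' + nonce)
    .digest('hex');
}

// Randomly generated token, embedded as a hidden field in every form,
// including the login form (served under an anonymous pre-login session).
function issueToken(sessionId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return nonce + '.' + sign(sessionId, nonce);
}

// Server-side verification: strict format check, then constant-time compare.
function verifyToken(sessionId, token) {
  if (typeof token !== 'string') return false;
  const m = /^([0-9a-f]{32})\.([0-9a-f]{64})$/.exec(token);
  if (!m) return false;
  const expected = Buffer.from(sign(sessionId, m[1]), 'hex');
  const given = Buffer.from(m[2], 'hex');
  return crypto.timingSafeEqual(given, expected);
}

// Gate for state-changing requests such as login and password change.
// `req` is a constructed stand-in for a framework request object.
function handlePost(req) {
  const token = (req.body || {}).csrf_token;
  if (!verifyToken(req.sessionId, token)) {
    return { status: 403, body: 'CSRF token missing or invalid' };
  }
  return { status: 200, body: 'accepted: ' + req.path };
}
```

A token issued for one session fails verification under any other session id, so a token obtained in a different session cannot be replayed into a cross-site form aimed at this one.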
- Created a (vulnerable) VM
- Will be hosted on VulnHub
- Must exploit CSRF flaws to get root access...
Code available here: https://github.com/PaulSec/CSRFT/