Friday, March 15, 2013

Login CSRF Prevention - White Paper

Here is our very first white paper - "Login CSRF Prevention – A Proposal"

Here is the abstract -


Cross-site request forgery stands at 8th position in the OWASP Top 10 list of 2013. CSRF exploits the trust relationship between an authenticated user and the website that provided the authentication. This paper aims at providing a basic introduction to CSRF and to its special type, login CSRF, along with the preventive measures that are commonly being used. This paper will also introduce a new proposal for a login CSRF defense mechanism, a mechanism which aims at addressing the shortcomings of the currently used approaches. This proposal can also be used to prevent standard CSRF attacks, though there are certain trade-offs.


Please download the complete white paper from here - http://hackvidhi.com/WhitePapers.php.


Please do share your feedback and comments, we will be happy to hear from you!


-Archana

Thursday, March 14, 2013

HACKViDHi Course in Web Programming and Ethical Hacking


Hello friends,

After a break from blogging, we are back to share some good news with all of you. This week, the HACKViDHi Course in Web Programming and Ethical Hacking has received more than 150 enrollments. We are looking forward to many more curious guys and gals benefiting from this free course. Keep spreading the word.
http://www.hackvidhi.com/courses.php

See you all in summer!!

- Richa

CSRF - Using Secret Tokens is NOT enough!!

I recently came across a popular e-Commerce site; they are using Secret Tokens to avoid the possibility of CSRF, yet they are still vulnerable to CSRF!! Oddly enough, they are not doing it right.

Sending a random token is not enough; it is also necessary to keep track of which token has been sent with which request, i.e. which token the server expects to come back with a particular request.


This is, approximately, the approach they are using to protect their site -



  • they have a collection of valid CSRF tokens.
  • with each request they send one of the CSRF tokens from the repository.
  • when the request is submitted they check whether the returned token belongs to their collection of tokens; if yes, then they just allow the request!!

It's very easy to circumvent this approach: just get hold of any one of their valid tokens and replay it with any forged request; the CSRF request will go through, because the check never asks whether that token was issued to the session making the request.
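To make the flaw concrete, here is an added example (not code from the site in question or from this blog) that models the pool-membership check described above next to a session-bound check. The session ids, the in-memory token stores and the function names are all constructed for the illustration.

```python
import hmac
import secrets

# Weak scheme as the post describes it: one shared pool of valid tokens.
# Any token from the pool is handed out, and on submit the server only checks
# pool membership, so the token is never tied to the submitting session.
TOKEN_POOL = {secrets.token_hex(16) for _ in range(5)}

def issue_token_weak(session_id: str) -> str:
    return secrets.choice(sorted(TOKEN_POOL))  # session_id ignored on purpose

def validate_weak(session_id: str, token: str) -> bool:
    return token in TOKEN_POOL  # session_id never consulted: the flaw

# Hardened scheme: the expected token is stored server side, keyed by the
# session it was issued to, and compared in constant time. A token obtained
# through one session proves nothing in any other.
SESSION_TOKENS = {}  # session_id -> expected token (hypothetical in-memory store)

def issue_token_strong(session_id: str) -> str:
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token

def validate_strong(session_id: str, token: str) -> bool:
    expected = SESSION_TOKENS.get(session_id)
    return expected is not None and hmac.compare_digest(expected, token)

def demo() -> dict:
    """Replays a token issued to one session inside a request for another."""
    victim, other = "sess-victim", "sess-other"  # constructed session ids
    foreign_weak = issue_token_weak(other)
    own_strong = issue_token_strong(victim)
    foreign_strong = issue_token_strong(other)
    return {
        # pool membership passes even though the token was issued elsewhere
        "weak_accepts_foreign": validate_weak(victim, foreign_weak),
        # the session-bound check rejects the same replay
        "strong_rejects_foreign": not validate_strong(victim, foreign_strong),
        # ...while still accepting the token the victim's own session received
        "strong_accepts_own": validate_strong(victim, own_strong),
    }

if __name__ == "__main__":
    print(demo())
```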

Amazed by their approach, I did some analysis of CSRF token trends for 50 Indian websites, which include -
  • top 20 eCommerce websites 
  • top 10 travel domain websites 
  • top 10 Matrimonial websites
  • top 10 Job portal websites
The results yielded some interesting statistics. I will be sharing those stats in my upcoming blog post.

Stay tuned!

-Archana