Complete Application Ownage via Multi-POST XSRF

SecTor 2015

Presented by: Adrien de Beaupré
Date: Tuesday October 20, 2015
Time: 13:25 - 14:25
Location: 801B
Track: Tech

This talk discusses the risk posed by Cross-Site Request Forgery (CSRF or XSRF), also known as session riding or transaction injection. Many applications are vulnerable to XSRF, the threat it poses is often misunderstood, and mitigation is difficult because it frequently requires re-engineering the entire application. A live demo will show how to identify the vulnerability and exploit it by performing multiple unauthorized transactions in a single POST.
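The mechanism behind session riding, as an added example that is not from the talk or its demo: a money-transfer endpoint that authorizes on the session cookie alone, which the victim's browser attaches to a POST from any site, next to a hardened version that also requires a per-session synchronizer token and checks Origin/Referer. The application origin (bank.example), endpoint, field names and the forged requests are hypothetical, constructed for illustration; the forged requests model what several hidden, auto-submitted forms on an attacker page would deliver.

```python
"""Added example (not from the talk): a transfer endpoint open to CSRF because it
trusts the session cookie alone, beside a hardened version with a synchronizer
token and an Origin/Referer check. Names and endpoints are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework presents it."""
    method: str
    path: str
    form: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
LEDGER = []     # transfers the server actually executed (constructed state)
SITE_ORIGIN = "https://bank.example"  # hypothetical origin of the application


def new_session(user):
    """Log a user in: issue a session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def vulnerable_transfer(req):
    """Authorizes on the cookie alone. The browser attaches that cookie to a POST
    from any site, so a hidden auto-submitted form on attacker.example rides
    the victim's session."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or req.path != "/transfer" or sess is None:
        return 403
    LEDGER.append((sess["user"], req.form["to"], int(req.form["amount"])))
    return 200


def hardened_transfer(req):
    """Same endpoint with two CSRF checks. The token is the real defence: the
    attacker's page cannot read it out of the victim's bank.example session,
    so a forged form cannot include it. Origin/Referer is defence in depth."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if req.method != "POST" or req.path != "/transfer" or sess is None:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # constant-time compare
        return 403
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # Exact origin or a path under it; a plain prefix test would accept
    # https://bank.example.evil, so the "/" boundary matters.
    if origin and origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403
    LEDGER.append((sess["user"], req.form["to"], int(req.form["amount"])))
    return 200


def forged_requests(victim_sid, count=3):
    """What several hidden forms auto-submitted from attacker.example deliver:
    the victim's cookie (added by the browser), an attacker-chosen body, and
    no CSRF token, because the attacker never learned it."""
    return [Request("POST", "/transfer",
                    {"to": "attacker-account", "amount": "100"},
                    {"sid": victim_sid},
                    {"Origin": "https://attacker.example"})
            for _ in range(count)]


def replay(handler, requests):
    """Run requests through a handler; return (status codes, transfers executed)."""
    before = len(LEDGER)
    codes = [handler(r) for r in requests]
    return codes, len(LEDGER) - before


if __name__ == "__main__":
    victim = new_session("victim")
    print(replay(vulnerable_transfer, forged_requests(victim)))  # ([200, 200, 200], 3)
    print(replay(hardened_transfer, forged_requests(victim)))    # ([403, 403, 403], 0)
```

The point of the comparison is that nothing about the forged requests is malformed: method, path, cookie and body are all what a legitimate submission looks like, which is why adding the check after the fact touches every state-changing form in the application. Today a SameSite cookie attribute adds another layer, but it does not replace the token, since it depends on browser support and on how the cookie is issued.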

Adrien de Beaupré

Adrien de Beaupre is a certified SANS instructor and works as an independent consultant in beautiful Ottawa, Ontario. His work experience includes technical instruction, vulnerability assessment, penetration testing, intrusion detection, incident response, and forensic analysis. He is a member of the SANS Internet Storm Center (isc.sans.edu). Adrien is actively involved with the information security community, and organizes the BSidesOttawa conference. When not geeking out and breaking stuff he can be found with his family, or at the dojo.
