Thursday, October 17, 2013

CSRF Proof of Concept with OWASP ZAP

1. Introduction

This article introduces CSRF (cross-site request forgery) vulnerability and demonstrates how to prepare a CSRF proof of concept with OWASP ZAP.

2. Cross-site request forgery

The vulnerability allows an attacker to forge a request on behalf of a logged-in user: the user's browser sends a request the attacker chose, so the application performs an action the user never intended. Here's an example:

I. Social engineering is used to lure the user to the attacker's website while the user is logged in to bank X.
II. Let's assume that bank X's money transfer form is vulnerable to CSRF (no CSRF token, no authorization password). The attacker prepares an exploit that transfers the user's money to his account and places it on his website.
III. When the user visits the attacker's site, the exploit is launched.
IV. The user's browser sends the money transfer request to bank X. From the perspective of bank X, everything is fine: the request carries a valid authentication cookie.
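The scenario above hinges on bank X checking only the authentication cookie. The following added example (not code from the original post) models the transfer form in step II as two handlers: the vulnerable one, which accepts any request that carries a valid session cookie, and a hardened one that also requires a synchronizer token bound to the session. The in-memory session store, the request dictionaries and the account balances are constructed for this example; a forged cross-site request is modelled as one that carries the cookie but not the token, since the attacker's page cannot read the token from bank X's form.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption for the example): session id -> session data.
SESSIONS = {}


def create_session(user, balance=1000):
    """Log a user in: issue a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "balance": balance, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _lookup_session(request):
    # The browser attaches the session cookie to every request to bank X,
    # including requests triggered from the attacker's page.
    return SESSIONS.get(request["cookies"].get("session"))


def transfer_vulnerable(request):
    """Step II of the article: only the authentication cookie is checked."""
    session = _lookup_session(request)
    if session is None:
        return 401, "not logged in"
    amount = int(request["form"]["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {request['form']['to']}"


def transfer_protected(request):
    """Same handler with a synchronizer token: the submitted form field must
    match the token bound to the session. A cross-site page cannot read it."""
    session = _lookup_session(request)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison on bytes so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    amount = int(request["form"]["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {request['form']['to']}"


def forged_request(sid, to="attacker", amount="500"):
    """Constructed request as sent from the attacker's page: cookie present, token absent."""
    return {"cookies": {"session": sid}, "form": {"to": to, "amount": amount}}


def legitimate_request(sid, to="bob", amount="100"):
    """Constructed request from bank X's own form, which embeds the session's token."""
    return {"cookies": {"session": sid},
            "form": {"to": to, "amount": amount, "csrf_token": SESSIONS[sid]["csrf_token"]}}
```

Running `transfer_vulnerable(forged_request(sid))` moves money, while `transfer_protected` rejects the same request with 403 and still accepts `legitimate_request(sid)`; this is the check OWASP ZAP is looking for when it flags a form with no anti-CSRF token.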
