CSRF Bouncing†

Presented at DEF CON 16 (2008), Aug. 9, 2008, 4 p.m. (50 minutes).

In this talk I will be discussing Exploit Chaining in Web Applications and CSRF. I will discuss the surface area problem in security and how to gain access to a l attack surface using CSRF. I will detail the process I used to find and exploit a vulnerability in a real world application. I will discuss how to have fun in a sandbox and defeating CSRF protection. I will also talk about the defenses against these attacks. I will be releasing an 0-day exploit and provide a machine for the audience to break into.


Presenters:

  • Michael Brooks - Security Engineer, Fruition Security
    Michael Brooks is a security researcher engaged in exploit development. Michael is interested in real world attacks as well as new methods of exploitation. He enjoy finding flaws in applications and writing exploit code. http://milw0rm.com/author/677 CVE's from Michael: CVE-2008-2019,CVE-2008-2020,CVE-2008-2043,CVE-2007-6471,CVE-2007-6459,CVE-2007-6458,CVE-2007-0134,CVE-2007-0132, CVE-2007-0130,CVE-2006-6781,CVE-2006-3208,CVE-2006-3207,CVE-2006-3206,CVE-2006-3205,CVE-2006-3204,CVE-2006-3203. Michael is a computer science student at Northern Arizona University. Michael has successfully worked in penetration testing as well as software quality control. Currently he works for http://fruitionsecurity.com/ as a security engineer and recently started the website: http://www.rooksecurity.com/

Links:

Similar Presentations: