Surf's Up! Exploring Cross Site Request Forgery (CSRF) through Social Network Exploitation

Presented at The Next HOPE (2010), July 17, 2010, 4 p.m. (60 minutes)

Web application security has progressed by leaps and bounds since first being discussed in the early 2000s. XSS, SQLi, Directory Traversals, and other traditional attacks are becoming more widely understood by a greater demographic of developers. Unfortunately, we are just scratching the surface. There still exists a great number of attack vectors that are ignored. Cross Site Request Forgery is a prime example of this. It is a simple technique with powerful implications ranging from denial of service and firewall bypass to full blown site compromise. The theory of CSRF will be presented here in simple to understand terms. An example of a virulent exploit of a real world social networking site (Vampirefreaks.com) using CSRF will also be shown.

Presenters:

• Daniel McCarney
  Daniel McCarney is a bizarre combination of stereotypes, backgrounds, and interests ranging from counter culture to artificial intelligence. Interested in a career of lifelong learning, Daniel considers knowledge a weapon and aims to arm you and himself.

Links:

• https://infocon.org/cons/2600/The Next Hope (2010)/The Next HOPE (2010) - Surf s Up Exploring CSRF through Social Network Exploitation.srt (subtitles)
• https://infocon.org/cons/2600/The Next Hope (2010)/The Next HOPE (2010) - Surf s Up Exploring CSRF through Social Network Exploitation.mp4
• https://www.youtube.com/watch?v=eCrLqwY86XA

Similar Presentations:

• Notacon 10 (2013) / Let's Go CSRF'n Now!
• RVAsec 2019 / Introduction to CSRF
• ToorCon San Diego 18 (2016) / CSRF in the Modern Age: Sidestepping the CORS Standard