Xss & CSRF

Uploaded by 5hm7y4qn8f

Cross-Site Request Forgery (CSRF)

Cross Site Scripting (XSS)

On the next slides we will learn about them.


What is an XSS Attack?
Exploits authenticated users to perform unauthorized actions and requires user interaction via phishing or spoofing.

"Security isn't something you buy, it's something you do, and it takes talented people to do it right."

Over 40% of all web applications are vulnerable to XSS attacks.

XSS is one of the top vulnerabilities listed in OWASP Top 10.


Millions of users affected annually due to data theft, session
hijacking, and more.
Introduction to Cross-site scripting (XSS)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by others.

It takes about 52 days to fix an XSS hole.
10-25 XSS holes are found in commercial products every month.
During an attack "everything looks fine" to the end user, but in actuality they are subject to an endless amount of threats.
Attacker intentions
Why are hackers doing this, and what are the penalties?

▪ Hijacking accounts
▪ Changing of user settings
▪ False advertising
▪ Recovery
▪ Stealing other users' cookies
▪ Redirecting to other websites


Methodology
Let us look into how this works with a simple example of a search feature on a website.
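The search-feature scenario the slide refers to, written out as an added example (not code from the original deck): the page echoes the query once unencoded and once HTML-encoded, and a small self-check shows the difference. The page layout, function names and probe strings are assumed.

```python
import html

def render_search_vulnerable(query: str) -> str:
    """Echo the search term into the page verbatim.

    This is the reflected XSS sink: whatever arrives in the request is
    written into the HTML body and into an attribute without encoding."""
    return (f"<h2>Results for: {query}</h2>\n"
            f'<input name="q" value="{query}">')

def render_search_hardened(query: str) -> str:
    """Encode the term for the HTML body and, with quote=True, for the
    attribute value, so user input is displayed as text, never parsed."""
    safe = html.escape(query, quote=True)
    return (f"<h2>Results for: {safe}</h2>\n"
            f'<input name="q" value="{safe}">')

def reflected_unescaped(page: str, probe: str) -> bool:
    """Self-check for a test suite: report whether an untrusted probe string
    survives in the rendered page exactly as submitted (i.e. unencoded)."""
    return probe in page

# Constructed probes (no real payload): a harmless tag, and a quote that
# would close the value="..." attribute if it were left unencoded.
TAG_PROBE = '<b id="probe">x</b>'
QUOTE_PROBE = 'x" data-probe="y'
```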
Types of XSS attacks
Types of XSS: Stored XSS, Reflected XSS, DOM-based XSS

Stored XSS
The most damaging type of XSS is Stored XSS (Persistent XSS). An attacker uses Stored XSS to inject malicious content (referred to as the payload).

Reflected XSS
The second and the most common type of XSS is Reflected XSS - the attacker's payload has to be a part of the request that is sent to the web server.

DOM-based XSS
DOM-based XSS is an advanced XSS attack. It is possible if the web application's client-side scripts write data provided by the user to the Document Object Model (DOM).
Steps for XSS Attack (Stored XSS) Non-Persistent
1. The user comes in contact with a malicious link, form, or a malicious redirection.
2. The Web application of the Bank is requested and prepares the page.
3. The XSS code is inserted into the page through an XSS vulnerability of the banking application.
4. The infected page with the XSS code is sent to the user.
5. The XSS code arrives at the user in the context of the page, thus bypassing the "Same Origin" security setting of the Web browser.
6. The XSS code sends stolen data to the server of the attacker.
Steps for XSS Attack (Reflected XSS) Persistent
1. The Web application of the Bank is called with the XSS code.
2. The malicious code enters an XSS vulnerability in the application and is stored there.
3. A user calls the Web application of the Bank. The malicious code is loaded from storage into the website.
4. The infected Web page is sent to the user.
5. The XSS code arrives at the user in the context of the page, thus bypassing the "Same Origin" security setting of the Web browser.
6. The XSS code sends stolen data to the server of the attacker.
Steps for XSS Attack (DOM-based XSS) Dom-Based
1. The Web application of the Bank is requested and prepares the page.
2. The XSS code is inserted in the cookie. The cookie with the malicious code is sent to the user and stored on their machine.
3. The user calls the Web application of the Bank.
4. The malicious code is loaded from the cookie into the Web page.
5. The infected Web page is sent to the user.
6. The XSS code sends stolen data to the server of the attacker.
Existing Methods To solve XSS problems

▪ Track untrusted data at the character level.
▪ Static Analysis
▪ Preventing XSS Using Untrusted Scripts.
▪ Software Testing Techniques (black-box testing)
How To Protect Against XSS problems

▪ Never trust input & always filter meta-characters.
▪ View material only from official websites
  ▪ It will eliminate almost 90% of problems.
▪ Be cautious when reading emails, discussion boards, posts, etc.
▪ Turn off JavaScript in browser settings.
▪ In IE, turn security settings on high.
▪ Custom tag libraries.


Conclusion
XSS is defined as the number one and most prevalent website vulnerability on the internet.

No one is ever completely safe from XSS.
▪ Nobody can be expected to write flawless code or have round-the-clock personnel to answer all possible vulnerability issues.

As XSS vulnerabilities continue to grow, the best way to protect yourself from them is to be careful and be aware of their existence.
Thank You!

Beware of XSS Mosquito!


Introduction
Cross site request forgery (CSRF)
Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site. These attacks have been called the "sleeping giant" of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities. CSRF attacks do not appear in the Web Security Threat Classification and are rarely discussed in academic or technical literature. CSRF attacks are simple to diagnose, simple to exploit and simple to fix. They exist because web developers are uneducated about the cause and seriousness of CSRF attacks. Web developers also may be under the mistaken impression that defenses against the better-known Cross-Site Scripting (XSS)
Cross site request forgery (CSRF)
What is CSRF?
Cross site request forgery (CSRF) is a vulnerability where an
attacker performs actions while impersonating another user.
For example, transferring funds to an attacker’s account,
changing a victim’s email address, or they could even just
redirect a pizza to an attacker’s address!
Some form of social engineering, like phishing or spoofing, is
usually required for this kind of attack to be successful. The
attacker typically needs to trick the user into visiting a
malicious website for the attack to take place. This malicious
website would then contain a request to the targeted website.
If the user is authenticated by the targeted website, the
request is executed. This attack works because the user's
cookies are automatically included in the modified request to
a legitimate application. CSRF vulnerabilities occur when
vulnerable web apps simply trust the cookies sent by web
browsers without further validation.
Cross site request forgery (CSRF)
Authentication and CSRF:
CSRF attacks often exploit the authentication mechanisms of targeted
sites. The root of the problem is that Web authentication normally
assures a site that a request came from a certain user’s browser; but it
does not ensure that the user actually requested or authorized the
request.
In general, whenever authentication happens implicitly—because of
which site a request is being sent to and which browser it is coming
from—there is a danger of CSRF attacks. In principle, this danger could
be eliminated by requiring the user to take an explicit, unspoofable
action (such as re-entering a username and password) for each request
sent to a site, but in practice this would cause major usability problems.
The most standard and widely used authentication mechanisms fail to
prevent CSRF attacks, so a practical solution must be sought elsewhere.
Cross site request forgery (CSRF)
CSRF Attack Vectors:

For an attack to be successful, the user must be logged in to the target site and must visit the attacker's site or a site over which the attacker has partial control. If a server contains CSRF vulnerabilities and also accepts GET requests, CSRF attacks are possible without the use of JavaScript (for example, a simple <img> tag can be used). If the server only accepts POST requests, JavaScript is required to automatically send a POST request from the attacker's site to the target site.
Cross site request forgery (CSRF)
CSRF vs. XSS:
CSRF and XSS attacks differ in that XSS attacks require
JavaScript, while CSRF attacks do not. XSS attacks require
that sites accept malicious code, while with CSRF attacks
malicious code is located on third-party sites. Filtering user
input will prevent malicious code from running on a
particular site, but it will not prevent malicious code from
running on third-party sites. Since malicious code can run
on third-party sites, protection from XSS attacks does not
protect a site from CSRF attacks. If a site is vulnerable to
XSS attacks, then it is vulnerable to CSRF attacks. If a site is
completely protected from XSS attacks, it is most likely still
vulnerable to CSRF attacks.
Mitigation Techniques for CSRF Attacks:
General Strategies for Mitigation:
1. Anti-CSRF Tokens: Always include unique, session-bound tokens in requests.
2. SameSite Cookies: Restrict cookies from being sent with cross-origin requests.
3. Origin and Referer Header Validation: Verify that requests originate from trusted sources.
4. User Confirmation: Add re-authentication or CAPTCHA for sensitive actions.
5. Security Patches: Regular updates and audits to address potential flaws.
Mitigation Techniques for CSRF Attacks:

Anti-CSRF Tokens:
Description:
Include a unique, unpredictable token in requests sent to the server.

How It Works:
▪ The server generates a token and includes it in a form or HTTP request.
▪ When the request is submitted, the token is sent back to the server for verification.
▪ If the token is missing or invalid, the request is rejected.
Implementation:
Many modern frameworks (e.g., Django, Spring Security) provide
built-in CSRF token mechanisms.
Mitigation Techniques for CSRF Attacks:
SameSite Cookies:
Description:
Use the SameSite attribute for cookies to restrict cross-origin requests.

How It Works:
SameSite cookies are a security feature that controls whether a cookie is sent with cross-origin requests. By setting the SameSite attribute on cookies, web applications can protect themselves from attacks like CSRF.
SameSite=Lax: Cookies are sent with cross-site requests only for top-level navigations that use a safe method such as GET.
SameSite=Strict: Cookies are never sent for cross-origin requests.

Why It's Useful
1. Stops attackers from using your cookies in fake requests sent from other sites.
2. Ensures cookies are sent only when intended, reducing security risks.
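An added example (not code from the slides) that puts the anti-CSRF token procedure (generate, send back, reject if missing or invalid) together with the SameSite cookie attribute and the Origin/Referer validation from the strategy list, as one server-side check in Python. The bank origin, cookie name, header names and in-memory token store are assumptions made for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

TRUSTED_ORIGIN = "https://bank.example"   # assumed origin of the banking app
_session_tokens: Dict[str, str] = {}      # session id -> CSRF token (server side)

def issue_csrf_token(session_id: str) -> str:
    """Step 1: generate an unpredictable token, bind it to the session and
    remember it; the server embeds it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie. SameSite=Lax keeps it off
    cross-site POSTs; Secure and HttpOnly limit exposure further."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

def origin_is_trusted(headers: Dict[str, str]) -> bool:
    """Origin/Referer validation: prefer Origin, fall back to Referer, and
    reject when neither names our own origin (a missing or 'null' Origin
    from a cross-site form therefore fails)."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == TRUSTED_ORIGIN
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN + "/")

def csrf_check(session_id: str, submitted: Optional[str],
               headers: Dict[str, str]) -> Tuple[bool, str]:
    """Steps 2-3: on a state-changing request, verify the token that came
    back and reject when it is missing or invalid. Returns (accepted, reason)."""
    if not origin_is_trusted(headers):
        return False, "origin mismatch"
    expected = _session_tokens.get(session_id)
    if expected is None or submitted is None:
        return False, "missing token"
    if not hmac.compare_digest(expected, submitted):   # constant-time compare
        return False, "invalid token"
    return True, "ok"
```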
Mitigation Techniques for CSRF Attacks:
User Authentication for Critical Actions:
Description:
Require users to authenticate again for sensitive operations, such as changing passwords or transferring money.

How It Works:
Prompt users to re-enter their credentials or provide an OTP before executing critical actions.
Conclusion: Protecting Against CSRF Attacks
• CSRF attacks exploit the trust between users and web applications, making them a serious threat to data integrity and user privacy. By implementing robust security measures, such as anti-CSRF tokens, SameSite cookies, and secure headers, developers can effectively safeguard their applications.
• Key takeaways:
1. Always validate user actions with unique tokens.
2. Use modern cookie attributes like SameSite to limit cross-origin risks.
3. Educate users about safe online practices.
• Security is an ongoing process. Regular audits, updates, and awareness are essential to staying ahead of potential threats. Protecting against CSRF not only secures your application but also builds trust with your users.
CLOSING SLIDE

CYBER ATTACK
Thank You For Listening
Done By : Seif & Rakan
