From Security Weekly Wiki
2,071 bytes added, 22:16, 7 October 2010
<center>[[File:NiktoNessus.png]]</center>
 
= Tech Segment 2!!: XSRF Scanning with Pinata! =
 
One of the harder issues to test for is Cross Site Request Forgery.  The reason it is so hard to test for is that it is not a simple stimulus-and-response game.  For example, if I put a ' into a field and get a 500 error, I know there may be some level of SQLi at play.  The same holds true for Cross Site Scripting: if I send in <IMG SRC="javascript:alert('XSS');"> and it is reflected back to my browser, I am pretty sure there is XSS. 
 
But how can you easily detect CSRF?  The simple answer is you can't.  But that is a good thing.  In fact, it is wonderful.  Here is why this is so good for all of us: it won't be automated in the near future.  Why?  Well, it requires the tester to have some level of understanding of how the application works.  You need to see how an application does things like adding a user, transferring funds, or opening ports in a firewall.  What are the requests that create these conditions and, with many applications, where are the indications that the request was successful?  Sometimes it is easy.  Sometimes the page will respond immediately.  Other times...  Well, other times you may need to navigate to a completely different part of the application to see if the request was successful.  The beautiful thing is that this is exactly what you should be doing for logic testing as well.
 
Since many automated tools cannot do this well, how can we approach testing CSRF?  First, find those sections of an application that deal with transactions.  Next, make those requests through a proxy where they can be intercepted.  Finally, create a page that, when visited, triggers the same request.  Pinata is an excellent tool to help with this process.  Well, at least with the last step.  With Pinata you copy the request that was made into a file, then Pinata converts it into a .html file that you can load to see if the attack launches. 
 
For the business logic, you still need to find that on your own.
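As an added example (not from the segment and not part of Pinata), here is a small Python review of a request copied out of the proxy in the second step above. It applies the checks a tester would otherwise do by eye before building a page at all: is the method state-changing, is there an anti-CSRF token parameter, is the body something a plain HTML form can send, and is the request authenticated by nothing more than a cookie. The two sample requests and the /admin/adduser application are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests for a hypothetical admin app (not a real target).
# UNPROTECTED: cookie session, plain form body, no anti-CSRF token.
UNPROTECTED = (
    "POST /admin/adduser HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=bob&role=admin"
)
# PROTECTED: same action, but the form also carries a csrf_token parameter.
PROTECTED = UNPROTECTED.replace("role=admin", "role=admin&csrf_token=d3adb33f")

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Content types a plain HTML <form> can submit without a CORS preflight.
SIMPLE_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
TOKEN_HINT = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)

def parse_request(raw):
    """Split a raw HTTP/1.1 request (as copied from a proxy) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def csrf_review(raw):
    """Flag a captured request that a cross-site page could replay unchanged."""
    method, path, headers, body = parse_request(raw)
    if method not in STATE_CHANGING:
        return {"path": path, "forgeable": False, "notes": ["method does not change state"]}
    params = parse_qs(body, keep_blank_values=True)
    has_token = any(TOKEN_HINT.search(name) for name in params)
    custom_header = any(TOKEN_HINT.search(h) or h == "x-requested-with" for h in headers)
    cookie_auth = "cookie" in headers and "authorization" not in headers
    form_type = headers.get("content-type", "").split(";")[0].strip() in SIMPLE_TYPES
    checks = [
        (not has_token, "no anti-CSRF token parameter in body"),
        (not custom_header, "no custom header, so a form post needs no CORS preflight"),
        (cookie_auth, "authenticated only by cookie, which the browser attaches automatically"),
        (form_type, "body is form-encodable, so an HTML form can reproduce it"),
    ]
    notes = [text for hit, text in checks if hit]
    forgeable = cookie_auth and form_type and not has_token and not custom_header
    return {"path": path, "forgeable": forgeable, "notes": notes}
```

A token parameter being present only shows the application sends one; whether the server actually validates it, and whether the transaction went through, is still the manual part described above.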
 
{{#ev:youtube|EmmNn1FRYm4}}
 
-strandjs (Fr. John)
 
= Guest Interview: Brian Honan =