Tech

Complete Application Ownage via Multi-POST XSRF


Expo Theatre (Hall G), October 20, 2015

Adrien de Beaupré

This talk will discuss the risk posed by Cross Site Request Forgery (CSRF or XSRF), also known as session riding or transaction injection. Many applications are vulnerable to XSRF; mitigation is difficult because it often requires re-engineering the entire application, and the threat these vulnerabilities pose is often misunderstood. A live demo will show how the vulnerability is identified and how it is exploited by performing multiple unauthorized transactions in a single POST.