Complete Application Ownage via Multi-POST XSRF

Expo Theatre (Hall G) October 20, 2015


Adrien de Beaupré

This talk will discuss the risk posed by Cross Site Request Forgery (CSRF or XSRF), also known as session riding or transaction injection. Many applications are vulnerable to XSRF; mitigation is difficult, as it often requires re-engineering the entire application; and the threat it poses is often misunderstood. A live demo will show how to identify the vulnerability and how it can be exploited by performing multiple unauthorized transactions in a single POST.