1
00:00:00,090 --> 00:00:07,170
Another attack against session management mechanisms is cross-site request forgery, the CSRF attack.

2
00:00:07,410 --> 00:00:14,880
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which

3
00:00:14,880 --> 00:00:16,470
she is currently authenticated.

4
00:00:17,100 --> 00:00:22,020
In this attack, the attacker has no way to see the response to the forged request.

5
00:00:22,530 --> 00:00:31,200
The attack scenario of CSRF is as follows: the user visits his online banking website, which has a CSRF vulnerability.

6
00:00:31,500 --> 00:00:36,000
He realizes that the website has a brand new interface. He can't find

7
00:00:36,000 --> 00:00:42,660
the money transaction function in the new interface, opens a new tab in the browser and searches for

8
00:00:42,660 --> 00:00:46,260
the words "how to use the new interface of my bank".

9
00:00:46,410 --> 00:00:52,350
He finds a website about the new interface of the bank, which is prepared by the attacker, who already

10
00:00:52,350 --> 00:00:55,860
knows about this CSRF vulnerability of the bank website.

11
00:00:56,250 --> 00:01:02,850
The page of the attacker's website contains a request to the bank website, and it's a money

12
00:01:02,850 --> 00:01:06,960
transfer from the user's first account to the attacker's account.

13
00:01:07,680 --> 00:01:13,650
So when the user visits the attacker's website, he sends the money transfer request to the bank without

14
00:01:13,650 --> 00:01:14,400
realizing it.

15
00:01:15,030 --> 00:01:18,030
So there are three things we shouldn't miss in this scenario.

16
00:01:18,600 --> 00:01:19,110
One:

17
00:01:19,740 --> 00:01:22,950
the bank's website is vulnerable to CSRF.

18
00:01:23,960 --> 00:01:31,200
Two: the user visits the attacker's website while he is logged in to the bank website. And three:

19
00:01:31,280 --> 00:01:35,330
the attacker won't see the response of the money transfer request.

20
00:01:35,810 --> 00:01:37,400
Does he really need to see it?

21
00:01:37,790 --> 00:01:41,040
He will see the response in his bank account very quickly.

22
00:01:41,060 --> 00:01:43,060
How is this CSRF vulnerability exploited?

23
00:01:43,070 --> 00:01:44,090
Go to Damn Vulnerable

24
00:01:44,090 --> 00:01:49,800
Web Application in OWASP Broken Web Applications. Log in using the admin/admin credentials. Click the CSRF

25
00:01:49,820 --> 00:01:50,500
link on the menu.

26
00:01:50,510 --> 00:01:55,040
We're on a page to change the password of the admin user, and the current password is

27
00:01:55,040 --> 00:01:55,790
not even asked.

28
00:01:56,000 --> 00:01:57,860
So let's change the password, for example, to

29
00:01:57,860 --> 00:01:58,760
123.

30
00:02:01,020 --> 00:02:02,740
Now log out and log in again.

31
00:02:02,790 --> 00:02:05,730
We see that the password of the admin user is changed.

32
00:02:05,820 --> 00:02:07,530
Now again, go to the CSRF page.

33
00:02:08,540 --> 00:02:10,640
Create an HTML file on the desktop.

34
00:02:12,080 --> 00:02:16,040
This is a malicious website that a hacker tries to make the victim click on.

35
00:02:23,630 --> 00:02:27,080
View the source of the CSRF page of Damn Vulnerable Web Application.

36
00:02:28,990 --> 00:02:35,230
Copy the part which changes the password and paste it in the HTML file you created on the desktop.

37
00:02:35,680 --> 00:02:36,760
In this example,

38
00:02:37,000 --> 00:02:42,100
the victim first needs to click a button to exploit the CSRF vulnerability.

39
00:02:42,190 --> 00:02:43,690
Clear the redundant parts.

40
00:02:44,410 --> 00:02:48,550
It's not necessary, but this is just to purify the demo.

41
00:02:59,570 --> 00:03:01,490
Fill in the request action clearly.

42
00:03:04,320 --> 00:03:10,920
Change the input type to hidden, because we don't want to display any field to the victim. Give the

43
00:03:10,920 --> 00:03:18,750
input value, for example, 1111, in both the new password field and the password confirmation

44
00:03:18,750 --> 00:03:19,140
field.

45
00:03:19,470 --> 00:03:23,220
Save the file. While you're logged in to Damn Vulnerable Web Application,

46
00:03:23,820 --> 00:03:27,720
open a new tab in the browser and open the file you prepared.

47
00:03:27,990 --> 00:03:33,420
You can open the file by dragging and dropping it onto the tab. When you click the button,

48
00:03:34,110 --> 00:03:40,200
you will see the password change page and the message which says the password has been changed.

49
00:03:40,230 --> 00:03:45,540
That means we succeeded in changing the password of Damn Vulnerable Web Application from another website.

50
00:03:46,810 --> 00:03:52,870
Now, if you try to log in to Damn Vulnerable Web Application using 123, you cannot, because

51
00:03:52,870 --> 00:03:56,140
the hacker changed the password to 1111.

52
00:03:56,890 --> 00:04:01,990
So with a little help from scripting, we can eliminate the button phase easily.

53
00:04:01,990 --> 00:04:05,830
So a simple visit by the victim will be enough to change the password.

54
00:04:11,330 --> 00:04:13,850
Give an ID name to the action.

55
00:04:21,970 --> 00:04:27,100
Change the password to understand if the attack succeeds, for example, 1.

56
00:04:28,550 --> 00:04:30,890
Make the Change input type hidden.

57
00:04:31,670 --> 00:04:36,380
Now let's write the script code which triggers the action we wrote.

58
00:04:44,180 --> 00:04:45,020
Save the file.

59
00:04:45,980 --> 00:04:51,590
When you're logged in to Damn Vulnerable Web Application, open a new tab in the browser and open the

60
00:04:51,590 --> 00:04:57,020
file you prepared. Again, you can open the file by dragging and dropping it onto the tab.

61
00:04:57,650 --> 00:05:04,040
In this case, you will see the message "password changed" as soon as you open the page. When you want

62
00:05:04,040 --> 00:05:05,810
to log in to the application again,

63
00:05:05,840 --> 00:05:09,890
you will see that the password is no longer 1111.