1
00:00:10,440 --> 00:00:15,130
In the last lecture, we had a brief introduction to cross-site request forgery.

2
00:00:15,510 --> 00:00:18,590
We saw what it is and how it works.

3
00:00:18,960 --> 00:00:25,040
And in this practical, I will show you a brief overview of cross-site request forgery, practically.

4
00:00:25,440 --> 00:00:30,930
Now, make sure that there is only one practical of CSRF, because the higher-level practicals require

5
00:00:30,930 --> 00:00:34,050
a lot of coding and mixing of two to three concepts.

6
00:00:34,350 --> 00:00:39,980
At this point of view, you just need to understand what CSRF is and how it works.

7
00:00:39,990 --> 00:00:42,440
That is the basic working of CSRF.

8
00:00:42,450 --> 00:00:49,840
So, let us go to our Kali Linux machine and log in to our Damn Vulnerable Web Application.

9
00:00:50,040 --> 00:00:54,360
So as you can see, I have logged into Damn Vulnerable Web Application.

10
00:00:54,430 --> 00:00:57,970
Let's first go to Setup and create and reset the setup.

11
00:00:58,020 --> 00:01:02,880
Now, I have installed... currently I have installed DVWA on my machine.

12
00:01:02,880 --> 00:01:06,560
You can see we do not need Metasploitable for this practical.

13
00:01:06,930 --> 00:01:15,320
Now let us set the security level to low, because this practical is just to show you how CSRF works,

14
00:01:15,330 --> 00:01:16,830
that is, a proof of concept.

15
00:01:16,830 --> 00:01:19,770
To understand the working conditions, go to CSRF.

16
00:01:19,770 --> 00:01:26,280
If you know the basic working of CSRF, it is like an attacker sends malicious links to the user.

17
00:01:26,280 --> 00:01:32,670
And when the user clicks that link, the attacker executes the operations which he wanted to execute,

18
00:01:32,670 --> 00:01:34,590
but which the user did not wish to.

19
00:01:35,040 --> 00:01:40,320
So now let's say I am the attacker and I have changed my password.

20
00:01:40,470 --> 00:01:49,090
I will give my new password as, let's say, my whole name, my mercy, and Abi, and I will confirm

21
00:01:49,090 --> 00:01:49,860
my password.

22
00:01:50,550 --> 00:01:56,730
So in our case, Chima is the attacker and let's say Yosh is the victim, so I will change.

23
00:01:57,390 --> 00:02:05,550
And yes, you can see in the URL that the new password is Jemiah and the new password is also changed.

24
00:02:06,000 --> 00:02:11,040
Now what I will do, I will select this and I will copy this whole request.

25
00:02:11,790 --> 00:02:17,550
Right now I'm the attacker; now I will go and I will start a text editor.

26
00:02:18,800 --> 00:02:23,010
And here I will be telling them what I want.

27
00:02:23,030 --> 00:02:24,610
I want to take over...

28
00:02:24,620 --> 00:02:26,500
I want to take over your account.

29
00:02:26,840 --> 00:02:30,950
So what I will do, I will change the password here, that is...

30
00:02:30,950 --> 00:02:32,720
Yes, I will change it here.

31
00:02:34,730 --> 00:02:41,300
I will change it to yosh123, and I will again change the new password

32
00:02:42,540 --> 00:02:44,680
to yosh123.

33
00:02:45,100 --> 00:02:50,490
No, I haven't changed the password of my own system; I'm just changing the parameters in this request.

34
00:02:50,880 --> 00:02:52,860
I will copy this request.

35
00:02:54,950 --> 00:02:58,830
And I will somehow send this request to you.

36
00:02:59,420 --> 00:03:05,000
Now, what I will do is I will show you how I can send it. I will go to a URL shortener.

37
00:03:07,150 --> 00:03:15,820
OK, I will just click a random first link and I will paste my original crafted link here, so you can

38
00:03:15,820 --> 00:03:19,030
see I will paste it here, and you can see the new password is

39
00:03:19,030 --> 00:03:19,340
yosh,

40
00:03:19,360 --> 00:03:22,300
and the confirm password is yosh123.

41
00:03:22,630 --> 00:03:24,430
And there you go, I have got the new link.

42
00:03:24,430 --> 00:03:26,320
I will copy this link.

43
00:03:26,740 --> 00:03:34,870
And then what I will do is I will mail you saying that, hey, Yosh, check this cool Nike T-shirt, and

44
00:03:34,870 --> 00:03:40,090
it's just at 599 rupees, and Yosh will click that link, OK?

45
00:03:40,090 --> 00:03:42,060
And let us see what happens now.

46
00:03:42,060 --> 00:03:45,790
I will take the original link here again to show how it works.

47
00:03:47,950 --> 00:03:48,550
Now.

48
00:03:49,910 --> 00:03:57,590
Let us see, Yosh has... I will paste the link here now, since here when Yosh will click that link,

49
00:03:57,800 --> 00:03:59,300
the link will appear like this.

50
00:03:59,300 --> 00:04:02,150
And when I hit enter, I will perform as Yosh.

51
00:04:02,360 --> 00:04:03,890
So I will just hit enter.

52
00:04:04,160 --> 00:04:09,830
What was my password? My password was the password of DVWA, that is "password".

53
00:04:10,130 --> 00:04:14,690
And when I hit enter, you can see I have got a message: password changed.

54
00:04:15,500 --> 00:04:18,260
But now Yosh is surprised.

55
00:04:18,320 --> 00:04:23,810
I had actually told you that it was a cool Nike T-shirt, but Yosh got an error message saying your

56
00:04:23,810 --> 00:04:26,130
password has been changed now.

57
00:04:26,990 --> 00:04:27,540
Oh yes.

58
00:04:27,560 --> 00:04:31,100
Yosh logs out and he will just tell me that something has happened.

59
00:04:31,100 --> 00:04:38,600
But here, as an attacker, I am into your login page, so I will just type admin because I know your

60
00:04:38,810 --> 00:04:40,540
username, but I do not know the password.

61
00:04:40,850 --> 00:04:43,860
But now, since Yosh is a victim of this CSRF...

62
00:04:43,880 --> 00:04:49,580
Now, since you clicked that link, I will try to use the password which I changed.

63
00:04:49,580 --> 00:04:52,430
The password was yosh123.

64
00:04:52,900 --> 00:04:54,440
I will click login.

65
00:04:54,710 --> 00:04:55,550
There you go.

66
00:04:55,940 --> 00:04:58,130
I have the overview.

67
00:04:58,130 --> 00:05:01,460
I have successfully hacked your account now.

68
00:05:01,460 --> 00:05:03,340
Did you want to change the password?

69
00:05:03,470 --> 00:05:03,830
No.

70
00:05:04,780 --> 00:05:08,470
He just clicked that link and the password got reset.

71
00:05:08,770 --> 00:05:09,670
This is how

72
00:05:11,720 --> 00:05:14,160
cross-site request forgery works.

73
00:05:14,360 --> 00:05:22,340
The main task here is just to send the request, send a link to the victim. Now, on the security aspect, in this

74
00:05:22,340 --> 00:05:26,000
case, it was very easy because it was at low security level.

75
00:05:26,240 --> 00:05:29,800
But when it comes to secure applications now, what is the flaw?

76
00:05:29,810 --> 00:05:31,570
Do you understand what the flaw is here?

77
00:05:31,580 --> 00:05:38,210
It didn't check for the session, but when the applications are more secure, then whenever I will try to

78
00:05:38,210 --> 00:05:41,870
log in, or whenever he or she will try to click that link,

79
00:05:42,050 --> 00:05:49,420
the browser will first ask you to log in, that is, with his own password, and then it will execute that link.

80
00:05:49,460 --> 00:05:53,430
But in our case, when you clicked the link, the password got changed.

81
00:05:53,690 --> 00:05:54,890
This is a major flaw.

82
00:05:54,890 --> 00:06:02,680
And if you want to prevent this CSRF, you need to implement a set of tokens where session IDs are preserved.

83
00:06:03,140 --> 00:06:07,730
So I just wanted to show you how CSRF works and what CSRF is.

84
00:06:08,000 --> 00:06:12,020
And that is why cybersecurity awareness is very important.

85
00:06:12,020 --> 00:06:16,610
You cannot just click random links in your email or in your text messages.

86
00:06:16,640 --> 00:06:18,400
You need to be aware of what happens.

87
00:06:19,280 --> 00:06:22,910
The applications like e-commerce, like Amazon, Flipkart:

88
00:06:23,960 --> 00:06:30,200
if you try and do the same thing, it won't execute, because there are CSRF tokens which check the

89
00:06:30,590 --> 00:06:34,730
ID of the user who is currently logged in or wants to log in again.

90
00:06:35,030 --> 00:06:40,850
So whenever he will try to execute the same link on Flipkart, the Flipkart server will say, hey, this

91
00:06:40,850 --> 00:06:46,130
is not matching the session ID, and hence I cannot allow you to execute the request.

92
00:06:46,280 --> 00:06:52,460
And in this way, this is CSRF; basically, implementing anti-CSRF tokens is one of the ways

93
00:06:52,610 --> 00:06:53,840
to prevent CSRF.

94
00:06:54,990 --> 00:07:02,520
So I hope you have gotten a brief overview of how things work, and please do not use such tools

95
00:07:02,700 --> 00:07:08,880
on legal websites, as your IP can easily get back-traced and you can get compromised.

96
00:07:09,000 --> 00:07:13,930
These videos are just for educational purposes. In the next lecture,

97
00:07:13,950 --> 00:07:20,880
we will see what else is there for countermeasures and how to prevent against attacks using different

98
00:07:20,880 --> 00:07:21,540
techniques.