Prevention Techniques: Cross-site request forgery (CSRF)

1. The best defense against CSRF attacks is unpredictable tokens, a piece of data that the server can use to validate the request, and which an attacker can’t guess. For example, an important request could contain a digest of the user’s session credential, which is different for every user. And, for a little extra security, add a timestamp to the token, to limit the window of opportunity, as shown in the POST body below:

  
POST http://fictitiousbank/transfer.cgi HTTP/1.1 
Host: fictitiousbank 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9) Gecko/2008052906 
Firefox/3.6.2 
Cookie: PHPSESSIONID=7757ADD8766d455NFJJ23875JBJKBFR from=35367021&to48412334&amount=5000&date=05072010&token=40E03EF45T443W20K4IC567HY4334DD44&timestamp=1184001456 
   

The tokens used should also be cryptographically very strong. 

2. Challenge-Response
Challenge-Response is another defense option for CSRF. The following are some examples of challenge-response options.

• CAPTCHA
• Re-Authentication (password)
• One-time Token

While challenge-response is a very strong defense to CSRF (assuming proper implementation), it does impact user experience. For applications in need of high security, tokens (transparent) and challenge-response should be used on high risk functions 

3. Limit the time for which the user’s credentials are valid. By enforcing inactivity timeouts, you reduce chances of CSRF attacks. 

4. Password re-verification should be given priority over single-sign on. In this method, the users must type in their passwords again when accessing particularly critical functions.
5. Client/User Prevention
Since CSRF vulnerabilities are reportedly widespread, it is recommended to follow best practices to mitigate risk. Some mitigating include:

• Logoff immediately after using a Web application
• Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login
• Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).
• The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript the attacker would have to trick the user into submitting the form manually.

Cross-site request forgery (CSRF)

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF . Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation, when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.

Example Cross-site request forgery
I just bought a new home wireless router. Like most wifi routers, it’s configured through a web interface. The router was shipped to me with an internal IP address of 192.168.1.1. I’m having trouble configuring the router though, and fortunately the folks over at somemalicioussite.com have published a guide that shows me exactly what buttons to click in the router interface to get everything set up securely. The attackers have also set up a proxy server at 123.45.67.89 that will log all traffic that goes through it and look for things like passwords and session tokens.
As I clicked through the configuration guide, I missed the 1x1 pixel image that failed to load:
<img src=”http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89” alt=”pwned” height=”1” width=”1”/>
The attackers knew that when I was reading their tutorial, I would be logged into the router interface. So they had the CSRF attack set up in the tutorial. With that request, my router would be reconfigured so that my traffic will be routed to their proxy server where they can do all manner of bad things with it.
Difference between CSRF and XSS
The fundamental difference between CSRF and XSS is that cross-site scripting (XSS), is designed to exploit the trust the user has for a particular site whilst CSRF aims to exploit the trust that a website has in the visitor’s browser
Tools to test Cross-site request forgery
WebScarab Spider http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
CSRF Tester http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
Cross Site Requester http://yehg.net/lab/pr0js/pentest/cross_site_request_forgery.php
In the next part of this article we will discuss about the Prevention from Cross-site request forgery (CSRF)

Missing Function Level Access Control

When developers create web interfaces, they have to restrict which users can see various links, buttons, forms, and pages. Developers usually get this right because it is very visible. Unfortunately, making it pretty doesn’t make it secure. Developers often forget that they also have to put access controls in the business logic that actually performs business functions.

Example Missing Function Level Access Control
On my bank’s website, the clerk has a link in his navigation bar to manage the client accounts. The client can’t see that link because clients are not allowed to access this section. But the item in the menu exists in the code, it is simply hidden dynamically using a Javascript function. By analyzing the HTML code, an attacker can easily find the URL to the account management section. And as the access to this section is not controlled, thus the attacker can steal a lot of sensitive data (personal information, account data). Moreover, functions available in that account management section for clerks is not controlled either. The attacker can then transfer money to his own account. And hopefully, the attacker’s actions are not logged.
Attack Vectors Missing Function Level Access Control
Authorized user changes a URL or parameter to a privileged function.
Anonymous users could access private functions that aren’t protected.
Possible Consequences Missing Function Level Access Control
Compromised user accounts.
Compromised administrative accounts.
Unauthorized use of privileged Functionality.
Prevention Missing Function Level Access Control
Implement checks in the controller or business logic.
Don’t hard code and Audit
Deny all access by default, requiring explicit grants to specific roles for access to every function

Top Hacking Tools as Password Cracker

Number one of the biggest security holes are passwords, as every password security study shows.
Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. Password cracking isn't done by trying to log in to, say, a bank's website millions of times; websites generally don't allow many wrong guesses, and the process would be unbearably slow even if it were possible. The cracks always take place offline after people obtain long lists of "hashed" passwords, often through hacking.

Below are the top Hacking Tools used as a Password cracker

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.

HYDRA

THC Hydra is a fast and flexible Network Login Hacking Tool. It uses a dictionary attack to try various password/login combinations against an Internet service to determine a valid set of login credentials. It supports a wide set of protocols including Mail (POP3, IMAP, etc.), Databases, LDAP, SMB, VNC, and SSH.

Ophcrack

Ophcrack is a free open source (GPL licensed) program that cracks Windows passwords by using LM hashes through rainbow tables. The program includes the ability to import the hashes from a variety of formats, including dumping directly from the SAM files of Windows. On most computers, ophcrack can crack most passwords within a few minutes.

John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

• Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
• Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
• Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Top Hacking Tools for Exploitation

A good Exploitation tool is a framework of several services and tools not only limited to identify a vulnerable remote host and all the attacks we can perform on that particular remote host but actually exploit the host, offering a shell or various other functions on the remote host.  Below are the Top Hacking Tools for Vulnerability Exploitation.

Metasploit

Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules.

Core Impact Pro

Core Impact Pro is widely considered to be the most powerful exploitation tool available. Core Impact Pro is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization.

•Endpoint systems

•Passwords and identities

•Mobile devices

•Wireless networks

•Web applications and services

•Network systems and devices

CANVAS

Immunity's CANVAS makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals worldwide. The strength of Canvas is that it provides one of the most flexible and powerful frameworks for exploitation, intrusion detection device testing, and exploit crafting. However, that very flexibility combined with its GUI makes.

OWASP Mantra - Security Framework

 A web application security testing framework built on top of a browser. Supports Windows, Linux and Macintosh.  Mantra has many built in tools to modify headers, manipulate input strings, replay GET/POST requests, edit cookies, quickly switch between multiple proxies, control forced redirects etc. This makes it good software for performing basic security checks and sometimes, exploitation.

BeEF

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.

Tutorials, Cheat Sheet and Tools for Hacking

In the following tutorial we will learn how to hack anyone's computer and android mobile phone
Hacking Android phone using Metasploit
http://infosecaffairs.blogspot.in/2014/11/hacking-android-phone-using-metasploit.html
Hack anyone’s computer by using malicious PDF
http://infosecaffairs.blogspot.in/2014/11/hack-anyones-computer-by-using-malicious-PDF.html

Cheat sheets aren't only meant for programmers. Rather, with the number of things that they have to know, hackers often require cheat sheets too. When it comes to hacking, it's always good to have a few sheets. Below are the sheets you can use while hacking.
Google Dorks List for SQL injection
http://infosecaffairs.blogspot.in/2014/10/google-dorks-list-for-sql-injection_16.html
Remote file inclusion (RFI) dork list
http://infosecaffairs.blogspot.in/2014/11/remote-file-inclusion-rfi-dork-list.html
Sqlmap cheat sheet
http://infosecaffairs.blogspot.in/2014/10/sqlmap-cheat-sheet.html
Password Cracking: Dictionary Attack Password List
http://infosecaffairs.blogspot.in/2014/10/password-cracking-dictionary-attack-Password-List.html

As an information security professional, your toolkit is the most critical item you can possess. Following are the tools and applications you can use while hacking
Penetration Testing Apps for Android Devices
http://infosecaffairs.blogspot.in/2014/09/penetration-testing-apps-for-android.html
Tools to hack WiFi
http://infosecaffairs.blogspot.in/2014/11/tools-to-hack-wifi.html
DDOS Attack and Free Tools for DDOS
http://infosecaffairs.blogspot.in/2014/10/ddos-attack-and-tools-for-ddos.html 
Top Hacking Tools as Password Cracker
http://infosecaffairs.blogspot.in/2015/08/top-hacking-tools-as-password-cracker.html
Top Hacking Tools for Exploitation
http://infosecaffairs.blogspot.in/2015/08/top-hacking-tools-for-exploitation.html

Sensitive Data Exposure Vulnerabilities

Sensitive data exposure vulnerabilities can occur when an application does not adequately protect sensitive information from being disclosed to attackers. For many applications this may be limited to information such as passwords, but it can also include information such as credit card data, session tokens, or other authentication credentials.
Example
Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.
Scenario #2: A site simply doesn’t use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user’s session cookie. Attacker then replays this cookie and hijacks the user’s session, accessing the user’s private data.

Testing of Sensitive data exposure vulnerabilities
The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:
*Is any of this data stored in clear text long term, including backups of this data?
*Is any of this data transmitted in clear text, internally or externally? Internet traffic is especially dangerous.
*Are any old / weak cryptographic algorithms used?
*Are weak crypto keys generated, or is proper key management or rotation missing?
*Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?
Prevention of Sensitive data exposure vulnerabilities
· Encrypt all sensitive data at rest and in transit in a manner that defends against these threats.
· Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data you don’t have can’t be stolen.
· Disable auto complete on forms collecting sensitive data and disable caching for pages that contain sensitive data.