Cross Site Request Forgery (CSRF) is a real threat to web users and their sessions. To quote from the OWASP web site: "CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated." Combined with social engineering this is a very effective attack tool. Believe it or not, web sites prone to CSRF are very common. If your web developers do not know what a "unique web form" means, you will have to deal with CSRF attacks eventually. Paul Amar is a student of computer science, and at DeepSec 2013 he will present a framework to study and prototype CSRF interaction with web servers.
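The "unique web form" mentioned above is the synchronizer-token pattern: every state-changing form carries a secret, per-session value that a third-party page cannot know, and the server refuses any submission that does not carry it. The following is an added illustration written for this post, not code from CSRFT or from Paul Amar; the session store, the `csrf_token` field name and the dict-shaped request are assumptions made here so that it runs offline.

```python
"""Synchronizer-token CSRF check, stdlib only (added example, not CSRFT code).

Assumed here (not from the original post): a server-side session store keyed
by the 'session' cookie, a hidden form field named 'csrf_token', and a request
passed in as a dict with 'method', 'cookies', 'form' and 'headers' keys.
"""
import hmac
import secrets

# Stand-in for a real server-side session store: session_id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(session_id, action="/transfer"):
    """Return a 'unique' form: the session's token is embedded as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input name="amount"><button>Send</button></form>'
    )


def is_state_changing(method):
    """Only non-safe methods need the token; GET/HEAD/OPTIONS must not change state."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def check_csrf(request):
    """Return (ok, reason) for one request. The cookie alone is never enough."""
    if not is_state_changing(request["method"]):
        return True, "safe method"
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return False, "token mismatch"
    return True, "token ok"


def handle_transfer(request):
    """Tiny handler: 403 without a valid token, 200 otherwise."""
    ok, reason = check_csrf(request)
    if not ok:
        return 403, f"rejected: {reason}"
    return 200, "transfer accepted"


if __name__ == "__main__":
    sid = new_session()
    token = SESSIONS[sid]["csrf_token"]
    print(render_form(sid))
    # Legitimate submission from the rendered form.
    print(handle_transfer({"method": "POST", "cookies": {"session": sid},
                           "form": {"csrf_token": token, "amount": "10"}}))
    # Cross-site form: browser attaches the cookie, but the token is unknown.
    print(handle_transfer({"method": "POST", "cookies": {"session": sid},
                           "form": {"amount": "10"}}))
```

The token lives only in the server-side session and in pages the server itself rendered, so a form hosted elsewhere that the victim's browser submits with the session cookie fails the check. Rotating the token per request and setting the session cookie with a SameSite attribute are complementary hardening steps, not replacements for the check.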
The tool presented is the Cross Site Request Forgeries Toolkit (CSRFT). It has been developed in Python and Node.js, and its configuration files are written in JSON. The CSRFT can be used to explore CSRF weaknesses. Paul will give examples of how to use it, and he will show that users do not need to be logged into a site in order to take advantage of those vulnerabilities. The real strength of the CSRFT is performing complex exploitation techniques using custom scenarios. There will be specially designed examples for the DeepSec audience.
If you are interested in securing web sites or do penetration testing, then you should attend Paul’s talk. Providing feedback, testing the CSRFT, and writing more examples is a way to contribute to the project. Let Paul know what you think.