Complete Application pwnage via Multi-POST XSRF

  • Webcast Aired Friday, 09 Oct 2015 1:00PM EDT (09 Oct 2015 17:00 UTC)
  • Speaker: Adrien de Beaupre

This talk will discuss the risk posed by Cross-Site Request Forgery (CSRF or XSRF), also known as session riding or transaction injection. Many applications are vulnerable to XSRF; mitigation is difficult because it may require re-engineering the entire application, and the threat these vulnerabilities pose is often misunderstood. A live demo will show how to identify the vulnerability and how it can be exploited to perform multiple unauthorized transactions in a single POST.