CMU540

WEB-CSRF-01 & WEB-CONFIG-01 - CSRF and Misconfiguration

Session 6

James Williams

jwilliams@staff.newman.ac.uk

Learning Objectives

Understand OWASP A04: CSRF and A05: Misconfiguration
Identify CSRF attack vectors and prevention methods
Learn secure design principles and configuration management
Practice vulnerability discovery using OS³ Studio
Implement secure CSRF protection and configuration
Explore career opportunities in security architecture

OWASP A04: CSRF & A05: Misconfiguration

CSRF: Cross-Site Request Forgery forces users to perform unwanted actions

Misconfiguration: Security misconfigurations expose applications to attacks

Key Areas:

CSRF token validation
Secure design principles
Configuration management
Default credentials and settings

CSRF Attack Scenario

Attack Flow:

<!-- VULNERABLE: No CSRF protection -->
<form action="/transfer" method="POST">
  <input name="amount" value="1000">
  <input name="to" value="attacker-account">
  <input type="submit" value="Transfer">
</form>
<!-- Malicious site -->
<img src="https://bank.com/transfer?amount=1000&to=attacker">

Impact: Unauthorized actions performed on behalf of authenticated users

CSRF Prevention Methods

1. CSRF Tokens

<!-- SECURE: CSRF token implementation -->
<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>">
  <input name="amount" value="1000">
  <input name="to" value="recipient-account">
  <input type="submit" value="Transfer">
</form>
<!-- Server validation -->
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
  die('CSRF token mismatch');
}

SameSite Cookie Protection

Implementation:

<!-- SECURE: SameSite cookie -->
Set-Cookie: sessionid=abc123; SameSite=Strict; Secure; HttpOnly
<!-- SameSite values -->
SameSite=Strict    // Never sent with cross-site requests
SameSite=Lax       // Sent with top-level navigation
SameSite=None      // Always sent (requires Secure flag)

Benefit: Prevents cookies from being sent with cross-site requests

Common Security Misconfigurations

1. Default Credentials

<!-- VULNERABLE: Default credentials -->
admin / admin
admin / password
root / root
guest / guest
<!-- SECURE: Strong credentials -->
admin / Kx9#mP2$vL8@nQ4
root / 7F&gH3*jK9#mN5$pR2

2. Debug Mode Enabled

<!-- VULNERABLE: Debug mode in production -->
DEBUG = True
<!-- SECURE: Debug mode disabled -->
DEBUG = False

Directory Traversal Vulnerabilities

Attack Example:

<!-- VULNERABLE: Directory traversal -->
<img src="<?php echo $_GET['file']; ?>">
<!-- Malicious request -->
GET /image.php?file=../../../etc/passwd
<!-- SECURE: Path validation -->
$file = basename($_GET['file']);
$path = '/safe/directory/' . $file;

Impact: Unauthorized access to sensitive files

Information Disclosure

Common Sources:

<!-- VULNERABLE: Error messages -->
Error: Database connection failed: mysql://root:password@localhost/db
<!-- VULNERABLE: Version disclosure -->
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
<!-- SECURE: Generic error messages -->
Error: An error occurred. Please try again later.

Career Opportunities in Security Architecture

Security Architecture Roles:

Security Architect: £60,000 - £120,000
Security Consultant: £50,000 - £100,000
DevSecOps Engineer: £45,000 - £90,000
Security Engineer: £40,000 - £80,000
Penetration Tester: £35,000 - £70,000

Skills Needed: Security architecture, Risk assessment, Compliance, System design

OS³ Newman Cyber Security Lab

WEB-CSRF-01 & WEB-CONFIG-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

Vulnerable applications with CSRF flaws
Misconfigured systems and applications
Secure implementation challenges
Configuration management best practices

Access: Available through university portal

Practical Examples

Watch: CSRF and Misconfiguration Explained

See Moodle for supporting materials.

Understanding CSRF attacks and security misconfigurations

Web Demos and Tools

Security Testing Tools:

Burp Suite - Web application security testing
OWASP ZAP - Open source web app scanner
WebGoat - Vulnerable web application
PentesterLab - Hands-on security training
Hacker101 - Free security training

Case Study: GitHub CSRF Attack

2018 GitHub CSRF Vulnerability

Impact: Unauthorized repository access
Method: CSRF attack on GitHub's invitation system
Cause: Missing CSRF protection on invitation endpoints
Fix: Implemented CSRF tokens and SameSite cookies

Lesson: Even major platforms can have CSRF vulnerabilities

Summary: Common CSRF and Misconfiguration Issues

                    Key Vulnerabilities to Look For:
                    Missing CSRF protection
Default credentials and settings
Debug mode enabled in production
Directory traversal vulnerabilities
Information disclosure in errors
Insecure cookie settings
Missing security headers

                

Task 1: CSRF and Misconfiguration Discovery

Objective:

Use OS³ Studio to identify CSRF vulnerabilities and security misconfigurations in the lab environment.

Instructions:

Access the OS³ Studio vulnerable application
Test for CSRF vulnerabilities in forms
Look for default credentials
Check for debug mode and error disclosure
Test for directory traversal vulnerabilities
Examine cookie security settings
Document all findings with proof of concept
Prepare a vulnerability assessment report

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure CSRF Protection

1. Double Submit Cookie Pattern

<!-- SECURE: Double submit cookie -->
<script>
  function getCookie(name) {
    let value = "; " + document.cookie;
    let parts = value.split("; " + name + "=");
    if (parts.length == 2) return parts.pop().split(";").shift();
  }
  let csrfToken = getCookie('csrf_token');
  fetch('/api/transfer', {
    method: 'POST',
    headers: { 'X-CSRF-Token': csrfToken },
    body: JSON.stringify({amount: 100, to: 'account'})
  });
</script>

2. Origin Header Validation

<!-- SECURE: Origin validation -->
if ($_SERVER['HTTP_ORIGIN'] !== 'https://trusted-domain.com') {
  http_response_code(403);
  die('Invalid origin');
}

Secure Configuration Management

1. Environment-Based Configuration

<!-- SECURE: Environment configuration -->
# Production settings
DEBUG = False
SECRET_KEY = os.environ.get('SECRET_KEY')
DATABASE_URL = os.environ.get('DATABASE_URL')
ALLOWED_HOSTS = ['yourdomain.com']
# Development settings
DEBUG = True
SECRET_KEY = 'dev-key-only'
DATABASE_URL = 'sqlite:///dev.db'

2. Security Headers

<!-- SECURE: Security headers -->
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'

Input Validation and Sanitization

1. Path Traversal Prevention

<!-- SECURE: Path validation -->
function validateFilePath($input) {
  // Remove directory traversal sequences
  $input = str_replace(['../', '..\\', '..\\\\'], '', $input);
  // Use basename to get only filename
  $filename = basename($input);
  // Validate against allowed files
  $allowedFiles = ['file1.txt', 'file2.pdf', 'image.jpg'];
  return in_array($filename, $allowedFiles);
}

2. Error Handling

<!-- SECURE: Generic error handling -->
try {
  $result = performOperation();
} catch (Exception $e) {
  // Log detailed error for debugging
  error_log($e->getMessage());
  // Show generic error to user
  echo "An error occurred. Please try again.";
}

Authentication and Authorization

1. Strong Password Policy

<!-- SECURE: Password validation -->
function validatePassword($password) {
  if (strlen($password) < 12) return false;
  if (!preg_match('/[A-Z]/', $password)) return false;
  if (!preg_match('/[a-z]/', $password)) return false;
  if (!preg_match('/[0-9]/', $password)) return false;
  if (!preg_match('/[^A-Za-z0-9]/', $password)) return false;
  return true;
}

2. Session Security

<!-- SECURE: Session configuration -->
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Strict"
session.use_strict_mode = 1
session.gc_maxlifetime = 1800  // 30 minutes

Monitoring and Logging

1. Security Event Logging

<!-- SECURE: Security logging -->
function logSecurityEvent($event, $details) {
  $logEntry = [
    'timestamp' => date('Y-m-d H:i:s'),
    'event' => $event,
    'ip' => $_SERVER['REMOTE_ADDR'],
    'user_agent' => $_SERVER['HTTP_USER_AGENT'],
    'details' => $details
  ];
  error_log(json_encode($logEntry));
}

2. Anomaly Detection

Monitor failed login attempts
Track unusual access patterns
Alert on privilege escalation attempts
Monitor for suspicious file access

Compliance and Standards

1. Security Frameworks

OWASP Top 10: Web application security risks
NIST Cybersecurity Framework: Risk management
ISO 27001: Information security management
PCI DSS: Payment card industry standards

2. Best Practices

                    Implement defense in depth
Regular security assessments
Automated security testing
Incident response planning

                

Career Development in Security Architecture

Next Steps:

Advanced Certifications: CISSP, CISM, CISA
Specialized Training: Security architecture, Risk management
Hands-on Practice: Security assessments, Penetration testing
Industry Networking: Security conferences, meetups
Research: New attack techniques, Defense methods

Resources: OWASP | NIST | ISO

Task 2: Secure CSRF Protection and Configuration

Objective:

Use OS³ Studio to implement secure CSRF protection and fix configuration issues found in Task 1.

Instructions:

Access the OS³ Studio secure implementation environment
Implement CSRF token protection
Configure secure cookie settings
Remove default credentials and debug mode
Implement proper input validation
Add security headers
Test the secure implementation
Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard security practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

How CSRF protection is implemented
Configuration management practices
Error handling and logging mechanisms
Authentication and authorization systems
Security header implementation

Deliverable: Code review report with security recommendations

Session Summary

                    Key Takeaways:
                    CSRF attacks exploit user authentication
Security misconfigurations are common vulnerabilities
CSRF tokens and SameSite cookies provide protection
OS³ Studio provides hands-on vulnerability testing
Secure implementation requires multiple layers of protection
Career opportunities in security architecture are growing

                