CMU540

WEB-CSRF-01 & WEB-CONFIG-01 - CSRF and Misconfiguration

Session 6

James Williams

jwilliams@staff.newman.ac.uk

Learning Objectives

  • Understand OWASP A04: CSRF and A05: Misconfiguration
  • Identify CSRF attack vectors and prevention methods
  • Learn secure design principles and configuration management
  • Practice vulnerability discovery using OS³ Studio
  • Implement secure CSRF protection and configuration
  • Explore career opportunities in security architecture

OWASP A04: CSRF & A05: Misconfiguration

CSRF: Cross-Site Request Forgery forces users to perform unwanted actions

Misconfiguration: Security misconfigurations expose applications to attacks

Key Areas:

  • CSRF token validation
  • Secure design principles
  • Configuration management
  • Default credentials and settings

CSRF Attack Scenario

Attack Flow:

<!-- VULNERABLE: No CSRF protection -->
<form action="/transfer" method="POST">
  <input name="amount" value="1000">
  <input name="to" value="attacker-account">
  <input type="submit" value="Transfer">
</form>
<!-- Malicious site -->
<img src="https://bank.com/transfer?amount=1000&to=attacker">

Impact: Unauthorized actions performed on behalf of authenticated users

CSRF Prevention Methods

1. CSRF Tokens

<!-- SECURE: CSRF token implementation -->
<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="<?php echo $csrf_token; ?>">
  <input name="amount" value="1000">
  <input name="to" value="recipient-account">
  <input type="submit" value="Transfer">
</form>
<!-- Server validation -->
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
  die('CSRF token mismatch');
}

SameSite Cookie Protection

Implementation:

<!-- SECURE: SameSite cookie -->
Set-Cookie: sessionid=abc123; SameSite=Strict; Secure; HttpOnly
<!-- SameSite values -->
SameSite=Strict    // Never sent with cross-site requests
SameSite=Lax       // Sent with top-level navigation
SameSite=None      // Always sent (requires Secure flag)

Benefit: Prevents cookies from being sent with cross-site requests

Common Security Misconfigurations

1. Default Credentials

<!-- VULNERABLE: Default credentials -->
admin / admin
admin / password
root / root
guest / guest
<!-- SECURE: Strong credentials -->
admin / Kx9#mP2$vL8@nQ4
root / 7F&gH3*jK9#mN5$pR2

2. Debug Mode Enabled

<!-- VULNERABLE: Debug mode in production -->
DEBUG = True
<!-- SECURE: Debug mode disabled -->
DEBUG = False

Directory Traversal Vulnerabilities

Attack Example:

<!-- VULNERABLE: Directory traversal -->
<img src="<?php echo $_GET['file']; ?>">
<!-- Malicious request -->
GET /image.php?file=../../../etc/passwd
<!-- SECURE: Path validation -->
$file = basename($_GET['file']);
$path = '/safe/directory/' . $file;

Impact: Unauthorized access to sensitive files

Information Disclosure

Common Sources:

<!-- VULNERABLE: Error messages -->
Error: Database connection failed: mysql://root:password@localhost/db
<!-- VULNERABLE: Version disclosure -->
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
<!-- SECURE: Generic error messages -->
Error: An error occurred. Please try again later.

Career Opportunities in Security Architecture

Security Architecture Roles:

  • Security Architect: £60,000 - £120,000
  • Security Consultant: £50,000 - £100,000
  • DevSecOps Engineer: £45,000 - £90,000
  • Security Engineer: £40,000 - £80,000
  • Penetration Tester: £35,000 - £70,000

Skills Needed: Security architecture, Risk assessment, Compliance, System design

OS³ Newman Cyber Security Lab

WEB-CSRF-01 & WEB-CONFIG-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

  • Vulnerable applications with CSRF flaws
  • Misconfigured systems and applications
  • Secure implementation challenges
  • Configuration management best practices

Access: Available through university portal

Practical Examples

Watch: CSRF and Misconfiguration Explained

See Moodle for supporting materials.

Understanding CSRF attacks and security misconfigurations

Web Demos and Tools

Security Testing Tools:

Case Study: GitHub CSRF Attack

2018 GitHub CSRF Vulnerability

  • Impact: Unauthorized repository access
  • Method: CSRF attack on GitHub's invitation system
  • Cause: Missing CSRF protection on invitation endpoints
  • Fix: Implemented CSRF tokens and SameSite cookies

Lesson: Even major platforms can have CSRF vulnerabilities

Summary: Common CSRF and Misconfiguration Issues

Key Vulnerabilities to Look For:

  1. Missing CSRF protection
  2. Default credentials and settings
  3. Debug mode enabled in production
  4. Directory traversal vulnerabilities
  5. Information disclosure in errors
  6. Insecure cookie settings
  7. Missing security headers

Task 1: CSRF and Misconfiguration Discovery

Objective:

Use OS³ Studio to identify CSRF vulnerabilities and security misconfigurations in the lab environment.

Instructions:

  1. Access the OS³ Studio vulnerable application
  2. Test for CSRF vulnerabilities in forms
  3. Look for default credentials
  4. Check for debug mode and error disclosure
  5. Test for directory traversal vulnerabilities
  6. Examine cookie security settings
  7. Document all findings with proof of concept
  8. Prepare a vulnerability assessment report

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure CSRF Protection

1. Double Submit Cookie Pattern

<!-- SECURE: Double submit cookie -->
<script>
  function getCookie(name) {
    let value = "; " + document.cookie;
    let parts = value.split("; " + name + "=");
    if (parts.length == 2) return parts.pop().split(";").shift();
  }
  let csrfToken = getCookie('csrf_token');
  fetch('/api/transfer', {
    method: 'POST',
    headers: { 'X-CSRF-Token': csrfToken },
    body: JSON.stringify({amount: 100, to: 'account'})
  });
</script>

2. Origin Header Validation

<!-- SECURE: Origin validation -->
if ($_SERVER['HTTP_ORIGIN'] !== 'https://trusted-domain.com') {
  http_response_code(403);
  die('Invalid origin');
}

Secure Configuration Management

1. Environment-Based Configuration

<!-- SECURE: Environment configuration -->
# Production settings
DEBUG = False
SECRET_KEY = os.environ.get('SECRET_KEY')
DATABASE_URL = os.environ.get('DATABASE_URL')
ALLOWED_HOSTS = ['yourdomain.com']
# Development settings
DEBUG = True
SECRET_KEY = 'dev-key-only'
DATABASE_URL = 'sqlite:///dev.db'

2. Security Headers

<!-- SECURE: Security headers -->
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'

Input Validation and Sanitization

1. Path Traversal Prevention

<!-- SECURE: Path validation -->
function validateFilePath($input) {
  // Remove directory traversal sequences
  $input = str_replace(['../', '..\\', '..\\\\'], '', $input);
  // Use basename to get only filename
  $filename = basename($input);
  // Validate against allowed files
  $allowedFiles = ['file1.txt', 'file2.pdf', 'image.jpg'];
  return in_array($filename, $allowedFiles);
}

2. Error Handling

<!-- SECURE: Generic error handling -->
try {
  $result = performOperation();
} catch (Exception $e) {
  // Log detailed error for debugging
  error_log($e->getMessage());
  // Show generic error to user
  echo "An error occurred. Please try again.";
}

Authentication and Authorization

1. Strong Password Policy

<!-- SECURE: Password validation -->
function validatePassword($password) {
  if (strlen($password) < 12) return false;
  if (!preg_match('/[A-Z]/', $password)) return false;
  if (!preg_match('/[a-z]/', $password)) return false;
  if (!preg_match('/[0-9]/', $password)) return false;
  if (!preg_match('/[^A-Za-z0-9]/', $password)) return false;
  return true;
}

2. Session Security

<!-- SECURE: Session configuration -->
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Strict"
session.use_strict_mode = 1
session.gc_maxlifetime = 1800  // 30 minutes

Monitoring and Logging

1. Security Event Logging

<!-- SECURE: Security logging -->
function logSecurityEvent($event, $details) {
  $logEntry = [
    'timestamp' => date('Y-m-d H:i:s'),
    'event' => $event,
    'ip' => $_SERVER['REMOTE_ADDR'],
    'user_agent' => $_SERVER['HTTP_USER_AGENT'],
    'details' => $details
  ];
  error_log(json_encode($logEntry));
}

2. Anomaly Detection

  • Monitor failed login attempts
  • Track unusual access patterns
  • Alert on privilege escalation attempts
  • Monitor for suspicious file access

Compliance and Standards

1. Security Frameworks

  • OWASP Top 10: Web application security risks
  • NIST Cybersecurity Framework: Risk management
  • ISO 27001: Information security management
  • PCI DSS: Payment card industry standards

2. Best Practices

  • Implement defense in depth
  • Regular security assessments
  • Automated security testing
  • Incident response planning

Career Development in Security Architecture

Next Steps:

  • Advanced Certifications: CISSP, CISM, CISA
  • Specialized Training: Security architecture, Risk management
  • Hands-on Practice: Security assessments, Penetration testing
  • Industry Networking: Security conferences, meetups
  • Research: New attack techniques, Defense methods

Resources: OWASP | NIST | ISO

Task 2: Secure CSRF Protection and Configuration

Objective:

Use OS³ Studio to implement secure CSRF protection and fix configuration issues found in Task 1.

Instructions:

  1. Access the OS³ Studio secure implementation environment
  2. Implement CSRF token protection
  3. Configure secure cookie settings
  4. Remove default credentials and debug mode
  5. Implement proper input validation
  6. Add security headers
  7. Test the secure implementation
  8. Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard security practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

  • How CSRF protection is implemented
  • Configuration management practices
  • Error handling and logging mechanisms
  • Authentication and authorization systems
  • Security header implementation

Deliverable: Code review report with security recommendations

Session Summary

Key Takeaways:

  • CSRF attacks exploit user authentication
  • Security misconfigurations are common vulnerabilities
  • CSRF tokens and SameSite cookies provide protection
  • OS³ Studio provides hands-on vulnerability testing
  • Secure implementation requires multiple layers of protection
  • Career opportunities in security architecture are growing

Next Steps