27 Dinner Tonight

SA Security Bloggers

SensePost

Haroon Meer
link

Matt Erasmus
link

Andrew Mohawk

Junaid Loonat
link

Barry Irwin
link

Tom Wells

Allen Baranov
link

Jock Forrester
link

IT Security Pubcast
link

Telspace

ISGAfrica

Ralfe Poisson

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.

Random Entry: Symantec Biannual Internet Security Threat Report
< Why I think the Quality Vacation Club is a Dubious Organisation | Compiling 32bit apps on a 64bit Ubuntu >

Monday, November 24. 2008

Tonight's 27 dinner was great. I haven't been in a while, but there was a good crowd and I had some really interesting conversation. My presentation went well it seems. I've attached a copy here if anyone is interested.

The talk was focused on cross-site request forgery attacks. As it was mostly a non-security crowd I tried to make it accessible. I demo'ed a CSRF against Vodacom4ME's online SMS functionality (which I rely on for vodasms). I also demo'ed a CSRF against muti, with code injected via a persistent cross site scripting (XSS) flaw in 27dinner.com. In effect, anyone logged into muti who viewed the Jozi 27dinner guest list also voted up this post on muti. I finished it off with a demo of BeEF proxy. For tips of defending against it in your app check out this entry.

I've removed all the demo code, as I can just image someone dubious sticking muti CSRF's all over the place to falsely inflate their posts ranking.

Anyway, thanks for the good conversations, and great feedback, in particular:

Also, thanks to the IRC geeks who helped with some of the ideas and finer points at funny hours in the morning last night:

Posted by Dominic White in Security at 00:24 | Comments (6) | Trackbacks (0)

Last modified on 2008-11-27 01:51

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

u have to give us more warning before springing stuff like this.. The hippie and i woulda loved to pop by and hurl rancid fruit..

#1 mh (Homepage) on 2008-11-24 06:34 (Reply)

I was only asked yesterday, and only started last night. Could do with some help from you guys around a twitter CSRF though. May be a project for a rainier day. I'm so close, have gotten around the anti-CSRF token, but have come across their stupid 'Accept' header control (if the client-side 'Accept' header doesn't look like it came from an XHR, they disallow the request). As an aside, isn't it interesting that such a bare bones entry is doing so well on muti :) http://www.muti.co.za/hot

#2 Dominic White (Homepage) on 2008-11-24 06:43 (Reply)

Goes to show people vote before they read, I guess. Is this a little social experiment?

#3 Stii (Homepage) on 2008-11-24 10:00 (Reply)

@stii Heh, no, it was a security experiment. All of the votes were done without the voting user's knowledge. I was demonstrating cross site request forgery attacks for the dinner.

#4 Dominic White (Homepage) on 2008-11-24 14:22 (Reply)

Bloody hell, that sounds like an interesting talk. We need you to come do some of these over here in Cape Town. Please man.

#5 Stii (Homepage) on 2008-11-24 21:28 (Reply)

Thanks for a great talk yesterday Dominique, it was great to meet you. Have a great day, chat soon :)

#6 Haroun Kola (Homepage) on 2008-11-24 23:30 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry