Nov 24
Security

Tonight's 27dinner was great. I haven't been in a while, but there was a good crowd and I had some really interesting conversations. My presentation seems to have gone well. I've attached a copy here if anyone is interested.

The talk focused on cross-site request forgery (CSRF) attacks. As it was mostly a non-security crowd, I tried to make it accessible. I demoed a CSRF against Vodacom4ME's online SMS functionality (which I rely on for vodasms). I also demoed a CSRF against muti, with the code injected via a persistent cross-site scripting (XSS) flaw in 27dinner.com. In effect, anyone logged into muti who viewed the Jozi 27dinner guest list also voted up this post on muti, without knowing it. I finished off with a demo of the BeEF proxy. For tips on defending against CSRF in your own app, check out this entry.

I've removed all the demo code, as I can just imagine someone dubious sticking muti CSRFs all over the place to falsely inflate their posts' rankings.

Anyway, thanks for the good conversations, and great feedback, in particular:

Also, thanks to the IRC geeks who helped with some of the ideas and finer points at funny hours in the morning last night:

Posted by Dominic White

Last modified on 2008-11-27 01:51


6 Comments

  1. mh says:

    You have to give us more warning before springing stuff like this... The hippie and I woulda loved to pop by and hurl rancid fruit...

  2. Dominic White says:

    I was only asked yesterday, and only started last night. Could do with some help from you guys around a twitter CSRF though. May be a project for a rainier day. I'm so close, have gotten around the anti-CSRF token, but have come across their stupid 'Accept' header control (if the client-side 'Accept' header doesn't look like it came from an XHR, they disallow the request).

    As an aside, isn't it interesting that such a bare bones entry is doing so well on muti :) http://www.muti.co.za/hot
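The post describes the mechanics (a victim's browser, logged in to muti, silently submitting a vote because a forged request carries the session cookie) and the comment above describes the two controls that were getting in the way on Twitter (an anti-CSRF token and a check that the request looks like it came from an XHR). The following is an added example, not the removed demo code and not the code of muti, Vodacom4ME or Twitter: a constructed mini "vote up" endpoint in Python, first in its cookie-only form and then hardened with a per-session synchroniser token plus a custom-header check (the custom-header variant is an assumption standing in for Twitter's Accept-header control; the endpoint names, session store and secret are all hypothetical).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical server secret and session store, constructed for this example only.
SERVER_SECRET = b"example-only-secret-rotate-me"
SESSIONS = {"sess-alice-0001": "alice"}   # cookie value -> logged-in user
VOTES = {}                                 # post id -> set of users who voted it up


@dataclass
class Request:
    """The parts of an HTTP request the handlers below care about."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token(session_cookie: str) -> str:
    """Per-session synchroniser token, derived with HMAC so no extra storage is needed."""
    return hmac.new(SERVER_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def vote_vulnerable(req: Request, post_id: str) -> int:
    """Trusts the session cookie alone: the classic CSRF-prone endpoint."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if req.method != "POST" or user is None:
        return 403
    VOTES.setdefault(post_id, set()).add(user)
    return 200


def vote_hardened(req: Request, post_id: str) -> int:
    """Same endpoint with two checks a page on another origin cannot satisfy."""
    session = req.cookies.get("session", "")
    user = SESSIONS.get(session)
    if req.method != "POST" or user is None:
        return 403
    # 1. Synchroniser token: script on another origin cannot read it off our page.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(session)):
        return 403
    # 2. Custom request header: an auto-submitted <form>, <img> or link cannot set one.
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403
    VOTES.setdefault(post_id, set()).add(user)
    return 200


def forged_request(victim_cookie: str) -> Request:
    """What the server sees when injected markup on another site auto-submits:
    the browser attaches the victim's cookie, but the attacker neither knows
    the token nor can add custom headers to a form submission."""
    return Request(method="POST", cookies={"session": victim_cookie})


def legitimate_request(session_cookie: str) -> Request:
    """The site's own JavaScript: reads the token from its own page, sends XHR."""
    return Request(
        method="POST",
        cookies={"session": session_cookie},
        form={"csrf_token": csrf_token(session_cookie)},
        headers={"X-Requested-With": "XMLHttpRequest"},
    )


def run_demo() -> dict:
    """Replay the three cases and report status codes and resulting vote tallies."""
    VOTES.clear()
    cookie = "sess-alice-0001"  # constructed victim session
    return {
        "forged_vs_vulnerable": vote_vulnerable(forged_request(cookie), "post-1"),
        "forged_vs_hardened": vote_hardened(forged_request(cookie), "post-2"),
        "legit_vs_hardened": vote_hardened(legitimate_request(cookie), "post-3"),
        "voters_post1": sorted(VOTES.get("post-1", ())),
        "voters_post2": sorted(VOTES.get("post-2", ())),
        "voters_post3": sorted(VOTES.get("post-3", ())),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The forged request succeeds against the cookie-only handler and is refused by the hardened one, while the site's own XHR still works. One caveat worth keeping in mind when reading the post: the injection point was a persistent XSS on 27dinner.com, a different origin from muti, so an origin-bound token like this would have held. Had the XSS been on the voting site itself, same-origin script could simply read the token and set the header, and neither check would help; at that point it is an XSS problem, not a CSRF one.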

  3. Stii says:

    Goes to show people vote before they read, I guess. Is this a little social experiment?

  4. Dominic White says:

    @stii Heh, no, it was a security experiment. All of the votes were done without the voting user's knowledge. I was demonstrating cross site request forgery attacks for the dinner.

  5. Stii says:

    Bloody hell, that sounds like an interesting talk. We need you to come do some of these over here in Cape Town. Please man.

  6. Haroun Kola says:

    Thanks for a great talk yesterday Dominic, it was great to meet you.
    Have a great day, chat soon :)
