27 Dinner Tonight

Dominic White

 

27 Dinner Tonight

Tonight's 27 dinner was great. I haven't been in a while, but there was a good crowd and I had some really interesting conversation. My presentation went well it seems. I've attached a copy here if anyone is interested.

The talk was focused on cross-site request forgery attacks. As it was mostly a non-security crowd I tried to make it accessible. I demo'ed a CSRF against Vodacom4ME's online SMS functionality (which I rely on for vodasms). I also demo'ed a CSRF against muti, with code injected via a persistent cross site scripting (XSS) flaw in 27dinner.com. In effect, anyone logged into muti who viewed the Jozi 27dinner guest list also voted up this post on muti. I finished it off with a demo of BeEF proxy. For tips of defending against it in your app check out this entry.

I've removed all the demo code, as I can just image someone dubious sticking muti CSRF's all over the place to falsely inflate their posts ranking.

Anyway, thanks for the good conversations, and great feedback, in particular:

Also, thanks to the IRC geeks who helped with some of the ideas and finer points at funny hours in the morning last night:

Sunday, November 23. 2008
Posted by Dominic White in Security
Comments (6) | Trackbacks (0)

 

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 mh wrote (Link) (Reply)
Posted on Monday, November 24. 2008
u have to give us more warning before springing stuff like this.. The hippie and i woulda loved to pop by and hurl rancid fruit..
 
#2 Dominic White wrote (Link) (Reply)
Posted on Monday, November 24. 2008
I was only asked yesterday, and only started last night. Could do with some help from you guys around a twitter CSRF though. May be a project for a rainier day. I'm so close, have gotten around the anti-CSRF token, but have come across their stupid 'Accept' header control (if the client-side 'Accept' header doesn't look like it came from an XHR, they disallow the request). As an aside, isn't it interesting that such a bare bones entry is doing so well on muti :) http://www.muti.co.za/hot
 
#3 Stii wrote (Link) (Reply)
Posted on Monday, November 24. 2008
Goes to show people vote before they read, I guess. Is this a little social experiment?
 
#4 Dominic White wrote (Link) (Reply)
Posted on Monday, November 24. 2008
@stii Heh, no, it was a security experiment. All of the votes were done without the voting user's knowledge. I was demonstrating cross site request forgery attacks for the dinner.
 
#5 Stii wrote (Link) (Reply)
Posted on Monday, November 24. 2008
Bloody hell, that sounds like an interesting talk. We need you to come do some of these over here in Cape Town. Please man.
 
#6 Haroun Kola wrote (Link) (Reply)
Posted on Monday, November 24. 2008
Thanks for a great talk yesterday Dominique, it was great to meet you. Have a great day, chat soon :)
 

Add Comment