Presentation Demos for the IT Security Symposium
JavaScript HTML C# CSS
Latest commit 7030bf2 Jun 17, 2015 @srkirkland just add in the pub


Demo stuff for the 2011 UCDavis IT Security Symposium.

* Demo the banking application
* Now to the evil side
* First we can do a get request that changes money.  This is bad, only idempotent operations should be GET.
* Change to post, now it will not work.
* Now evil bank does post example, which works.  This is of course because there is no authorization being preformed.
* Showing the above is optional really, not a CSRF attack
* Now, lock down to authorize
* For CSRF #1, get user to visit http://localhost:5416/Csrf/GetForgeryPage.  This is the GET attack example.
* For CSRF #2, get user to visit http://localhost:5416/Csrf/PostForgeryPage.  This is the POST attack.
* Solve the post attack by adding an antiforgerytoken.