Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Presentation Demos for the IT Security Symposium
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
BadGuy
Filler
ITSecuritySymposium
packages
.gitignore
Data Validation in Web Applications.pdf
ITSecuritySymposium.sln
Principles of Secure Web Application Development.pdf
README

README

Demo stuff for the 2011 UCDavis IT Security Symposium.

http://itsecuritysymposium.ucdavis.edu/

--
CSRF:
 
* Demo the banking application
* Now to the evil side
* First we can do a get request that changes money.  This is bad, only idempotent operations should be GET.
* Change to post, now it will not work.
* Now evil bank does post example, which works.  This is of course because there is no authorization being preformed.
* Showing the above is optional really, not a CSRF attack
* Now, lock down to authorize
* For CSRF #1, get user to visit http://localhost:5416/Csrf/GetForgeryPage.  This is the GET attack example.
* For CSRF #2, get user to visit http://localhost:5416/Csrf/PostForgeryPage.  This is the POST attack.
* Solve the post attack by adding an antiforgerytoken.
Something went wrong with that request. Please try again.