Cross-site Request Forgery (CSRF)
Objectives: This workshop covered understanding and exploiting Cross-site Request Forgery (CSRF) vulnerabilities, which let an attacker make a victim's browser perform unauthorised actions on the victim's behalf. The session included demonstrations of CSRF attacks, the mechanics that make them work, and practical ways to defend against them. Attendees were encouraged to reinforce the material with hands-on practice.
The Key Takeaways and Final Points:
- CSRF Basics: Explained how an attacker abuses the browser's habit of attaching the victim's session cookie to any request sent to the target site, so that a malicious link or HTML file can trigger state-changing requests the victim never intended. Demonstrated on a vulnerable page by changing a logged-in user's password without their knowledge.
- Defensive Measures: Emphasised an unpredictable token, bound to the session (or to the individual request), that must accompany every state-changing request; requiring further user interaction before sensitive actions (e.g., re-entering the current password or a second factor); and checking the HTTP Referer (or Origin) header. Noted the caveat that a Referer check on its own is weak: the header may be absent, so the check must fail closed and should only supplement a token.
- Practical Application: Encouraged hands-on practice with CSRF labs (e.g., PortSwigger's Web Security Academy) and replicating the demonstrated password-change attack to deepen understanding.