CSRF. Danger. Detection. Defenses (presentation)


Cross-Site Request Forgery: Danger, Detection, and Defenses
Eric Sheridan, Aspect Security



Slides and text of this presentation

Slide 1
Cross-Site Request Forgery: Danger, Detection, and Defenses
Eric Sheridan, Aspect Security, Inc. [email protected]


Slide 2
Overview
- Discussion of the "Same Origin Policy"
- Overview of the "Sleeping Giant"
- The introduction of 2 new OWASP tools
- A series of new WebGoat labs
- Enterprise CSRF mitigation strategy

Slide 3
The Browser "Same Origin" Policy

Slide 4
Cross-Site Request Forgery

Slide 5
How Does CSRF Work?
- Tags
  <img src="https://bank.com/fn?param=1">
  <iframe src="https://bank.com/fn?param=1">
  <script src="https://bank.com/fn?param=1">
- Autoposting forms
  <body onload="document.forms[0].submit()">
  <form method="POST" action="https://bank.com/fn">
  <input type="hidden" name="sp" value="8109"/>
  </form>
- XmlHttpRequest
  Subject to the same origin policy

Slide 6
Credentials Included

Slide 7
New Tool: OWASP CSRFTester
- Test your applications for CSRF
- Record and replay transactions
- Tune the recorded test case
- Run the test case with an exported HTML document
- Test case alternatives: auto-posting forms, evil iFrame, IMG tag, XMLHTTPRequest, link

Slide 8
DEMO: OWASP CSRFTester

Slide 9
What Can Attackers Do with CSRF?
- Anything an authenticated user can do
  - Click links
  - Fill out and submit forms
  - Follow all the steps of a wizard interface
- No restriction from the same origin policy, except…
  - Attackers cannot read responses from other origins
  - Limited in what can be done with data
- Severe impact on accountability
  - Log entries reflect the actions a victim was tricked into executing

Slide 10
Using CSRF to Attack Internal Pages

Slide 11
Misconceptions – Defenses That Don't Work
- Only accept POST
  - Stops simple link-based attacks (IMG, frames, etc.)
  - But hidden POST requests can be created with frames, scripts, etc.
- Referer checking
  - Some users suppress referers, so you can't just require referer headers
  - Techniques to selectively create HTTP requests without referers exist
- Requiring multi-step transactions
  - A CSRF attack can perform each step in order
- URL rewriting
  - General session id exposure in logs, cache, etc.
None of these approaches will sufficiently protect against CSRF!

Slide 12
New Tool: OWASP CSRFGuard 2.0
- Adds a token to:
  - href attribute
  - src attribute
  - hidden field in all forms
- Actions on a failed check:
  - Log
  - Invalidate
  - Redirect
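As an added example (not CSRFGuard's own code, which is a Java-based library), here is a small Python sketch of the three mechanisms the slide lists: one unpredictable token per session, injection of that token into same-site href/src attributes and into a hidden field in every form, and the log / invalidate / redirect actions taken when a request arrives without a valid token. The session and request dicts, the parameter name OWASP_CSRFTOKEN and all function names are assumptions made for this illustration.

```python
# Added example (not OWASP CSRFGuard's own code): a minimal per-session
# CSRF token guard modelled on what the slide lists. The session dict,
# request dict shape, parameter name and function names are assumptions.
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

TOKEN_NAME = "OWASP_CSRFTOKEN"  # hypothetical parameter name


def issue_token(session: dict) -> str:
    """Create one unpredictable token per session and reuse it for that session."""
    if TOKEN_NAME not in session:
        session[TOKEN_NAME] = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    return session[TOKEN_NAME]


def is_same_site(url: str, app_host: str) -> bool:
    """Only same-site URLs get the token; adding it to a third-party URL would disclose it."""
    host = urlparse(url).netloc
    return host == "" or host == app_host


def add_token_to_url(url: str, token: str) -> str:
    """Append the token to a URL's query string (used for href and src attributes)."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((TOKEN_NAME, token))
    return urlunparse(parts._replace(query=urlencode(query)))


def hidden_field(token: str) -> str:
    """The hidden input CSRFGuard-style guards add to every form."""
    return f'<input type="hidden" name="{TOKEN_NAME}" value="{token}"/>'


def inject_token(html: str, token: str, app_host: str) -> str:
    """Rewrite same-site href/src attributes and add a hidden field to every form."""

    def rewrite(m: re.Match) -> str:
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        if not is_same_site(url, app_host):
            return m.group(0)  # leave third-party URLs untouched
        return f"{attr}={quote}{add_token_to_url(url, token)}{quote}"

    html = re.sub(r'\b(href|src)=(["\'])([^"\']*)\2', rewrite, html)
    return re.sub(r"</form>", lambda m: hidden_field(token) + m.group(0),
                  html, flags=re.IGNORECASE)


def verify(session: dict, request: dict, on_failure: str = "invalidate",
           landing: str = "/") -> dict:
    """Check the token on every guarded request (GET included; POST-only is no defense)."""
    expected = session.get(TOKEN_NAME, "")
    supplied = request.get("params", {}).get(TOKEN_NAME, "")
    # constant-time comparison so an attacker learns nothing from response timing
    if expected and hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"ok": True, "action": "allow"}
    result = {"ok": False, "action": on_failure,
              "detail": f"CSRF token missing or invalid for {request.get('path', '?')}"}
    if on_failure == "invalidate":
        session.clear()  # drop the authenticated session entirely
    elif on_failure == "redirect":
        result["location"] = landing
    return result
```

The same-site check matters for the reason slide 11 gives under "URL rewriting": a secret carried in a query string is exposed through logs, caches and Referer headers, so it must never be appended to links that point off-site.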

Slide 13
DEMO: OWASP CSRFGuard 2.0

Slide 14
Similar Implementations
- PHP CSRFGuard: PHP implementation of CSRFGuard
  http://www.owasp.org/index.php/PHP_CSRF_Guard
- JSCK: PHP & JavaScript implementation
  http://www.thespanner.co.uk/2007/10/19/jsck/

Slide 15
DEMO: Cross-Site Scripting vs. CSRFGuard

Slide 16
Enterprise CSRF Mitigation Strategy
Balance between security, usability, and cost

Slide 17

Slide 18
Extra: How Widespread Are CSRF Holes?
- Very likely in most web applications
  - Including both intranet and external apps
  - Including Web 1.0 and Web 2.0 applications
  - Any function without specific CSRF defenses is vulnerable
- How do victims get attacked?
  - The victim simply opens an infected web page, HTML file, or email
  - Single Sign On (SSO) extends "authenticated user"
- CSRF recently found in 8 security appliances
  - Including CheckPoint

Slide 19
Extra: Real World CSRF Examples
<iframe style="display:none" src="http://www.google.com/setprefs?hl=xx-klingon&amp;submit2=Save%20Preferences%20&amp;prev=http://www.google.com/&q=&submit= Save%20Preferences%20"></iframe>

Slide 20
Extra: CSRF Defenses
- CAPTCHA
  - Attacker must know the CAPTCHA answer
  - Assuming a secure implementation
- Re-Authentication
  - Password based: attacker must know the victim's password
    - If the password is known, then it is game over already!
  - One-time token: attacker must know the current token
    - Very strong defense!
- Unique Request Tokens
  - Attacker must know the unique request token for a particular victim for a particular session
  - Assumes the token is cryptographically secure and not disclosed
  - /accounts?auth=687965fdfaew87agrde …
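The "One-Time Token" bullet differs from the per-session unique request token in one way that is easy to get wrong: each token must be accepted exactly once, so a captured or replayed token is worthless. The following is an added example, not from the deck, of a small one-time token store with expiry and session binding. The in-memory dict, the caller-supplied clock, the default lifetime and the class and method names are assumptions made for this illustration.

```python
# Added example (not from the slides): a one-time CSRF token store.
# Assumed: in-memory storage, a caller-supplied clock for expiry, and
# hypothetical class/method names.
import hmac
import secrets
import time


class OneTimeTokenStore:
    """Issues unpredictable tokens that are bound to a session, expire, and work once."""

    def __init__(self, ttl_seconds: int = 600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._tokens: dict[str, tuple[str, float]] = {}  # token -> (session_id, expires_at)

    def issue(self, session_id: str) -> str:
        """Mint a fresh 192-bit token for this session; embed it in the form or link."""
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (session_id, self._clock() + self._ttl)
        return token

    def redeem(self, session_id: str, token: str) -> bool:
        """Accept the token at most once. Any attempt, valid or not, consumes it."""
        entry = self._tokens.pop(token, None)  # removal is what makes it one-time
        if entry is None:
            return False  # unknown, already used, or purged
        owner, expires_at = entry
        if self._clock() > expires_at:
            return False  # stale token, even if never used
        # constant-time comparison of the session binding
        return hmac.compare_digest(owner.encode(), session_id.encode())

    def purge_expired(self) -> int:
        """Housekeeping so unused tokens do not accumulate; returns how many were dropped."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._tokens.items() if now > exp]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def pending(self) -> int:
        """Number of tokens issued but not yet redeemed or purged."""
        return len(self._tokens)
```

Binding the token to the issuing session is what turns "attacker must know the current token" into "attacker must know the current token of this victim"; without it, a token an attacker obtained from their own session could be spent against someone else's.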


