Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSRF: Not All Defenses Are Created Equal

Published by估 於 Modified over 7 years ago

Similar presentations

Presentation on theme: "CSRF: Not All Defenses Are Created Equal"— Presentation transcript:

1 CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach Defensium llc November 2013 1

2 Is your application one of the 80%
This Talk is a Review of Current Defensive Options Or the long tail? Is your application one of the 80% 2

3 This Talk Will Cover CSRF Defenses and Their Side Effects
What is CSRF General (high level) fixes Code level defenses Server level defenses 3

4 CSRF occurs when an attacker tricks a user's browser into performing an action on a website
4

5 <form action=submitpage> <input name= amount type=text>
Normally, Browser's Form Submissions are Straightforward and Predictable <form action=submitpage> <input name= amount type=text> <input name=dest type=text> <input type=submit value=Transfer> </form> 5

6 GET /submitpage?amount=100.00&dest=12345 Server: server.com
Normally, Browser's Form Submissions are Straightforward and Predictable If action was a POST POST /submitpage Server: server.com amount=100.00&dest=12345 If action was a GET GET /submitpage?amount=100.00&dest=12345 Server: server.com 6

7 If you can predict all the parameters for an action, you can fake it
To Fake a GET <img src=”...”> 7

8 If you can predict all the parameters for an action, you can fake it
To Fake a POST <form name=”evil” action=” action=POST> <input type=”hidden” name=”amount” value=”100.00”> <input type=”hidden” name=”dest” value=”12345”> </form> <script>document.evil.submit()</script> 8

9 1. User navigates to website which attacker has some control over
Anatomy of an Attack 1. User navigates to website which attacker has some control over 2. User's browser tries to load content from site 3. Content performs action at a legitimate site 9

10 Anatomy of an Attack <html> Malicious code Legitimate site
Session cookie 10

11 In 2008, A CSRF flaw Was Used to Attack Cable Modems
Found a CSRF flaw in ADSL modems used by a Brazilian ISP Used it to Change DNS settings Sent users to malicious websites that looked like 11

12 High Level Defenses (Design Patterns)
12

13 There are Four Design Patterns Which are Used
Synchronizer Token Pattern Double Submit Cookies Challenge Response Check Referrer Header 13

14 Primary Defense is the Synchronizer Token Pattern
The most common defense Make at least one parameter unpredictable Upon submission, check to ensure the submitted value matches the generated value <input type="hidden" name="From " /> <input type="hidden" name="Subject" value="Do something wild" /> <input type="hidden" name="GUID" value="0f41d8e54aa80b3193c28ed920" /> 14

15 Primary Defense is the Synchronizer Token Pattern
The most common defense Things to look out for - How are tokens remembered? - Completeness of coverage 15

16 Second Defensive Option is Double Submit Cookies
This option used less often, but useful for things like REST Generate a random value, store it in two places: 1 – a cookie 2 – a hidden form field Upon submission, check to see if they match abc123 <input>=abc123 abc123 abc123 <input> 16

17 Second Defensive Option is Double Submit Cookies
This option used less often, but useful for things like REST Things to look out for: - Do not use the Session ID for this purpose! abc123 <input>=abc123 abc123 abc123 <input> 17

18 A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 18

19 A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 19

20 A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 20

21 A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 21

22 A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense Things to look out for: - User impact 22

23 A Fourth Option is to Check the Referrer Header
I Have Never Seen This Implemented GET /services/transfer.jsp HTTP/1.1 Host: mybank.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/ Firefox/16.0 Accept: */* Accept-Language: en-US,en;q=0.5 Referer: Cookie: JSESSIONID=007f a514c ; 23

24 A Fourth Option is to Check the Referrer Header
I Have Never Seen This Implemented Things to look out for: - Potential impact on other things which may modify the referer header 24

25 Code Fixes Server Fixes
Actually Implementing These Patterns is Where it Gets Fun and Complicated Code Fixes Server Fixes 25

26 ViewState User Keys (.net) AntiForgeryToken (.net MVC) AntiCSRF (.net)
We Will Show Five Common Software Libraries That Can Be Used To Do CSRF Defense ViewState User Keys (.net) AntiForgeryToken (.net MVC) AntiCSRF (.net) CSRFGuard (Java, PHP port is in progress) HDIV (Java) 26

27 .net can add CSRF protections to the ViewState
Viewstate is meant to maintain a form's state on postbacks Page.aspx Page.aspx 27

28 .net can add CSRF protections to the ViewState
Adding the session ID to the view state makes it unpredictable sessionID 28

29 .net can add CSRF protections to the ViewState
Add to OnInit for all pages or once to base class protected override OnInit(EventArgs e) { base.OnInit(e); if (User.Identity.IsAuthenticated) ViewStateUserKey = Session.SessionID; } 29

30 .net can add CSRF protections to the ViewState
Viewstate User Keys was designed to protect against 1 click attacks, which are a subset of CSRF attacks Only protects postbacks - Won't protect posts to other pages Other.aspx Page.aspx Other.aspx 30

31 .net MVC Applications Can Use AntiForgeryToken
What about .net MVC? AntiForgeryToken - Part of the HtmlHelper class 31

32 .net MVC Applications Can Use AntiForgeryToken
<% using(Html.Form("UserProfile", "SubmitUpdate")) { %> <%= Html.AntiForgeryToken() %> <!-- rest of form goes here --> <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZ" /> 32

33 .net MVC Applications Can Use AntiForgeryToken
Validate the token in the controller [ValidateAntiForgeryToken] public ActionResult FunctionToProtect() { // this is now run only if the token is valid } 33

34 .net MVC Applications Can Use AntiForgeryToken
By Default, will only work for POST Not a problem if GET is idempotent Can be hacked to work, google for details Request.Params versus Request.Form – param does GET r POST, form does only POST 34

35 .net MVC Applications Can Use AntiForgeryToken
Obvious problem: the forgetful programmer - must add to every controller and function that needs to be protected 35

36 Anticsrf for .net implements the double submit cookies pattern
- Has no other requirements (like viewstate enabled, MVC, etc.) - Open source - Developed in C# Available from 36

37 Anticsrf for .net implements the double submit cookies pattern
Generates string using Guid.NewGuid() Cookie: __CSRFCOOKIE=a22b81af-74f0-45ee-b2fd-1ead5f31f1c2; in POST __CSRFTOKEN=a22b81af-74f0-45ee-b2fd-1ead5f31f1c2 abc123 <input>=abc123 abc123 abc123 <input> 37

38 Anticsrf for .net implements the double submit cookies pattern
Can be used in a .net web app New Token for each session Only protects POST (not a problem if GET is idempotent) - Won't work for Rest (unless you hack it) abc123 <input>=abc123 abc123 abc123 <input> 38

39 CSRFGuard Implements the Synchronizer Token Pattern and Makes a New Token For Each Session
Made By OWASP (open source, BSD license) Java currently, PHP and .net port in progress Keeps one token per session, stored in the session - exposure of token compromises entire session 39

40 Modifies existing GET and POST requests
CSRFGuard Implements the Synchronizer Token Pattern and Makes a New Token For Each Session Modifies existing GET and POST requests Keeps one token per session, stored in the session - exposure of token compromises entire session link=nonce1 action=nonce1 40

41 Each link or action would get a unique token value Stored in session
CSRFGuard Can Also be Configured to Generate a New Token For Each Page Each link or action would get a unique token value Stored in session Feature is still experimental link=page?nonce1 action=page2?nonce2 41

42 Sets the token value in an HTTP header
CSRFGuard Can Also be Configured to Generate a New Token For Each Page Also supports AJAX Sets the token value in an HTTP header 42

43 HDIV Uses Tokens With a Queue Based Expiry
HDIV is a Java library that provides several security functions, including CSRF defense using the Synchronizer Token Pattern. The queue includes all generated tokens (could be dozens per page). link=page?nonce1 action=page2?nonce2 43

44 These Five Libraries All Have Different Approaches To CSRF Defense
Synchronizer Token Pattern - only postbacks - needs lots of code changes Double Submit Cookies - only protects POST ViewState User Keys (.net) AntiForgeryToken (.net MVC) AntiCSRF (.net) 44

45 These Five Libraries All Have Different Approaches To CSRF Defense
Synchronizer Token Pattern - can be done per session or page - per link/action - queue based expiry CSRFGuard (Java) HDIV 45

46 We Can Also Implement CSRF Protection on the Server
Changing code on existing applications is hard What if we asked the server to do CSRF protection 46

47 Tomcat 7 Includes a CSRF Prevention Filter
Generates a new UUID for each page loaded - default generator is java.security.SecureRandom) Protects GET and POST - modifies links and form actions Stores the last n UUIDs in the session - default for n is 5 link=nonce1 47

48 User opens a second tab (same session, same cookies, etc.)
Tomcat's CSRF Prevention Filter Can Cause Usability Issues for User's With Multiple Browser Tabs Open User opens a second tab (same session, same cookies, etc.) Makes n mouse clicks (default n is 5) Original tab is now broken nonce2 nonce3 nonce4 nonce5 nonce6 nonce1 48

49 <form action=”foo”>
F5's ASM Can Insert a Token in All Links and Forms to Implement the Synchronizer Token Pattern <a href=”bar”> <form action=”foo”> <a href=”bar?csrt=12345”> <form action=”foo”> <input type=”hidden” value=”12345”> 49

50 Will protect all GET and POST requests
F5's ASM Can Insert a Token in All Links and Forms to Implement the Synchronizer Token Pattern Will protect all GET and POST requests Token are generated per session, and have an expiry time (configurable from seconds). Default is 600 seconds Obvious problem of timeouts 50

51 Imperva SecureSphere Can Detect CSRF Attacks by Checking the Referrer Header
SecureSphere (Imperva's WAF) can alert and block when the referrer header of a request is from an external site GET /services/transfer.jsp HTTP/1.1 Host: mybank.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/ Firefox/16.0 Accept-Language: en-US,en;q=0.5 Referer: Cookie: JSESSIONID=007f a514c ; 51

52 The referrer header is not respected in all situations
Imperva SecureSphere Can Detect CSRF Attacks by Checking the Referrer Header The referrer header is not respected in all situations Bookmarks, links from external sites, and plugins that stop or tamper with the referrer header can all cause false positives 52

53 All Three Of The Servers We Looked At Do CSRF Defense Differently
Synchronizer Token Pattern - Queue based expiry - Time based expiry Check Referrer Header - Is intended for detection, not prevention 53

54 CSRF Token Names Can Reveal What Library You Are Using
54

55 CSRF Token Names Can Reveal What Library You Are Using
55

56 CSRF Token Names Can Reveal What Library You Are Using
CSRFGuard 126,000 results Tomcat 513 results 56

57 Some require you to edit source code to do it...
CSRF Token Names Can Reveal What Library You Are Using Almost all of the solutions we've mentioned that use tokens allow you to customize the name of the token Some require you to edit source code to do it... 57

58 A single XSS flaw makes all of these CSRF defenses useless
There are numerous ways for a script to access the CSRF token value document.cookie document.getElementByID('csrftoken') document.forms[0].elements[0] 58

59 Protecting GET Requests Comes At A Cost
CSRF tokens can be leaked through the referer header, and can be reused if they're still valid GET /page HTTP/1.1 Host: othersite.com Referer: 59

60 We Have Seen Seven Widely Used Implementations of CSRF Defense
Know your defenses – which solution you select will depend on your application How many of these solutions were perfect? Security is rarely 'plug n play' 60

61 We Have Seen Seven Widely Used Implementations of CSRF Defense
Know your defenses – which solution you select will depend on your application Environment and language used Whether this is a new app or a retrofit of an old one Idempotence Potential user impact of some solutions 61

62 CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach @angelofsecurity Defensium llc 62

Download ppt "CSRF: Not All Defenses Are Created Equal"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
MWD1001 Website Production Using JavaScript with Forms.

MWD1001 Website Production Using JavaScript with Forms.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Tutorial 6 Creating a Web Form

Tutorial 6 Creating a Web Form
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
1 Creating Web Forms in HTML Web forms collect information from customers Web forms include different control elements including: –Input boxes –Selection.

1 Creating Web Forms in HTML Web forms collect information from customers Web forms include different control elements including: –Input boxes –Selection.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google