Download presentation
Presentation is loading. Please wait.
1
CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach Defensium llc November 2013 1
2
Is your application one of the 80%
This Talk is a Review of Current Defensive Options Or the long tail? Is your application one of the 80% 2
3
This Talk Will Cover CSRF Defenses and Their Side Effects
What is CSRF General (high level) fixes Code level defenses Server level defenses 3
4
CSRF occurs when an attacker tricks a user's browser into performing an action on a website
4
5
<form action=submitpage> <input name= amount type=text>
Normally, Browser's Form Submissions are Straightforward and Predictable <form action=submitpage> <input name= amount type=text> <input name=dest type=text> <input type=submit value=Transfer> </form> 5
6
GET /submitpage?amount=100.00&dest=12345 Server: server.com
Normally, Browser's Form Submissions are Straightforward and Predictable If action was a POST POST /submitpage Server: server.com amount=100.00&dest=12345 If action was a GET GET /submitpage?amount=100.00&dest=12345 Server: server.com 6
7
If you can predict all the parameters for an action, you can fake it
To Fake a GET <img src=”...”> 7
8
If you can predict all the parameters for an action, you can fake it
To Fake a POST <form name=”evil” action=” action=POST> <input type=”hidden” name=”amount” value=”100.00”> <input type=”hidden” name=”dest” value=”12345”> </form> <script>document.evil.submit()</script> 8
9
1. User navigates to website which attacker has some control over
Anatomy of an Attack 1. User navigates to website which attacker has some control over 2. User's browser tries to load content from site 3. Content performs action at a legitimate site 9
10
Anatomy of an Attack <html> Malicious code Legitimate site
Session cookie 10
11
In 2008, A CSRF flaw Was Used to Attack Cable Modems
Found a CSRF flaw in ADSL modems used by a Brazilian ISP Used it to Change DNS settings Sent users to malicious websites that looked like 11
12
High Level Defenses (Design Patterns)
12
13
There are Four Design Patterns Which are Used
Synchronizer Token Pattern Double Submit Cookies Challenge Response Check Referrer Header 13
14
Primary Defense is the Synchronizer Token Pattern
The most common defense Make at least one parameter unpredictable Upon submission, check to ensure the submitted value matches the generated value <input type="hidden" name="From " /> <input type="hidden" name="Subject" value="Do something wild" /> <input type="hidden" name="GUID" value="0f41d8e54aa80b3193c28ed920" /> 14
15
Primary Defense is the Synchronizer Token Pattern
The most common defense Things to look out for - How are tokens remembered? - Completeness of coverage 15
16
Second Defensive Option is Double Submit Cookies
This option used less often, but useful for things like REST Generate a random value, store it in two places: 1 – a cookie 2 – a hidden form field Upon submission, check to see if they match abc123 <input>=abc123 abc123 abc123 <input> 16
17
Second Defensive Option is Double Submit Cookies
This option used less often, but useful for things like REST Things to look out for: - Do not use the Session ID for this purpose! abc123 <input>=abc123 abc123 abc123 <input> 17
18
A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 18
19
A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 19
20
A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 20
21
A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense 21
22
A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense Things to look out for: - User impact 22
23
A Fourth Option is to Check the Referrer Header
I Have Never Seen This Implemented GET /services/transfer.jsp HTTP/1.1 Host: mybank.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/ Firefox/16.0 Accept: */* Accept-Language: en-US,en;q=0.5 Referer: Cookie: JSESSIONID=007f a514c ; 23
24
A Fourth Option is to Check the Referrer Header
I Have Never Seen This Implemented Things to look out for: - Potential impact on other things which may modify the referer header 24
25
Code Fixes Server Fixes
Actually Implementing These Patterns is Where it Gets Fun and Complicated Code Fixes Server Fixes 25
26
ViewState User Keys (.net) AntiForgeryToken (.net MVC) AntiCSRF (.net)
We Will Show Five Common Software Libraries That Can Be Used To Do CSRF Defense ViewState User Keys (.net) AntiForgeryToken (.net MVC) AntiCSRF (.net) CSRFGuard (Java, PHP port is in progress) HDIV (Java) 26
27
.net can add CSRF protections to the ViewState
Viewstate is meant to maintain a form's state on postbacks Page.aspx Page.aspx 27
28
.net can add CSRF protections to the ViewState
Adding the session ID to the view state makes it unpredictable sessionID 28
29
.net can add CSRF protections to the ViewState
Add to OnInit for all pages or once to base class protected override OnInit(EventArgs e) { base.OnInit(e); if (User.Identity.IsAuthenticated) ViewStateUserKey = Session.SessionID; } 29
30
.net can add CSRF protections to the ViewState
Viewstate User Keys was designed to protect against 1 click attacks, which are a subset of CSRF attacks Only protects postbacks - Won't protect posts to other pages Other.aspx Page.aspx Other.aspx 30
31
.net MVC Applications Can Use AntiForgeryToken
What about .net MVC? AntiForgeryToken - Part of the HtmlHelper class 31
32
.net MVC Applications Can Use AntiForgeryToken
<% using(Html.Form("UserProfile", "SubmitUpdate")) { %> <%= Html.AntiForgeryToken() %> <!-- rest of form goes here --> <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZ" /> 32
33
.net MVC Applications Can Use AntiForgeryToken
Validate the token in the controller [ValidateAntiForgeryToken] public ActionResult FunctionToProtect() { // this is now run only if the token is valid } 33
34
.net MVC Applications Can Use AntiForgeryToken
By Default, will only work for POST Not a problem if GET is idempotent Can be hacked to work, google for details Request.Params versus Request.Form – param does GET r POST, form does only POST 34
35
.net MVC Applications Can Use AntiForgeryToken
Obvious problem: the forgetful programmer - must add to every controller and function that needs to be protected 35
36
Anticsrf for .net implements the double submit cookies pattern
- Has no other requirements (like viewstate enabled, MVC, etc.) - Open source - Developed in C# Available from 36
37
Anticsrf for .net implements the double submit cookies pattern
Generates string using Guid.NewGuid() Cookie: __CSRFCOOKIE=a22b81af-74f0-45ee-b2fd-1ead5f31f1c2; in POST __CSRFTOKEN=a22b81af-74f0-45ee-b2fd-1ead5f31f1c2 abc123 <input>=abc123 abc123 abc123 <input> 37
38
Anticsrf for .net implements the double submit cookies pattern
Can be used in a .net web app New Token for each session Only protects POST (not a problem if GET is idempotent) - Won't work for Rest (unless you hack it) abc123 <input>=abc123 abc123 abc123 <input> 38
39
CSRFGuard Implements the Synchronizer Token Pattern and Makes a New Token For Each Session
Made By OWASP (open source, BSD license) Java currently, PHP and .net port in progress Keeps one token per session, stored in the session - exposure of token compromises entire session 39
40
Modifies existing GET and POST requests
CSRFGuard Implements the Synchronizer Token Pattern and Makes a New Token For Each Session Modifies existing GET and POST requests Keeps one token per session, stored in the session - exposure of token compromises entire session link=nonce1 action=nonce1 40
41
Each link or action would get a unique token value Stored in session
CSRFGuard Can Also be Configured to Generate a New Token For Each Page Each link or action would get a unique token value Stored in session Feature is still experimental link=page?nonce1 action=page2?nonce2 41
42
Sets the token value in an HTTP header
CSRFGuard Can Also be Configured to Generate a New Token For Each Page Also supports AJAX Sets the token value in an HTTP header 42
43
HDIV Uses Tokens With a Queue Based Expiry
HDIV is a Java library that provides several security functions, including CSRF defense using the Synchronizer Token Pattern. The queue includes all generated tokens (could be dozens per page). link=page?nonce1 action=page2?nonce2 43
44
These Five Libraries All Have Different Approaches To CSRF Defense
Synchronizer Token Pattern - only postbacks - needs lots of code changes Double Submit Cookies - only protects POST ViewState User Keys (.net) AntiForgeryToken (.net MVC) AntiCSRF (.net) 44
45
These Five Libraries All Have Different Approaches To CSRF Defense
Synchronizer Token Pattern - can be done per session or page - per link/action - queue based expiry CSRFGuard (Java) HDIV 45
46
We Can Also Implement CSRF Protection on the Server
Changing code on existing applications is hard What if we asked the server to do CSRF protection 46
47
Tomcat 7 Includes a CSRF Prevention Filter
Generates a new UUID for each page loaded - default generator is java.security.SecureRandom) Protects GET and POST - modifies links and form actions Stores the last n UUIDs in the session - default for n is 5 link=nonce1 47
48
User opens a second tab (same session, same cookies, etc.)
Tomcat's CSRF Prevention Filter Can Cause Usability Issues for User's With Multiple Browser Tabs Open User opens a second tab (same session, same cookies, etc.) Makes n mouse clicks (default n is 5) Original tab is now broken nonce2 nonce3 nonce4 nonce5 nonce6 nonce1 48
49
<form action=”foo”>
F5's ASM Can Insert a Token in All Links and Forms to Implement the Synchronizer Token Pattern <a href=”bar”> <form action=”foo”> <a href=”bar?csrt=12345”> <form action=”foo”> <input type=”hidden” value=”12345”> 49
50
Will protect all GET and POST requests
F5's ASM Can Insert a Token in All Links and Forms to Implement the Synchronizer Token Pattern Will protect all GET and POST requests Token are generated per session, and have an expiry time (configurable from seconds). Default is 600 seconds Obvious problem of timeouts 50
51
Imperva SecureSphere Can Detect CSRF Attacks by Checking the Referrer Header
SecureSphere (Imperva's WAF) can alert and block when the referrer header of a request is from an external site GET /services/transfer.jsp HTTP/1.1 Host: mybank.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/ Firefox/16.0 Accept-Language: en-US,en;q=0.5 Referer: Cookie: JSESSIONID=007f a514c ; 51
52
The referrer header is not respected in all situations
Imperva SecureSphere Can Detect CSRF Attacks by Checking the Referrer Header The referrer header is not respected in all situations Bookmarks, links from external sites, and plugins that stop or tamper with the referrer header can all cause false positives 52
53
All Three Of The Servers We Looked At Do CSRF Defense Differently
Synchronizer Token Pattern - Queue based expiry - Time based expiry Check Referrer Header - Is intended for detection, not prevention 53
54
CSRF Token Names Can Reveal What Library You Are Using
54
55
CSRF Token Names Can Reveal What Library You Are Using
55
56
CSRF Token Names Can Reveal What Library You Are Using
CSRFGuard 126,000 results Tomcat 513 results 56
57
Some require you to edit source code to do it...
CSRF Token Names Can Reveal What Library You Are Using Almost all of the solutions we've mentioned that use tokens allow you to customize the name of the token Some require you to edit source code to do it... 57
58
A single XSS flaw makes all of these CSRF defenses useless
There are numerous ways for a script to access the CSRF token value document.cookie document.getElementByID('csrftoken') document.forms[0].elements[0] 58
59
Protecting GET Requests Comes At A Cost
CSRF tokens can be leaked through the referer header, and can be reused if they're still valid GET /page HTTP/1.1 Host: othersite.com Referer: 59
60
We Have Seen Seven Widely Used Implementations of CSRF Defense
Know your defenses – which solution you select will depend on your application How many of these solutions were perfect? Security is rarely 'plug n play' 60
61
We Have Seen Seven Widely Used Implementations of CSRF Defense
Know your defenses – which solution you select will depend on your application Environment and language used Whether this is a new app or a retrofit of an old one Idempotence Potential user impact of some solutions 61
62
CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach @angelofsecurity Defensium llc 62
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.