
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation


1 OWASP CSRF Protector
Minhaz, 3rd year, Computer Engineering, Delhi Technological University

2 OWASP What all I’ll cover?
 Very brief introduction of CSRF
 Introduction: CSRF Protector Project
 Software Design
 Brief introduction on implementation & final products
 Salient Features
 Roadmaps & Plans
 Feedbacks & Questions

3 OWASP So what’s CSRF?

4 OWASP Cross Site Request Forgery
Nice Server: BestBank Login Page (username: Admin, password: ********, Login, Forgot Password?, Protected by 128 bit encryption).
Captured login request:
Request URL: …
Form Data: username=Admin&password=Password
…
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
…
Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep :32:50 GMT

5 OWASP Nice Server: BestBank.com, Welcome Admin, Money Transfer

6 OWASP Nice Server: BestBank, Welcome Admin, Money Transfer form (Receiver's Account No, Amount: 1,00,000, Transfer).
Legitimate transfer request sent by the user:
Request URL: …
Form Data: accountno=10002&amount=
…
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23

7 OWASP Evil Server: "Evil Contents are always nice!!"
Forged transfer request sent by the victim's browser while visiting the evil site (same session cookie, attacker-chosen account):
Request URL: …
Form Data: accountno=1337&amount=
…
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23

8 OWASP Nice Server: BestBank, Welcome Admin, Transactions
Sl No | Account No | Amount | Date | Balance (amounts in INR)

9 OWASP Other possibilities:
 If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!
 Hijacking the primary DNS server setting of your router! -> phishing, MITM etc.!
 …Add more!
 Want to see it work? Visit superlogout.com
Read more at the OWASP CSRF Cheat Sheets, just Google it!

10 OWASP CSRF Protector Project
Project Leader: Abbas Naderi
Primary Contributor: that’s me!
Project Mentors: Kevin W. Wall & Jim Manico
Other Contributors: Abhinav Dahiya

11 OWASP CSRF Protector Project
A new anti-CSRF method to protect web applications! It has two parts for now:
 A standalone php library
 An Apache 2.x.x module

12 OWASP

13 Software Design (server side):
Request from client -> Server Side Interceptor / Input Filter -> … web application logic … -> Output Filter -> Response to client

14 OWASP Server Side Interceptor / Input Filter
Has token in cookie (C)? Has token in request (T)? C == T?
Yes: Allow the request, generate another pseudo random token & send it back to the client!
No: Take action as per configuration:
 Send back a 403
 Send back a 404
 Show a custom error message
 Redirect user to a custom URL
 Strip all request arguments and allow the request

15 OWASP Output Filter
Works on regular expression based matching! It injects JavaScript code just after the closing tag whenever the output is HTML. Our normal versions also inject a tag with a message inside it, asking the user to enable JavaScript if it is not already enabled! In the case of the php library we also have a version that works without JavaScript.

16 OWASP The JavaScript's job
 It does the primary job!
 The JavaScript code running on the client’s machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch!
 So tokens are attached to every POST request and to certain GET requests (allowed by rules in the configuration) originating from the browser! Something which the attacker cannot craft!

17 OWASP

18 Correctness of the design
 Scripts running on the attacker’s website cannot retrieve the token from other websites, because of the Same Origin Policy of browsers!
 The attacker cannot use his own token to authenticate requests on other websites.
 The attacker cannot guess tokens from the ones he already has, because a new pseudo random token is generated for each request (and each user), and the PRNG is reseeded after every request!

19 OWASP

20 Standalone library for CSRF mitigation in php based applications. Can be easily integrated with existing web applications or used while developing new ones.
Features:
1. Highly customisable!
2. Supports POST / GET requests!
3. Easy to alter according to your needs!
4. Works well with all php versions > 5.0

21 OWASP Apache module
It can be easily installed on Apache 2.2 servers! It is distributed as a shared object file! Easy to configure, by modifying fields in the httpd.conf file (Apache’s configuration file). The developer doesn’t need to make any changes to their web applications, so even a server administrator can deploy this on their servers. Has currently been tested with Linux (Ubuntu) and OS X only!

22 OWASP Salient Features

23 OWASP Feature 1: Easy to work with or integrate

24 OWASP Feature 2: Supports AJAX & dynamic forms
We also have custom wrappers in JS that ensure our injected token doesn’t create any conflict with the form validation logic designed by the developer! We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0).

25 OWASP Feature 3: Supports GET requests!
We use regex rules of the type shown on the slide to match URLs at validation time, and pass them on to the JavaScript code so that it knows which requests to attach tokens to! They are stored in the configuration!
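To show how the client side of slides 16 and 25 fits together, here is an added example (not CSRF Protector's own script) that applies a list of regex rules to decide which requests need a token and attaches it at the point of dispatch: every POST gets it in the body, and GETs whose URL matches a rule get it as a query parameter. The rule format (regex strings matched against path plus query), the parameter name csrf_token, the sample rules, and the function names are all assumptions; it runs under Node with the WHATWG URL class instead of the browser DOM.

```javascript
// Added example, not code from the CSRF Protector project.
// Rule format, "csrf_token" parameter name and function names are assumptions.

// Constructed configuration: regex rules for GET URLs that change server state.
const GET_RULES = ['^/transfer(\\?|$)', '^/admin/.*'];

// A request needs a token if it is a POST, or a GET whose path+query matches a rule.
function needsToken(method, url, getRules = GET_RULES) {
  const m = method.toUpperCase();
  if (m === 'POST') return true;
  if (m !== 'GET') return false;
  const { pathname, search } = new URL(url, 'http://localhost');
  const target = pathname + search;
  return getRules.some(rule => new RegExp(rule).test(target));
}

// Attach the token to a GET URL as a query parameter; set() replaces any
// csrf_token already present instead of adding a second copy.
function attachTokenToUrl(url, token) {
  const u = new URL(url, 'http://localhost');
  u.searchParams.set('csrf_token', token);
  return u.pathname + u.search;
}

// Attach the token to a POST body represented as a plain object of form fields.
function attachTokenToBody(fields, token) {
  return { ...fields, csrf_token: token };
}

// Called just before dispatch: returns the url and body that should actually be sent.
function prepareRequest(method, url, body, token, getRules = GET_RULES) {
  if (!needsToken(method, url, getRules)) return { url, body };
  if (method.toUpperCase() === 'GET') {
    return { url: attachTokenToUrl(url, token), body };
  }
  return { url, body: attachTokenToBody(body || {}, token) };
}
```

Because the token is read from the page's own origin and added only by this script, a form on another origin cannot produce the same request, which is the property slide 18 relies on.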

26 OWASP Feature 4: A better option for apps that support plugins, for example WordPress!

27 OWASP Roadmaps?
 Apache 2.2 module that works with Windows systems!
 Automated testing (Continuous Integration) for the Apache module!
 Support for legitimate cross-domain requests!

28 OWASP https://owasp.org/index.php/CSRFProtector_Project

