Cross-Site Request Forgeries: Exploitation and Prevention

Presentation transcript:

Cross-Site Request Forgeries: Exploitation and Prevention
William Zeller / Edward W. Felten, Princeton University

Overview
- How CSRF Attacks Work
- Exploits We Discovered
- Client-Side Solution

Our work:
- Demonstrates attacks against four high-profile sites
- Provides a browser plugin to protect users
- Provides instructions and sample code showing websites and web frameworks how to protect themselves

Large Bank*
- Transferring money out of user bank accounts
- Creating checking accounts on behalf of users

Large Newspaper Site
- Identifying user email addresses for spamming or identification

Large Media Site
- Adding videos to user's "Favorites"
- Adding attacker as user's "Friend"
- Sending arbitrary messages on user's behalf
- Automatically shared videos with user's contacts
- Etc, etc.

Large Community Site
- Taking control of user accounts by:
  - Changing user email address
  - "Friending" user to determine user name
  - Entering user name on "Forgot Password" page, which causes a new password of the attacker's choosing to be created

Client-Side Solution
- Implemented as a plugin for the Firefox web browser
- Blocks all cross-domain POST requests
- Gives users the option of white-listing
- Implements Adobe's Cross Domain policy (i.e., if cross-domain requests work with Flash, they'll work with the plugin)
- Could easily be extended to other browsers
- Does not prevent attacks against sites that allow GET requests to cause trusted actions to be taken

[Diagram: User, Web Browser, Trusted Site, Authenticated Session, Trusted Action]
The Web Browser has established an authenticated session with Trusted Site. Trusted Action should only be performed when an authenticated web browser makes the request.
Introduction to CSRF
[Diagram: User, Web Browser, Trusted Site, Authenticated Session, Trusted Action]
Cross-Site Request Forgeries (CSRF):
- Are a type of Web-based vulnerability
- Occur when a malicious web site causes a user's browser to perform some action on a trusted site (using GET or POST requests)
- Require user to visit attacker's site
- Have been called "the Sleeping Giant" of attacks
- Are easy to prevent once understood
- Are extremely prevalent on the Internet today
- Are not prevented by SSL
- Are possible even when Javascript is turned off (if the attacker can use GET requests to cause trusted actions to be taken)

Server-Side Solution
- Sets nonce in form field and in cookie
- Only allow POST requests if values match
- Attacker can set form field values, but not cookie values
- Recommended for web frameworks (Code Igniter, Ruby on Rails, etc)
  - Automates CSRF protection
  - Removes CSRF protection from responsibility of web developer
- Implemented solution for Code Igniter
  - Legacy web sites protected without modification
  - Appears to be scheduled for inclusion in next release

[Diagram: User, Web Browser, Trusted Site, Authenticated Session, Trusted Action]
Example of a valid request. The Web Browser attempts to perform a Trusted Action. The Trusted Site confirms that the Web Browser is authenticated and allows the action to be performed.

[Diagram: User, Web Browser, Trusted Site, Authenticated Session, Trusted Action, Attacking Site]
Example of a CSRF attack. The Attacking Site causes the browser to send a request to the Trusted Site. The Trusted Site sees a valid, authenticated Web Browser and performs the Trusted Action.

*Names removed while paper is in-submission
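The Server-Side Solution slide describes what is usually called a double-submit cookie. The following added example (illustrative code, not the authors' Code Igniter patch) shows the whole cycle: the trusted site issues a random nonce, places it both in a cookie and in a hidden form field, and lets a POST through only when the two values match. The cookie and field names, the `/transfer` form and the dict-based request representation are assumptions made for the example.

```python
"""Double-submit cookie CSRF check: nonce in cookie + nonce in form field,
POST accepted only when both are present and equal.

Illustrative code, not a framework's own implementation.
"""
import hmac
import secrets

COOKIE_NAME = "csrf_token"   # hypothetical cookie name
FIELD_NAME = "csrf_token"    # hypothetical hidden-field name


def issue_token():
    """Random nonce the trusted site places in both the cookie and the form."""
    return secrets.token_urlsafe(32)


def render_form(token):
    """Form the trusted site serves; the hidden field carries the nonce.
    The matching Set-Cookie header is sent in the same response."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def csrf_check(method, cookies, form):
    """True if the request may proceed.

    cookies -- dict of the request's Cookie header
    form    -- dict of the parsed request body
    Only POST is checked, mirroring "Only allow POST requests if values match".
    """
    if method.upper() != "POST":
        return True
    cookie_val = cookies.get(COOKIE_NAME)
    form_val = form.get(FIELD_NAME)
    if not cookie_val or not form_val:
        return False   # either half missing: reject
    # constant-time comparison so a mismatch leaks nothing via timing
    return hmac.compare_digest(cookie_val.encode(), form_val.encode())


def handle_transfer(method, cookies, form):
    """Trusted Action guarded by the check; returns an HTTP-style status."""
    if not csrf_check(method, cookies, form):
        return 403
    return 200


def demo():
    """Legitimate submission versus two forged ones (constructed requests)."""
    token = issue_token()
    victim_cookies = {"session": "abc123", COOKIE_NAME: token}
    # legitimate: the site's own form echoes the cookie value back
    legit = handle_transfer("POST", victim_cookies, {FIELD_NAME: token, "amount": "10"})
    # forged: the browser attaches the victim's real cookies, but the
    # attacking site's form can only carry a value the attacker picked
    forged = handle_transfer("POST", victim_cookies, {FIELD_NAME: "guess", "amount": "10"})
    # forged without any field at all
    bare = handle_transfer("POST", victim_cookies, {"amount": "10"})
    return legit, forged, bare


if __name__ == "__main__":
    print(demo())   # (200, 403, 403)
```

The check holds as long as the attacking site cannot write cookies for the trusted site's domain, which is the assumption the slide states ("Attacker can set form field values, but not cookie values"); when that assumption is weakened, for instance by an attacker-controlled subdomain that can set cookies for the parent domain, the nonce should additionally be bound to the user's session on the server.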