Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross-Site Request Forgeries: Exploitation and Prevention

Published byKristin Richardson Modified over 5 years ago

Similar presentations

Presentation on theme: "Cross-Site Request Forgeries: Exploitation and Prevention"— Presentation transcript:

1 Cross-Site Request Forgeries: Exploitation and Prevention
William Zeller / Edward W. Felten Princeton University Overview How CSRF Attacks Work Exploits We Discovered Client-Side Solution Our work: Demonstrates attacks against four high-profile sites Provides a browser plugin to protect users Provides instructions and sample code showing websites and web frameworks how to protect themselves Large Bank* Transferring money out of user bank accounts Creating checking accounts on behalf of users Large Newspaper Site Identifying user addresses for spamming or identification Large Media Site Adding videos to user’s “Favorites” Adding attacker as user’s “Friend” Sending arbitrary messages on user’s behalf Automatically shared videos with user’s contacts, Etc, etc. Large Community Site Taking control of user accounts by: Changing user address “Friending” user to determine user name Entering user name on “Forgot Password” page which causes a new password of the attacker’s choosing to be created Implemented as a plugin for the Firefox web browser Blocks all cross domain post requests Gives users the option of white-listing Implements Adobe’s Cross Domain policy (ie, if cross-domain requests work with Flash, they’ll work with the plugin) Could easily be extended to other browsers Does not prevent attacks against sites that allow GET requests to cause trusted actions to be taken User Web Browser Trusted Site Authenticated Session Trusted Action The Web Browser has established an authenticated session with Trusted Site. Trusted Action should only be performed when an authenticated web browser makes the request. Introduction to CSRF User Web Browser Trusted Site Authenticated Session Trusted Action Cross-Site Request Forgeries (CSRF) Are a type of Web-based vulnerability Occur when a malicious web site causes a user’s browser to perform some action on a trusted site (using GET or POST requests) Require user to visit attacker’s site Have been called “the Sleeping Giant” of attacks Are easy to prevent once understood Are extremely prevalent on the Internet today Are not prevented by SSL Are possible even when Javascript is turned off (if the attacker can use GET requests to cause trusted actions to be taken) Server-Side Solution Sets nonce in form field and in cookie Only allow POST requests if values match Attacker can set form field values, but not cookie values Recommended for web frameworks (Code Igniter, Ruby on Rails, etc) Automates CSRF protection Removes CSRF protection from responsibility of web developer Implemented solution for Code Igniter Legacy web sites protected without modification Appears to be scheduled for inclusion in next release Example of a valid request. The Web Browser attempts to perform a Trusted Action. The Trusted Site confirms that the Web Browser is authenticated and allows the action to be performed. User Web Browser Trusted Site Authenticated Session Trusted Action Attacking Site Example of a CSRF attack. The Attacking Site causes the browser to send a request to the Trusted Site. The Trusted Site sees a valid, authenticated Web Browser and performs the Trusted Action. *Names removed while paper is in-submission

Download ppt "Cross-Site Request Forgeries: Exploitation and Prevention"

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
MFA for Business Banking – Security Questions with Reset Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing.

MFA for Business Banking – Security Questions with Reset Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing.
RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Using the Self Service BMC Helpdesk

Using the Self Service BMC Helpdesk
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
1 Unit & District Tools Phase 1. 2 To access the new Unit and District Tools, you will need to click on the link embedded in the MyScouting Flash page.

1 Unit & District Tools Phase 1. 2 To access the new Unit and District Tools, you will need to click on the link embedded in the MyScouting Flash page.
TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.

TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
New School Websites Teacher Pages. Visit the SCUSD Website for videos tutorials: www.scusd.edu/website-training-teachers For more information.

New School Websites Teacher Pages. Visit the SCUSD Website for videos tutorials: For more information.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Live Support A “receptionist” on your website (typing) Can answer questions Transfer calls to different departments Take messages Automatically “push”

Live Support A “receptionist” on your website (typing) Can answer questions Transfer calls to different departments Take messages Automatically “push”

Similar presentations

Ads by Google