Automatic and Precise Client-Side Protection against CSRF Attacks



Presentation on theme: "Automatic and Precise Client-Side Protection against CSRF Attacks"— Presentation transcript:

1 Automatic and Precise Client-Side Protection against CSRF Attacks
Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens

2 Outline
Cross-site Request Forgery (CSRF)
Client-side Protection against CSRF
Client-Side Request Filtering
Request Filtering Policy
Formal Evaluation
Practical Evaluation
Conclusion
13/11/2018

3 Cross-Site Request Forgery

4 Cross-site Request Forgery
Cross-site Request Forgery can be used to …
  take over your blog
  modify your YouTube account
  obtain your address
  steal your money
W. Zeller and E. Felten, Cross-site Request Forgeries: Exploitation and Prevention, Technical Report, October 2008

5 Normal surfing scenario
Parties: User (Browser), Web Server
User (Browser) -> Web Server: Open "My Insecure Bank" (GET)
Web Server -> User (Browser): Some welcome page
User (Browser) -> Web Server: Login to the bank (POST user=Philippe, pass=bleh)
Web Server -> User (Browser): Login successful (Set cookie)
User (Browser) -> Web Server: Execute wire transfer (POST to=, amount=100)
Web Server -> User (Browser): Wire transfer executed

6 CSRF Attack Scenario
Parties: User (Browser), Web Server www.mib.com, Web Server lolcats.com
User is already authenticated with "My Insecure Bank"
User (Browser) -> lolcats.com: Browsing for LOLcats (GET lolcats.com/top10)
lolcats.com -> User (Browser): Page of LOLcats with an embedded CSRF attack
User (Browser) -> www.mib.com: Execute wire transfer (POST to=, amount=100)
www.mib.com -> User (Browser): Wire transfer executed
User (Browser) -> lolcats.com: Continue "being productive"
lolcats.com -> User (Browser): More LOLcats

7 CSRF Payload
<iframe id="frame" style="width=0px;height=0px;border=0px"></iframe>
<script>
var html = "";
// the form action (the transfer URL) and the 'to' value are not present in the transcript
html += "<form id='form' method='post' action=''>";
html += "<input type='hidden' name='to' value=''>";
html += "<input type='hidden' name='amount' value='99999'>";
html += "</form>";
document.getElementById("frame").contentDocument.body.innerHTML = html;
document.getElementById("form").submit();
</script>

8 Client-Side Protection against CSRF

9 Client-Side Countermeasures (1)
Several browser add-ons available
  Collect information from browser
  Make a decision for each request
  Mitigation: blocking or stripping request
Examples: NoScript ABE, Request Policy, CsFire

10 Client-Side Countermeasures (2)
Current client-side countermeasures
  Affect each cross-origin request
  Very secure
  Negative impact on usability
Experience from CsFire (33,000+ downloads)
  Limited impact on usability
  A few cross-origin scenarios break
  Currently addressed by central/local policies

11 Cross-Origin Scenarios
Examples: Payment Providers, Single sign-on
Hard to distinguish
  Often look like CSRF attacks
  Intention of user/site is unknown
Current status
  Broken by all client-side countermeasures
  Can be addressed using specific policy rules

12 Cross-Origin Scenario – Payment

13 Cross-Origin Scenario – SSO

14 State of Client-Side Countermeasures
Comparison table (cell marks not captured in the transcript)
  Columns: CSRF, Payment, SSO
  Rows: NoScript ABE, RequestPolicy, CsFire < 1.0

15 Client-side Request Filtering

16 Idea behind the Client-side Policy
Site A can delegate control to site B
  E.g. when B is a payment provider
When B is finished, control is transferred back to A
  E.g. when the payment is complete and A needs to complete the transaction
Detect delegation to B and allow B to return to A

17 Idea behind the Client-side Policy (2)
Strip all cross-origin requests unless it is an expected request
A request from B to A is expected if A previously delegated to B
Delegation from A to B occurs if A issues a POST request to B or if A redirects to B using a parametrized URI

18 Delegation Illustrated
Diagram labels: Cross-Origin Parametrized Redirect; Cross-Origin POST

19 Assumption of Delegation
Can an attacker delegate control?
POST request
  By form submission or using XHR
  Requires script injection (which trumps CSRF)
Parametrized Redirect
  By injecting server-side code (total compromise)
  Using an open redirect (direct attack possible, so no point in using a delegation and expected request)
Limit expected requests to single GET

20 Client-side Policy
Decision diagram for each request (ctx = origin of the issuing document, dst = destination origin, last = origin of the previous hop in a redirect chain):
Redirect? no -> sameOrigin(ctx, dst)? yes -> State from Origin; no -> Expected? yes -> State from Origin; no -> No State
Redirect? yes -> sameOrigin(last, dst)? yes -> State from Previous Request; no -> Expected? yes -> State from Origin; no -> No State
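The policy of slides 16 to 20 as a small runnable model, written for this transcript and not taken from CsFire's own code: it collapses the three outcomes of the decision diagram to two verdicts (allow with credentials, strip credentials), and the origins, URLs and request sequences in the demo are constructed.

```javascript
// Added model of the client-side request-filtering policy (slides 16-20); not
// CsFire's source. Verdicts: ALLOW = send with cookies, STRIP = send without.
const ALLOW = "allow";
const STRIP = "strip";
const originOf = (url) => new URL(url).origin;
// Delegation (slide 17): a POST, or a redirect whose target URI carries parameters.
function isDelegation(req) {
  return req.method === "POST" || (req.last !== null && new URL(req.url).search !== "");
}
class RequestFilter {
  constructor() {
    // delegations.get(B): origins A that delegated to B; each grants B one GET back to A
    this.delegations = new Map();
  }
  // req = { method, url, context, last }: context = origin of the issuing document,
  // last = previous hop's origin when the request is a redirect, else null (slide 20)
  decide(req) {
    const dst = originOf(req.url);
    const src = req.last !== null ? req.last : req.context;
    const expected = this.delegations.get(src);
    let verdict;
    if (src === dst) {
      verdict = ALLOW; // same-origin requests are never touched
    } else if (req.method === "GET" && expected && expected.has(dst)) {
      expected.delete(dst); // expected B -> A return, allowed exactly once (slide 19)
      verdict = ALLOW;
    } else {
      verdict = STRIP; // any other cross-origin request loses its credentials
    }
    if (src !== dst && isDelegation(req)) { // remember that src delegated to dst
      if (!this.delegations.has(dst)) this.delegations.set(dst, new Set());
      this.delegations.get(dst).add(src);
    }
    return verdict;
  }
}
// Constructed traffic: the lolcats CSRF (slide 6), a same-origin request, the
// payment flow (slide 12) and an SSO flow that starts with a redirect (slide 13).
function demo() {
  const f = new RequestFilter();
  const r = (method, url, context, last = null) => f.decide({ method, url, context, last });
  return {
    csrf: r("POST", "https://mib.example/transfer", "https://lolcats.example"),
    same: r("GET", "https://mib.example/account", "https://mib.example"),
    checkout: r("POST", "https://pay.example/checkout", "https://shop.example"),
    payReturn: r("GET", "https://shop.example/done?tx=1", "https://pay.example"),
    payReplay: r("GET", "https://shop.example/done?tx=1", "https://pay.example"),
    ssoRedirect: r("GET", "https://sso.example/auth?rt=1", "https://shop.example", "https://shop.example"),
    ssoReturn: r("GET", "https://shop.example/cb?ticket=1", "https://sso.example"),
  };
}
```

The forged POST from lolcats.example is stripped, the payment provider's return GET is allowed once and a replay of it is stripped again, and the SSO round trip works because the parametrized redirect counts as a delegation.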

21 Cross-Origin Scenario – Payment

22 Cross-Origin Scenario – SSO

23 Cross-Origin Scenario – Attacks

24 Formal Evaluation
Formal model of policy
  First for client-side CSRF countermeasure
  Gives strong security guarantees
  Base model by Akhawe et al. [1]
Analysis results
  Bounded scope: 9 HTTP events, 4 origins, …
  No CSRF scenarios found
  Functional scenarios are possible
[1] Devdatta Akhawe, Adam Barth, Peifung E. Lam, John Mitchell, and Dawn Song. Towards a formal foundation of web security. Computer Security Foundations Symposium, IEEE, 0:290–304, 2010.

25 Practical Evaluation
Implementation as extension of CsFire
Tested against benchmark of CSRF scenarios
  Different attack vectors: HTML, CSS, JS, redirect, …
Tested on real-life functional scenarios

26 State of Client-Side Countermeasures
Comparison table (cell marks not captured in the transcript)
  Columns: CSRF, Payment, SSO
  Rows: NoScript ABE, RequestPolicy, CsFire < 1.0, CsFire >= 1.0

27 Evaluating Delegation in Real-Life Traffic
Only two cases with unverifiable delegation
  Redirecting search engines (6.05 % of requests)
  URL shorteners (1.37 % of requests)
In Total: % of origins
Category (share of delegations, % of requests)
  Third Party Service Mashups: 52.95%
  Multi-Origin Websites: 25.27%
  Content Aggregators: 14.97%
  URL Shorteners: 1.37%
  False Positives: 2.20%
  Others (unclassified): 3.24%
  Total number of delegations: 100.00%

28 Conclusion

29 Conclusion
Client-side CSRF countermeasure
  Improved balance between usability and security
  Support for cross-origin collaborations
  Formal evaluation of the policy
Delegation between sites
  Experimentally evaluated
  Minor compromise on security

30 CsFire – Mozilla Add-Ons

