Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Request Forgery New Attacks and Defenses

Published byKory Boyd Modified over 5 years ago

Similar presentations

Presentation on theme: "Cross Site Request Forgery New Attacks and Defenses"— Presentation transcript:

1 Cross Site Request Forgery New Attacks and Defenses
Collin Jackson Stanford University (206) Joint work with Adam Barth and John C. Mitchell 6/25/2008

2 Outline CSRF Defined Attacks Using Login CSRF Existing CSRF Defenses CSRF Defense Proposal Identity Misbinding

3 Threat Models Forum Poster Web Attacker Network Attacker
Injects content onto trusted site Sanitized (hopefully) Web Attacker Owns Free user visit Network Attacker Eavesdrop/corrupt normal traffic Cannot eavesdrop/corrupt HTTPS

4 Browser vs. Web Attacker
Isolate sites Sites can opt in to sharing information Prevent attacker from Abusing user’s IP address Reading browser state associated with other sites Writing browser state associated with other sites

5 Browser Security Policy
Same-origin policy <iframe src=" <script> alert(frames[0].document.cookie); </script> Library import <script src=" Data export <form action="

6 Problems with Data Export
Abusing user’s IP address Can issue commands to servers inside firewall Reading browser state Can issue requests with cookies attached Writing browser state Can issue requests that cause cookies to be overwritten “Session riding” is a misleading name

7 Cross-Site Request Forgery

8 Login CSRF

9 Payments Login CSRF

10 Payments Login CSRF

11 Payments Login CSRF

12 Payments Login CSRF

13 Inline Gadgets

14 Using Login CSRF for XSS

15 Post-XSS

16 Secret Validation Token
CSRF Defenses Secret Validation Token Referer Validation Custom HTTP Header <input type=hidden value=23a3af01b> Referer: X-Requested-By: XMLHttpRequest

17 Secret Validation Token vs. Web Attacker
Hash of User ID Attacker can forge Session ID Save to HTML does allow session hijacking Session-Independent Nonce (Trac) Can be overwritten by subdomains, network attackers Session-Dependent Nonce (CSRFx, CSRFGuard) Requires managing a state table HMAC of Session ID No extra state required <input type=hidden value=23a3af01b>

18 Keeping Secrets in NoForge
Parses HTML and appends token to hyperlinks Dynamically created HTML lacks token Legacy application may break unexpectedly Token appended to all external links Remote site can immediately CSRF referrer No login CSRF defense Requires a session before token is validated

19   ? Referer Validation Referer: http://www.facebook.com/
Lenient Referer checking – header is optional Strict Referer checking – header is required Referer: Referer: ? Referer:

20 Why use Lenient Referer Checking?
Referer may leak privacy-sensitive information projects/iphone/competitors.html Common sources of blocking: Network stripping by the organization Network stripping by local machine Stripped by browser for HTTPS -> HTTP transitions User preference in browser Buggy user agents Site cannot afford to block these users

21 Lenient Referer Checking vs. Web Attacker
ftp:// javascript:"<script> /* CSRF */ </script>" data:text/html,<script> /* CSRF */ </script> … and many more Lenient Referer Checking is not secure! Don’t use it! Referer: M. Johns '06

22 Is Strict Referer Checking Feasible?
283,945 advertisement impressions from 163,767 IP addresses

23 XMLHttpRequest is for same-origin requests
Custom Header XMLHttpRequest is for same-origin requests Can use setRequestHeader within origin Limitations on data export format No setRequestHeader equivalent XHR2 has a whitelist for cross-site requests Issue POST requests via AJAX: No secrets required X-Requested-By: XMLHttpRequest

24 Can browsers help sites with CSRF?
Does not break existing sites Easy to use Allows legitimate cross-site requests Reveals minimum amount of information No secrets to leak Standardized

25 Proposal: Origin Header
Privacy Identifies only principal that initiated the request (not path or query) Sent only for POST requests; following hyperlink reveals nothing Usability Authorize subdomains and affiliate sites with simple firewall rule No need to manage secret token state Can use redundantly with existing defenses to support legacy browsers Standardization Supported by W3C XHR2 and JSONRequest Expected in IE8’s XDomainRequest SecRule REQUEST_HEADERS:Host !^www\.example\.com(:\d+)?$ deny,status:403 SecRule REQUEST_METHOD ^POST$ chain,deny,status:403 SecRule REQUEST_HEADERS:Origin !^(https?://www\.example\.com(:\d+)?)?$

26 User is logged in to trusted site as attacker
Identity Misbinding User is logged in to trusted site as attacker Does not always require login CSRF OpenID PHP Cookieless Authentication “Secure” cookies

27 Web Attacker vs. OpenID

28 Web Attacker vs. PHP Cookieless Authentication

29 Network Attacker vs. “Secure” Cookies
Need a browser-based solution Cookie-Integrity Mitigation: Don’t allow self-XSS over HTTPS

30 Conclusions Beware of: OK: State-modifying GET requests Login CSRF
Lenient Referer checking Sloppy secret token validation OpenID without binding to browser PHP cookieless authentication User opt-in to self-XSS (especially over HTTPS) OK: Careful secret token validation Strict Referer checking over HTTPS Custom headers

Download ppt "Cross Site Request Forgery New Attacks and Defenses"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

Session Management Dan Boneh CS 142 Winter Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Beware of Finer-Grained Origins

Beware of Finer-Grained Origins
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.

Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google