Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimizing Traditional and Advocating New Prevention Methods Mark Jenne Tatiana Alexenko Cross-Site-Request-Forgery.

Published byClemence Rogers Modified over 8 years ago

Similar presentations

Presentation on theme: "Optimizing Traditional and Advocating New Prevention Methods Mark Jenne Tatiana Alexenko Cross-Site-Request-Forgery."— Presentation transcript:

1 Optimizing Traditional and Advocating New Prevention Methods Mark Jenne Tatiana Alexenko Cross-Site-Request-Forgery

2 CSRF Overview Forces user to send unauthorized requests by interacting with a malicious website. The “sleeping giant” of all cyber security threats. Can force someone to transfer money, change status on social networking site, buy stock, or any other action on a vulnerable website an attacker would like to exploit.

3 CSRF Overview

4 Original Project Plan Week 2: Reading and Preparation Gain a better understanding of csrf attack mechanisms Weeks 3-4: Perform Simple CSRF Attacks Develop testbed and exploit generated site Weeks 5-7: Implement Defense Mechanisms Referrer-checking, reconfirmation, any others Weeks 8-9: Final Preparation Finalize project, conference paper, presentation

5 Alterations to the Plan Reconfirmation protection method Recon value to be based of off the trace path Trace path would not work since it would just go back to the user's browser. Would be unable to compare trace path of user and attack since both would lead to same machine. CCNC Conference Decided to submit paper to CCNC instead of ACM hotnets. Social Networking specification – had to find exploits in well-known social networks to present.

6 Test Bed Application Stock trading application Registered users can buy and sell stock based on prices from Yahoo Finance. Utilizes an AJAX request to retrieve stock information in real time Does not implement any CSRF protection methods – allowed us to concentrate on CSRF without the presence of XSS.

7 Test Bed Application

8 Sample Attack This attack uses Chris Shiflett’s CSRF Redirector. The CSRF Redirector creates a form with all the necessary inputs that submits to the target application on the vulnerable website.

9 Discovered Vulnerabilities Hi5.com—Yahoo’s Social Networking Website Change Profile Skin Change Status Add Applications Sharebuilder.com—ING’s Online Stock Brokerage Buy/Sell shares of stock Requires 2 requests for attack

10 Referer Privacy Guard Firefox extension that disorders browsing history Will encourage more users to send Referer Headers Sends “garbage” requests to random URLs from user’s browsing history http://sourceforge.net/projects/refererprivacyg/ Our extension is on SourceForge available for download SVN repository for developers set up

11 CSRF Signature Detection Preview page content in sandboxed manner Don’t allow any state-changing requests until content is checked Find deep links and compare to URL in address bar Allow users to whitelist domain pairs Preview linked content—images, iframes Block forms with only “hidden” inputs Block self-submitting forms unless user approves

12 Conclusions CSRF can be prevented User: Log out and clear cookies often Developer Make sure website not vulnerable to XSS Use form tokens and use them wisely Check Referer header Lenient for now Possibly strict when privacy issue resolved

13 Conclusions CSRF can be detected While application specific, certain features are similar Limited number of tags and Javascript functions that can be used to implement and disguise attack Hidden and self-submitting forms have little practical use Whitelisting of trusted sites for user convenience

14 Questions

Download ppt "Optimizing Traditional and Advocating New Prevention Methods Mark Jenne Tatiana Alexenko Cross-Site-Request-Forgery."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.

TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Similar presentations

Ads by Google