Robust Defenses for Cross-Site Request Forgery

Presentation on theme: "Robust Defenses for Cross-Site Request Forgery"— Presentation transcript:

1 Robust Defenses for Cross-Site Request Forgery
Adam Barth, Collin Jackson, John C. Mitchell Stanford University, published on CCS ’08 Presented by: HAN Jin

2 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

3 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

4 What is CSRF?
Cross-site request forgery (CSRF), also known as one-click attack or session riding
In a CSRF attack, a malicious site instructs a victim's browser to send a request to an honest site, as if the request were part of the victim's interaction with the honest site.
A typical example

5 A Typical CSRF attack <img src="

6 CSRF Harmfulness
Gmail CSRF vulnerability in 2007: forwarded all of David Airey's email to the attacker, which allowed the attacker to take control of davidairey.com
18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008
An active exploit of CSRF against residential ADSL routers in Mexico in early 2008: an email with a malicious IMG tag was sent to victims. By loading the image in the mail, the user's browser issued a router command that changed the DNS entry for a leading Mexican bank, so that any subsequent access by the user to the bank went through the attacker's server

7 CSRF Defined
In a CSRF attack, the attacker disrupts the integrity of the session between the user and a web site by injecting network requests via the user's browser (the browser's security policy allows web sites to send HTTP requests to any network address)
This policy allows an attacker who controls content rendered by the browser to use resources not otherwise under his or her control:
Network Connectivity (e.g. reaching hosts behind a firewall)
Read Browser State (cookies, client certificates)
Write Browser State (set cookies)

8 In-Scope Threats (of CSRF)
Forum Poster: sites permit users to submit passive content, such as images and hyperlinks
Web Attacker: owns a domain name (e.g. attacker.com) and a valid HTTPS certificate ($10); the user visits attacker.com
Network Attacker: controls the user's network connection, e.g. an evil router or a compromised DNS server
Out-of-Scope Threats
Cross-site scripting (XSS), Malware, DNS Rebinding, Certificate Errors, Phishing, User Tracking

9 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

10 Login CSRF attack

11 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

12 Secret Validation Token
Send additional information in each HTTP request which can be used to determine whether the request came from an authorized source
Can defend against login CSRF
Difficult to implement: easy to forget, and before login there is no session to bind the CSRF token to, so the site must:
first create a "pre-session"
implement token-based CSRF protection on it
and then transition to a real session after successful authentication

13 Token Design
Session Identifier: the user may reveal the contents of web pages via email or by uploading the web page, and the token is revealed with it
Session-Independent Nonce: fails to protect against Active Network Attackers, who can overwrite the session-independent nonce
Session-dependent Nonce: the site has to maintain a large state table in order to validate the tokens
HMAC of Session Identifier
Case Study: NoForge, showing the difficulty and complexity of implementing Secret Validation Tokens
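The following is an added example (not code from the paper or the presentation) of the HMAC-of-session-identifier design from slide 13 together with the pre-session to session transition from slide 12. The server key, the user list, the session store and the `LoginService` class are all constructed for the illustration; the token is HMAC(server key, session id), so it is bound to the session without revealing the cookie value and without a server-side token table.

```python
import hashlib
import hmac
import secrets

# Constructed server key; a deployment loads this from configuration.
SERVER_KEY = b"constructed-example-key"
# Constructed user database for the example.
USERS = {"alice": "correct horse", "mallory": "hunter2"}


def new_session_id():
    """Unguessable identifier; used for the pre-session before login
    and for the authenticated session created after it."""
    return secrets.token_hex(16)


def csrf_token(session_id, key=SERVER_KEY):
    """HMAC(key, session id): bound to the session, but the cookie value
    itself is never embedded in a page, and no per-token state is kept."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, presented, key=SERVER_KEY):
    """Recompute and compare in constant time; absent values fail closed."""
    if not session_id or not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id, key), presented)


def authenticate(user, password):
    """Placeholder credential check against the constructed user list."""
    return user in USERS and USERS[user] == password


class LoginService:
    """Minimal in-memory model of the pre-session -> session transition."""

    def __init__(self):
        self.sessions = {}  # session id -> username, or None before login

    def start_pre_session(self):
        """Every visitor gets a pre-session cookie before any login form."""
        sid = new_session_id()
        self.sessions[sid] = None
        return sid

    def login_form(self, sid):
        """What the login page embeds as a hidden field: the token only."""
        return {"csrf_token": csrf_token(sid)}

    def handle_login(self, cookie_sid, form):
        """Returns (new session id, status). The token is checked against the
        session id carried in the cookie, so a token minted for a different
        pre-session (e.g. one the attacker obtained for themselves) fails."""
        if cookie_sid not in self.sessions:
            return None, "no-session"
        if not verify_csrf(cookie_sid, form.get("csrf_token", "")):
            return None, "csrf-rejected"
        if not authenticate(form.get("user"), form.get("password")):
            return None, "bad-credentials"
        new_sid = new_session_id()  # rotate the id when privilege changes
        del self.sessions[cookie_sid]
        self.sessions[new_sid] = form["user"]
        return new_sid, "ok"


def demo():
    """Walk through a forged login (attacker's credentials, attacker's token),
    a login with no token, and a genuine login; return the outcomes."""
    svc = LoginService()
    victim = svc.start_pre_session()
    attacker = svc.start_pre_session()  # attacker's own pre-session with the site
    forged = svc.handle_login(victim, {"user": "mallory", "password": "hunter2",
                                       **svc.login_form(attacker)})
    missing = svc.handle_login(victim, {"user": "mallory", "password": "hunter2"})
    genuine_sid, genuine = svc.handle_login(victim, {"user": "alice",
                                                     "password": "correct horse",
                                                     **svc.login_form(victim)})
    return {"forged": forged[1], "missing": missing[1], "genuine": genuine,
            "rotated": genuine_sid != victim,
            "logged_in_as": svc.sessions.get(genuine_sid)}


if __name__ == "__main__":
    print(demo())
```

The forged request is rejected before credentials are even examined, because the attacker's token was computed over a different session id than the one in the victim's cookie; rotating the identifier on successful login also invalidates the pre-session token for the new session.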

14 Secret Validation Token
Can defend against login CSRF
Difficult to implement

15 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

16 The Referer Header
The Referer (sic) header contains the URL of the page making the request, e.g. Referer:
A site can defend itself against CSRF attacks by checking whether the request was issued by itself
Privacy: e.g. reveals the contents of search queries; information about corporate intranets might leak
Strictness:
Lenient Referer validation (wrong: reject, missing: accept)
Strict Referer validation (wrong: reject, missing: reject)

17 Interesting Story Referer is a common misspelling of the word referrer. It is so common, in fact, that it made it into the official specification of HTTP – the communication protocol of the World Wide Web – and has therefore become a widely used industry spelling when discussing HTTP referrers

18 Empirical Study
To evaluate the compatibility of Strict Referer Validation: requests with a Missing or Incorrect Referer Header (283,945 observations)
The "x" and "y" represent the domain names of the primary and secondary web servers, respectively.

19 Discussion on results
Cross-domain > same-domain
HTTP > HTTPS
Referer header > document.referrer
The Referer header is usually suppressed in the network and not in the browser (firewall, proxy, router...)

20 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

21 Custom HTTP Headers
Custom HTTP headers can prevent CSRF because the browser prevents sites from sending custom HTTP headers to another site, but allows sites to send custom HTTP headers to themselves using XMLHttpRequest
The cookie value is not actually required; the presence of the header is sufficient
A site must:
issue all state-modifying requests using XMLHttpRequest and attach the custom header
reject all state-modifying requests without the header

22 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

23 Proposal: Origin Header
Propose modifying browsers to send an Origin header with POST requests that identifies the origin that initiated the request
Privacy (improves on the Referer header):
only the scheme, host and port of the URL are sent
sent only for POST requests, to prevent accidental leakage
Similar to four other proposals that identify the initiator of a request
Adopted by several working groups

24 Origin header Implementation:
Browser side:
8-line patch to WebKit, the open source component of Safari
466-line extension to Firefox
Server side:
a web application firewall for CSRF in three lines of ModSecurity (a web application firewall language for Apache)
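The following is an added example, not the paper's ModSecurity rules or browser patches, showing the server-side decision the talk describes: the Origin header check from slides 23 and 24, with fallback to lenient or strict Referer validation from slide 16, strictness chosen by transport as slide 28 recommends (strict over HTTPS, where slide 19 reports suppression is rarer). The site origin `bank.example`, the request dictionaries and the header values are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed example site; a legitimate Origin or Referer must reduce to this triple.
SITE_ORIGIN = ("https", "bank.example", 443)
STATE_MODIFYING = {"POST", "PUT", "DELETE", "PATCH"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL or an Origin header value to (scheme, host, port).
    Path and query are discarded: this is exactly what the Origin header
    carries and what the Referer header over-shares."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None  # e.g. the literal value "null", or a garbled header
    try:
        port = p.port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(p.scheme)
    return (p.scheme.lower(), p.hostname.lower(), port)


def check_origin(headers):
    """True/False when an Origin header is present, None when it is absent."""
    value = headers.get("Origin")
    if value is None:
        return None
    return origin_of(value) == SITE_ORIGIN


def check_referer(headers, strict):
    """Lenient: missing -> accept, wrong -> reject.
    Strict:  missing -> reject, wrong -> reject."""
    value = headers.get("Referer")
    if value is None:
        return not strict
    return origin_of(value) == SITE_ORIGIN


def allow_request(req):
    """req is a constructed dict with keys "method", "scheme" and "headers".
    Safe methods pass. For state-modifying methods the Origin header decides
    when present (it is sent only for POST by the proposed browsers); otherwise
    the Referer header is validated, strictly over HTTPS and leniently over HTTP."""
    if req["method"].upper() not in STATE_MODIFYING:
        return True
    verdict = check_origin(req["headers"])
    if verdict is not None:
        return verdict
    strict = req["scheme"] == "https"
    return check_referer(req["headers"], strict)


if __name__ == "__main__":
    # Constructed sample requests, as a web application firewall would see them.
    samples = [
        ("same-origin POST with Origin", {"method": "POST", "scheme": "https",
                                          "headers": {"Origin": "https://bank.example"}}),
        ("cross-site POST with Origin", {"method": "POST", "scheme": "https",
                                         "headers": {"Origin": "https://attacker.example"}}),
        ("HTTPS POST, no headers", {"method": "POST", "scheme": "https", "headers": {}}),
        ("HTTP POST, no headers", {"method": "POST", "scheme": "http", "headers": {}}),
    ]
    for label, req in samples:
        print(f"{label}: {'accept' if allow_request(req) else 'reject'}")
```

The lenient branch is where the trade-off from the empirical study lives: accepting a missing Referer keeps the site working for users behind header-stripping proxies, but a cross-site request whose Referer was stripped in the network is also accepted, which is why the talk reserves strict validation for HTTPS and login forms.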

25 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

26 Session Initialization
Login CSRF is one example of a more general class of vulnerabilities in session initialization
Topics not covered in this presentation:
Two types of session initialization vulnerabilities: Authenticated as User; Authenticated as Attacker
Two common approaches to mounting the attack: HTTP Request; Cookie Overwriting

27 Outline What is CSRF? What is Login CSRF? Existing Defenses
Secret Validation Token The Referer Header Custom HTTP Headers Proposal: Origin Header Session Initialization Conclusion

28 Conclusion
Different defenses for different use cases:
Login CSRF → strict Referer validation (login forms typically submit over HTTPS)
HTTPS sites, such as banking sites → strict Referer validation
Third-party Content → secret token validation (spend the engineering effort to implement an HMAC token)
Long term → Origin header: privacy-preserving, works for both HTTP and HTTPS, no secret tokens to leak

