© 2014 Imperva, Inc. All rights reserved.
CUSRF | It’s Pronounced “See You Surf”
and It’s Dangerous
Amichai Shulman, CTO, ...
© 2014 Imperva, Inc. All rights reserved.
Agenda
2
§  CSRF brief intro
§  CUSRF: A close encounter with CSRF of the thir...
© 2014 Imperva, Inc. All rights reserved.
Amichai Shulman – CTO, Imperva
3
§  Speaker at Industry Events
•  RSA, Appsec, ...
© 2014 Imperva, Inc. All rights reserved.
The Motivation:
Protecting Your ID in a Hostile
Online Environment
4
© 2014 Imperva, Inc. All rights reserved.
Privacy on the Web: An Uphill Battle?
5
Source: www.askingsmarterquestions.com
© 2014 Imperva, Inc. All rights reserved.
Privacy Can Be Achieved Through Anonymity
6
Source: www.antiquaprintgallery.com
© 2014 Imperva, Inc. All rights reserved.
Privacy Can Be Achieved Through Anonymity
7
Source: www.antiquaprintgallery.com
© 2014 Imperva, Inc. All rights reserved.
CUSRF Vulnerability Opens Your
Social Kimono!
§  CUSRF (pronounced “See You Sur...
© 2014 Imperva, Inc. All rights reserved.
CSRF Intro
9
© 2014 Imperva, Inc. All rights reserved.
SOP Threat Model
Communication
Custom Code
Accounts
Finance
Administration
Trans...
© 2014 Imperva, Inc. All rights reserved.
SOP Threat Model
Communication
Custom Code
Accounts
Finance
Administration
Trans...
© 2014 Imperva, Inc. All rights reserved.
SOP Threat Model
Communication
Custom Code
Accounts
Finance
Administration
Trans...
© 2014 Imperva, Inc. All rights reserved.
CSRF Illustrated: “Bypassing SOP”
Attacker sets the trap on some website on the ...
© 2014 Imperva, Inc. All rights reserved.
CSRF Illustrated: “Bypassing SOP”
Attacker sets the trap on some website on the ...
© 2014 Imperva, Inc. All rights reserved.
CSRF Illustrated: “Bypassing SOP”
3
Attacker sets the trap on some website on th...
© 2014 Imperva, Inc. All rights reserved.
CSRF
§  The “Confused Deputy” Problem
•  Web browsers automatically include acc...
© 2014 Imperva, Inc. All rights reserved.
CSRF Type I: Classic CSRF
17
§  The “Transfer Fund” attack
§  Attacker tricks ...
© 2014 Imperva, Inc. All rights reserved.
CSRF Type II: Login CSRF
§  The attacker mounts a CSRF attack that logs the vic...
© 2014 Imperva, Inc. All rights reserved.
CSRF Type II: Login CSRF
§  The attacker mounts a CSRF attack that logs the vic...
© 2014 Imperva, Inc. All rights reserved.
CSRF Type II: Login CSRF
§  The attacker mounts a CSRF attack that logs the vic...
© 2014 Imperva, Inc. All rights reserved.
CSRF is Very Relevant
Source: WhiteHat Security
21
© 2014 Imperva, Inc. All rights reserved.
CSRF is Very Relevant
Source: WhiteHat Security
22
© 2014 Imperva, Inc. All rights reserved.
CUSRF:
A Close Encounter With CSRF
of the Third Kind
23
© 2014 Imperva, Inc. All rights reserved.
CSRF Type III: CUSRF
24
§  A new type of CSRF, bringing CSRF to Web 2.0
environ...
© 2014 Imperva, Inc. All rights reserved.
Web 2.0: It’s All About Collaboration
25
§  “A Web 2.0 site may allow users to ...
© 2014 Imperva, Inc. All rights reserved.
CUSRF Explained
26
§  The attacker forges collaboration requests on behalf of
t...
© 2014 Imperva, Inc. All rights reserved.
CUSRF in the Wild 1:
LinkedIn Profile
27
© 2014 Imperva, Inc. All rights reserved.
Attack Setup: Creating a LinkedIn Profile
28
§  Attacker sets up a LinkedIn acc...
© 2014 Imperva, Inc. All rights reserved.
Attack Setup: Settings
29
§  In order to view the identity of profile visitors,...
© 2014 Imperva, Inc. All rights reserved.
Attack Setup: CSRF Page
30
§  Attacker adds an invisible CSRF link referencing ...
© 2014 Imperva, Inc. All rights reserved.
Launching the Attack
31
§  When the intended
target visits the CSRF
page:
•  Th...
© 2014 Imperva, Inc. All rights reserved.
Resolving “Semi Anonymous Profiles”
32
§  Victim can choose to share only “prof...
© 2014 Imperva, Inc. All rights reserved.
Resolving “Semi Anonymous Profiles”
33
§  In 2013, Linkedininsights.com had dem...
© 2014 Imperva, Inc. All rights reserved.
A Smelly Red Herring
34
Source: www.linkedinsights.com
© 2014 Imperva, Inc. All rights reserved.
CUSRF in the Wild 2:
Google Docs
35
© 2014 Imperva, Inc. All rights reserved.
Attack Setup: Creating a Google Doc
36
§  Attacker (“honeymadhatter”)
shares he...
© 2014 Imperva, Inc. All rights reserved.
Attack Setup: CSRF Page
37
§  Attacker adds an invisible CSRF link referencing ...
© 2014 Imperva, Inc. All rights reserved.
Launching the Attack
38
§  When the intended target visits the CSRF page:
•  Th...
© 2014 Imperva, Inc. All rights reserved.
Google’s Response
39
© 2014 Imperva, Inc. All rights reserved.
Mitigations
40
© 2014 Imperva, Inc. All rights reserved.
Consumers
41
§  Logout more!
§  Use stricter privacy settings for vulnerable a...
© 2014 Imperva, Inc. All rights reserved.
Platform Providers
§  Use standard CSRF protections
•  Don’t allow a collaborat...
© 2014 Imperva, Inc. All rights reserved.
Platform Providers
§  Single request collaboration, within same domain can be
s...
© 2014 Imperva, Inc. All rights reserved.
MS Seems to Get It Right
44
© 2014 Imperva, Inc. All rights reserved.
Summary & Conclusion
45
© 2014 Imperva, Inc. All rights reserved.
Summary
46
§  CSRF vulnerabilities of various types are common
within applicati...
© 2014 Imperva, Inc. All rights reserved.
Recommendations
47
§  Consumers
•  Review privacy settings for collaboration pl...
© 2014 Imperva, Inc. All rights reserved.
Webinar Materials
48
Post-Webinar
Discussions
Answers to
Attendee
Questions
Webi...
© 2014 Imperva, Inc. All rights reserved.
www.imperva.com
49
Upcoming SlideShare
Loading in …5
×

CUSRF | It's Pronounced "See You Surf" and It's Dangerous

1,124
-1

Published on

Cross USer Request Forgery (CUSRF: pronounced "See You Surf") is a new and emerging type of Cross-Site Request Forgery (CSRF) attack that affects users of collaboration platforms and applications, such as LinkedIn and Google Docs.

CUSRF exploits vulnerabilities in social networks to reveal a victim's true identity. Due to special technical characteristics of CUSRF attacks, most traditional counter-measures are irrelevant to the attack's mitigation. This presentation will:
- Give a brief intro of CSRF
- Examine the anatomy of a CUSRF attack, with examples
- Discuss mitigation techniques for both consumers and platform providers

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,124
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
40
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

CUSRF | It's Pronounced "See You Surf" and It's Dangerous

  1. 1. © 2014 Imperva, Inc. All rights reserved. CUSRF | It’s Pronounced “See You Surf” and It’s Dangerous Amichai Shulman, CTO, Imperva 1
  2. 2. © 2014 Imperva, Inc. All rights reserved. Agenda 2 §  CSRF brief intro §  CUSRF: A close encounter with CSRF of the third kind §  CUSRF explained §  Vulnerable applications in the wild §  Google Docs §  Linkedin.com §  Mitigations §  Summary and conclusion
  3. 3. © 2014 Imperva, Inc. All rights reserved. Amichai Shulman – CTO, Imperva 3 §  Speaker at Industry Events •  RSA, Appsec, Info Security UK, Black Hat §  Lecturer on Information Security •  Technion - Israel Institute of Technology §  Former security consultant to banks & financial services firms §  Leads the Application Defense Center (ADC) •  Discovered over 20 commercial application vulnerabilities §  Credited by Oracle, MS-SQL, IBM and others One of InfoWorld’s “Top 25 CTOs”
  4. 4. © 2014 Imperva, Inc. All rights reserved. The Motivation: Protecting Your ID in a Hostile Online Environment 4
  5. 5. © 2014 Imperva, Inc. All rights reserved. Privacy on the Web: An Uphill Battle? 5 Source: www.askingsmarterquestions.com
  6. 6. © 2014 Imperva, Inc. All rights reserved. Privacy Can Be Achieved Through Anonymity 6 Source: www.antiquaprintgallery.com
  7. 7. © 2014 Imperva, Inc. All rights reserved. Privacy Can Be Achieved Through Anonymity 7 Source: www.antiquaprintgallery.com
  8. 8. © 2014 Imperva, Inc. All rights reserved. CUSRF Vulnerability Opens Your Social Kimono! §  CUSRF (pronounced “See You Surf”) •  Cross USer Request Forgery §  Web sites you visit can see your privates: •  In real-time •  Name, email, work place, title, etc. §  Potential outcomes: •  “Ice Hole Phishing”: e.g. infect only certain roles in a specific organization. •  Display different price •  Disinformation 8
  9. 9. © 2014 Imperva, Inc. All rights reserved. CSRF Intro 9
  10. 10. © 2014 Imperva, Inc. All rights reserved. SOP Threat Model Communication Custom Code Accounts Finance Administration Transactions KnowledgeMgmt E-Commerce Bus.Functions Target Application Attacker sets the trap on some website on the internet1 Some interaction with victim site 10
  11. 11. © 2014 Imperva, Inc. All rights reserved. SOP Threat Model Communication Custom Code Accounts Finance Administration Transactions KnowledgeMgmt E-Commerce Bus.Functions Target Application Attacker sets the trap on some website on the internet1 2 While logged into vulnerable site, victim views attacker site Target site interaction Some interaction with victim site 11
  12. 12. © 2014 Imperva, Inc. All rights reserved. SOP Threat Model Communication Custom Code Accounts Finance Administration Transactions KnowledgeMgmt E-Commerce Bus.Functions Target Application 3 Vulnerable site sees legitimate request from victim, performs the requested action and sends a response Attacker sets the trap on some website on the internet1 2 While logged into vulnerable site, victim views attacker site Target site interaction Some interaction with victim site 12
  13. 13. © 2014 Imperva, Inc. All rights reserved. CSRF Illustrated: “Bypassing SOP” Attacker sets the trap on some website on the internet (or simply via an e-mail) 1 Custom Code Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability 13
  14. 14. © 2014 Imperva, Inc. All rights reserved. CSRF Illustrated: “Bypassing SOP” Attacker sets the trap on some website on the internet (or simply via an e-mail) 1 Hidden <img> tag contains attack against vulnerable site 2 While logged into vulnerable site, victim views attacker site <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site 14
  15. 15. © 2014 Imperva, Inc. All rights reserved. CSRF Illustrated: “Bypassing SOP” 3 Attacker sets the trap on some website on the internet (or simply via an e-mail) 1 Vulnerable site sees legitimate request from victim and performs the requested action Custom Code Accounts Finance Administration Transactions Communication KnowledgeMgmt E-Commerce Bus.Functions Hidden <img> tag contains attack against vulnerable site Application with CSRF vulnerability 2 While logged into vulnerable site, victim views attacker site <img> tag loaded by browser – sends GET request (including credentials) to vulnerable site 15
  16. 16. © 2014 Imperva, Inc. All rights reserved. CSRF §  The “Confused Deputy” Problem •  Web browsers automatically include access tokens with each request •  Requests can be invoked by malicious sites from victim’s browser without user consent §  Automatically Provided Tokens: Session cookie, basic authentication header, IP address, client side SSL certificates, Windows domain authentication 16
  17. 17. © 2014 Imperva, Inc. All rights reserved. CSRF Type I: Classic CSRF 17 §  The “Transfer Fund” attack §  Attacker tricks the browser into issuing a “transfer funds” request to the attacker’s account §  “/transferFund.jsp?To=<attacker>&Sum=10000000” Attack Type Used credentials Interacts with Classic CSRF Victim’s Victim’s web account
  18. 18. © 2014 Imperva, Inc. All rights reserved. CSRF Type II: Login CSRF §  The attacker mounts a CSRF attack that logs the victim into an attacker controlled account (sink account) §  “signin.jsp?user=<attacker>&password=123456” §  Later on, the attacker is able to track the victim’s activity in the sink account §  e.g. log the victim to attacker’s controlled Google account to collect search history 18
  19. 19. © 2014 Imperva, Inc. All rights reserved. CSRF Type II: Login CSRF §  The attacker mounts a CSRF attack that logs the victim into an attacker controlled account (sink account) §  “signin.jsp?user=<attacker>&password=123456” §  Later on, the attacker is able to track the victim’s activity in the sink account §  e.g. log the victim to attacker’s controlled Google account to collect search history Attack Type Used credentials Interacts with Classic CSRF Victim’s Victim’s web account Login CSRF Attacker’s Attacker web account 19
  20. 20. © 2014 Imperva, Inc. All rights reserved. CSRF Type II: Login CSRF §  The attacker mounts a CSRF attack that logs the victim into an attacker controlled account (sink account) §  “signin.jsp?user=<attacker>&password=123456” §  Later on, the attacker is able to track the victim’s activity in the sink account §  e.g. log the victim to attacker’s controlled Google account to collect search history 20
  21. 21. © 2014 Imperva, Inc. All rights reserved. CSRF is Very Relevant Source: WhiteHat Security 21
  22. 22. © 2014 Imperva, Inc. All rights reserved. CSRF is Very Relevant Source: WhiteHat Security 22
  23. 23. © 2014 Imperva, Inc. All rights reserved. CUSRF: A Close Encounter With CSRF of the Third Kind 23
  24. 24. © 2014 Imperva, Inc. All rights reserved. CSRF Type III: CUSRF 24 §  A new type of CSRF, bringing CSRF to Web 2.0 environment §  “Cross USer Request Forgery” (CUSRF, pronounced “See You Surf”) attack §  Composition of the known CSRF vulnerability types, for collaboration environment
  25. 25. © 2014 Imperva, Inc. All rights reserved. Web 2.0: It’s All About Collaboration 25 §  “A Web 2.0 site may allow users to interact and collaborate with each other in a social media dialogue as creators of user-generated content in a virtual community” (Source: Wikipedia) Source: http://conceptart.ca
  26. 26. © 2014 Imperva, Inc. All rights reserved. CUSRF Explained 26 §  The attacker forges collaboration requests on behalf of the victim •  Similar to the “Classic CSRF” §  The collaboration target is located on an attacker controlled account •  Similar to the “Login CSRF” §  Outcome: Attacker can reveal the victim’s social network identity Attack Type Used credentials Interacts with Classic CSRF Victim’s Victim’s web account Login CSRF Attacker’s Attacker’s web account CUSRF Victim’s Attacker’s web account
  27. 27. © 2014 Imperva, Inc. All rights reserved. CUSRF in the Wild 1: LinkedIn Profile 27
  28. 28. © 2014 Imperva, Inc. All rights reserved. Attack Setup: Creating a LinkedIn Profile 28 §  Attacker sets up a LinkedIn account
  29. 29. © 2014 Imperva, Inc. All rights reserved. Attack Setup: Settings 29 §  In order to view the identity of profile visitors, the attacker can either: •  Go “Pro” •  Make their “LinkedIn” identity available to others
  30. 30. © 2014 Imperva, Inc. All rights reserved. Attack Setup: CSRF Page 30 §  Attacker adds an invisible CSRF link referencing the attacker’s LinkedIn profile to their online asset §  Asset can be: •  A “watering hole” page •  A “phishing” page •  Etc.
  31. 31. © 2014 Imperva, Inc. All rights reserved. Launching the Attack 31 §  When the intended target visits the CSRF page: •  The attacker discovers his identity (“Tal Be’ery”) instantly §  Can act accordingly: •  e.g. infect him personally with a “drive by download“ infection
  32. 32. © 2014 Imperva, Inc. All rights reserved. Resolving “Semi Anonymous Profiles” 32 §  Victim can choose to share only “profile characteristics” •  e.g “Engineer in Imperva” §  This is the default setting §  Sometimes that’s enough information for the attacker
  33. 33. © 2014 Imperva, Inc. All rights reserved. Resolving “Semi Anonymous Profiles” 33 §  In 2013, Linkedininsights.com had demonstrated a bypass §  Linkedin “Red Herring” Module showed list of 10 possible “candidates” for the “Semi Anonymous Profiles” §  One was the actual person; others were just “Red Herrings” §  The problem: “Red Herrings” were randomized, actual person was not §  Exploit: Attacker should view the “candidates” list twice and mark the overlapping item
  34. 34. © 2014 Imperva, Inc. All rights reserved. A Smelly Red Herring 34 Source: www.linkedinsights.com
  35. 35. © 2014 Imperva, Inc. All rights reserved. CUSRF in the Wild 2: Google Docs 35
  36. 36. © 2014 Imperva, Inc. All rights reserved. Attack Setup: Creating a Google Doc 36 §  Attacker (“honeymadhatter”) shares her doc with targeted account(s) (“sam.burekas”) §  Only needs to know the targets’ email §  No email is sent, as the option can be unchecked
  37. 37. © 2014 Imperva, Inc. All rights reserved. Attack Setup: CSRF Page 37 §  Attacker adds an invisible CSRF link referencing to the attacker’s Google Doc to their online asset §  Asset can be •  A “watering hole” page •  A “phishing” page •  Etc. §  Invisible link example: •  “<script src = " https://docs.google.com/document/d/<some doc id>/edit"></ script>”
  38. 38. © 2014 Imperva, Inc. All rights reserved. Launching the Attack 38 §  When the intended target visits the CSRF page: •  The attacker uncovers victim’s identity (“sam.burekas”) instantly §  Can act accordingly: e.g. infect victim with malware
  39. 39. © 2014 Imperva, Inc. All rights reserved. Google’s Response 39
  40. 40. © 2014 Imperva, Inc. All rights reserved. Mitigations 40
  41. 41. © 2014 Imperva, Inc. All rights reserved. Consumers 41 §  Logout more! §  Use stricter privacy settings for vulnerable applications •  Full anonymity for LinkedIn §  Use personal Anti CSRF add-ons to block cross-site requests •  RequestPolicy •  CsFire •  NoScript
  42. 42. © 2014 Imperva, Inc. All rights reserved. Platform Providers §  Use standard CSRF protections •  Don’t allow a collaboration based on a single request from other domain §  Other domains can be determined by HTTP headers •  Referer •  Origin 42
  43. 43. © 2014 Imperva, Inc. All rights reserved. Platform Providers §  Single request collaboration, within same domain can be secured with a CSRF token •  Changing, un-guessable, unique identifier appended to the request §  Libraries exist to include this functionality in the code •  http://anticsrf.codeplex.com/ (.NET) •  https://www.owasp.org/index.php/ Category:OWASP_CSRFGuard_Project (Java, PHP, .NET) 43
  44. 44. © 2014 Imperva, Inc. All rights reserved. MS Seems to Get It Right 44
  45. 45. © 2014 Imperva, Inc. All rights reserved. Summary & Conclusion 45
  46. 46. © 2014 Imperva, Inc. All rights reserved. Summary 46 §  CSRF vulnerabilities of various types are common within applications §  CUSRF is a new type of CSRF that affects users of collaboration platforms and applications •  Disclosing the true identity of a victim, when accessing an attacker controlled application §  CUSRF can be used for fraud as well as “Ice Hole Phishing”
  47. 47. © 2014 Imperva, Inc. All rights reserved. Recommendations 47 §  Consumers •  Review privacy settings for collaboration platforms §  Providers •  Apply anti-CSRF mechanisms to collaboration activity
  48. 48. © 2014 Imperva, Inc. All rights reserved. Webinar Materials 48 Post-Webinar Discussions Answers to Attendee Questions Webinar Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
  49. 49. © 2014 Imperva, Inc. All rights reserved. www.imperva.com 49
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×