CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach
Defensium llc
November 2013

Slide notes: Request.Params versus Request.Form – param does GET or POST, form does only POST

This Talk is a Review of Current Defensive Options
Or the long tail?
Is your application one of the 80%?

This Talk Will Cover CSRF Defenses and Their Side Effects
- What is CSRF
- General (high level) fixes
- Code level defenses
- Server level defenses

CSRF occurs when an attacker tricks a user's browser into performing an action on a website

Normally, Browser's Form Submissions are Straightforward and Predictable

    <form action=submitpage>
      <input name=amount type=text>
      <input name=dest type=text>
      <input type=submit value=Transfer>
    </form>

If action was a POST:

    POST /submitpage
    Host: server.com

    amount=100.00&dest=12345

If action was a GET:

    GET /submitpage?amount=100.00&dest=12345
    Host: server.com

If you can predict all the parameters for an action, you can fake it
To Fake a GET:

    <img src="...">

    http://server.com/submitpage?amount=100.00&dest=12345
    http://webmail.com/sendEmail?dest=boss@work&subj=resignation

To Fake a POST:

    <form name="evil" action="http://server.com/submitpage" method="POST">
      <input type="hidden" name="amount" value="100.00">
      <input type="hidden" name="dest" value="12345">
    </form>
    <script>document.evil.submit()</script>

Anatomy of an Attack
1. User navigates to website which attacker has some control over
2. User's browser tries to load content from site
3. Content performs action at a legitimate site
[diagram: the <html> page carrying malicious code, the legitimate site, and the session cookie sent along with the request]

In 2008, A CSRF flaw Was Used to Attack Cable Modems
Found a CSRF flaw in ADSL modems used by a Brazilian ISP
Used it to change DNS settings
Sent users to malicious websites that looked like www.google.br

High Level Defenses (Design Patterns)

There are Four Design Patterns Which are Used
- Synchronizer Token Pattern
- Double Submit Cookies
- Challenge Response
- Check Referrer Header

Primary Defense is the Synchronizer Token Pattern
The most common defense
Make at least one parameter unpredictable
Upon submission, check to ensure the submitted value matches the generated value

    <input type="hidden" name="FromEmail" value="president@whitehouse.gov" />
    <input type="hidden" name="Subject" value="Do something wild" />
    <input type="hidden" name="GUID" value="0f41d8e54aa80b3193c28ed920" />

Things to look out for:
- How are tokens remembered?
- Completeness of coverage
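The synchronizer token pattern described above, worked through in Python as an added example (not code from the talk): the server mints one random token per session, embeds it as the hidden field, and on submission compares the submitted value against the stored one in constant time. The `Session` class, the use of the slide's `GUID` field name as the token field, and the sample form values are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# The slide's hidden field is named GUID; treating it as the token field is an assumption.
TOKEN_FIELD = "GUID"


@dataclass
class Session:
    """Constructed server-side session record; stands in for whatever session
    store the application uses (hypothetical, not from the slides)."""
    user: str
    csrf_token: Optional[str] = None


def issue_token(session: Session) -> str:
    """Synchronizer Token Pattern: mint one unpredictable value per session and
    remember it server-side so later submissions can be checked against it."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    return session.csrf_token


def render_hidden_field(session: Session) -> str:
    """The one parameter of the form that a cross-site page cannot predict."""
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(session)}" />'


def validate_submission(session: Session, form: Dict[str, str]) -> bool:
    """Reject any state-changing submission whose token is missing or wrong.
    hmac.compare_digest keeps the comparison constant-time so the token value
    does not leak through response timing."""
    expected = session.csrf_token
    submitted = form.get(TOKEN_FIELD)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one legitimate submission and two forged ones."""
    session = Session(user="alice")
    render_hidden_field(session)  # the legitimate page embeds the token
    legit = {"FromEmail": "alice@example.com", "Subject": "hello",
             TOKEN_FIELD: session.csrf_token}
    # A cross-site page can predict FromEmail and Subject but not the token.
    forged_missing = {"FromEmail": "alice@example.com", "Subject": "Do something wild"}
    forged_guess = dict(forged_missing, **{TOKEN_FIELD: "0f41d8e54aa80b3193c28ed920"})
    return {
        "legit": validate_submission(session, legit),
        "forged_missing_token": validate_submission(session, forged_missing),
        "forged_guessed_token": validate_submission(session, forged_guess),
    }
```

The two "things to look out for" on the slide map directly onto this code: the token is remembered in the server-side session object, and coverage is complete only if every state-changing handler calls `validate_submission`, which is exactly the forgetful-programmer risk the later AntiForgeryToken slides raise.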
Second Defensive Option is Double Submit Cookies
This option is used less often, but is useful for things like REST
Generate a random value and store it in two places:
1 – a cookie
2 – a hidden form field
Upon submission, check to see if they match
[diagram: the cookie abc123 and the hidden <input>=abc123 travel together with the request]
Things to look out for:
- Do not use the Session ID for this purpose!
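Double submit cookies as an added Python example (not from the talk): one random value is set as a cookie and echoed in a hidden field, and validation only checks that the two copies match, so nothing has to be kept in server-side state. The cookie and field names and the forged requests are constructed for the example. The value is deliberately independent of the session ID, which is the slide's warning: the hidden field lands in page HTML, so a value that doubled as the session ID would turn any token leak into a session compromise.

```python
import hmac
import secrets
from typing import Dict

# Constructed names; the slide's diagram just shows the value abc123 in both places.
COOKIE_NAME = "csrf"
FIELD_NAME = "csrf_field"


def start_request(response_cookies: Dict[str, str]) -> str:
    """Double Submit Cookies: generate one random value and send it twice, as a
    cookie and as a hidden form field. Nothing is stored server-side, which is why
    the pattern suits stateless REST back ends. Returns the hidden-field HTML.

    The value is generated independently of the session ID on purpose: it ends up
    in page HTML, so reusing the session ID here would expose the session itself."""
    token = secrets.token_urlsafe(32)
    response_cookies[COOKIE_NAME] = token
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def validate(request_cookies: Dict[str, str], form: Dict[str, str]) -> bool:
    """The browser attaches the cookie to a cross-site request automatically, but
    a page on another origin cannot read that cookie to copy it into the form
    field. Accept only when both copies are present and identical."""
    cookie = request_cookies.get(COOKIE_NAME)
    field = form.get(FIELD_NAME)
    if not cookie or not field:
        return False
    return hmac.compare_digest(cookie, field)


def scenarios() -> Dict[str, bool]:
    """Constructed round trip: the server issues the pair, then three requests arrive."""
    jar: Dict[str, str] = {}
    start_request(jar)
    token = jar[COOKIE_NAME]
    return {
        # legitimate form: browser sends the cookie and echoes the hidden field
        "legit": validate(jar, {FIELD_NAME: token, "amount": "100.00"}),
        # forged form: the cookie rides along, but there was no field value to send
        "forged_missing": validate(jar, {"amount": "100.00"}),
        # forged form carrying a guessed field value
        "forged_guess": validate(jar, {FIELD_NAME: "abc123", "amount": "100.00"}),
    }
```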
A Third Option is Any Form of Challenge Response System
Rarely Used Exclusively for CSRF Defense
[four image-only slides]
Things to look out for:
- User impact

A Fourth Option is to Check the Referrer Header
I Have Never Seen This Implemented

    GET /services/transfer.jsp HTTP/1.1
    Host: mybank.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Referer: http://t.co/xblu14l6vL
    Cookie: JSESSIONID=007f0100547a514c54060044;

Things to look out for:
- Potential impact on other things which may modify the Referer header

Actually Implementing These Patterns is Where it Gets Fun and Complicated
- Code Fixes
- Server Fixes

We Will Show Five Common Software Libraries That Can Be Used To Do CSRF Defense
1. ViewState User Keys (.net)
2. AntiForgeryToken (.net MVC)
3. AntiCSRF (.net)
4. CSRFGuard (Java, PHP port is in progress)
5. HDIV (Java)

.net can add CSRF protections to the ViewState
Viewstate is meant to maintain a form's state on postbacks
[diagram: Page.aspx posting back to Page.aspx]
Adding the session ID to the view state makes it unpredictable
[diagram: sessionID mixed into the ViewState]
Add to OnInit for all pages or once to a base class:

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (User.Identity.IsAuthenticated)
            ViewStateUserKey = Session.SessionID;
    }

Viewstate User Keys was designed to protect against 1 click attacks, which are a subset of CSRF attacks
Only protects postbacks
- Won't protect posts to other pages
[diagram: a post from Page.aspx to Other.aspx is not covered]

.net MVC Applications Can Use AntiForgeryToken
What about .net MVC?
AntiForgeryToken
- Part of the HtmlHelper class

    <% using(Html.Form("UserProfile", "SubmitUpdate")) { %>
      <%= Html.AntiForgeryToken() %>
      <!-- rest of form goes here -->
    <% } %>

Rendered output:

    <input name="__RequestVerificationToken" type="hidden" value="saTFWpkKN0BYazFtN6c4YbZAmsEwG0srqlUqqloi/fVgeV2ciIFVmelvzwRZ" />

Validate the token in the controller:

    [ValidateAntiForgeryToken]
    public ActionResult FunctionToProtect()
    {
        // this is now run only if the token is valid
    }

By Default, will only work for POST
Not a problem if GET is idempotent
Can be hacked to work, google for details
Obvious problem: the forgetful programmer
- must add to every controller and function that needs to be protected

Anticsrf for .net implements the double submit cookies pattern
- For .net
- Has no other requirements (like viewstate enabled, MVC, etc.)
- Open source
- Developed in C#
Available from http://anticsrf.codeplex.com/
Generates string using Guid.NewGuid()

    Cookie: __CSRFCOOKIE=a22b81af-74f0-45ee-b2fd-1ead5f31f1c2;
    in POST: __CSRFTOKEN=a22b81af-74f0-45ee-b2fd-1ead5f31f1c2

Can be used in a .net web app
New Token for each session
Only protects POST (not a problem if GET is idempotent)
- Won't work for Rest (unless you hack it)

CSRFGuard Implements the Synchronizer Token Pattern and Makes a New Token For Each Session
Made By OWASP (open source, BSD license)
Java currently, PHP and .net port in progress
Modifies existing GET and POST requests
Keeps one token per session, stored in the session
- exposure of token compromises entire session
[diagram: link=nonce1, action=nonce1]

CSRFGuard Can Also be Configured to Generate a New Token For Each Page
Each link or action would get a unique token value
Stored in session
Feature is still experimental
[diagram: link=page?nonce1, action=page2?nonce2]
Also supports AJAX
Sets the token value in an HTTP header

HDIV Uses Tokens With a Queue Based Expiry
HDIV is a Java library that provides several security functions, including CSRF defense using the Synchronizer Token Pattern.
The queue includes all generated tokens (could be dozens per page).
[diagram: link=page?nonce1, action=page2?nonce2]

These Five Libraries All Have Different Approaches To CSRF Defense
ViewState User Keys (.net): Synchronizer Token Pattern
- only postbacks
AntiForgeryToken (.net MVC): Synchronizer Token Pattern
- needs lots of code changes
AntiCSRF (.net): Double Submit Cookies
- only protects POST
CSRFGuard (Java): Synchronizer Token Pattern
- can be done per session or page
HDIV: Synchronizer Token Pattern
- per link/action
- queue based expiry

We Can Also Implement CSRF Protection on the Server
Changing code on existing applications is hard
What if we asked the server to do CSRF protection?

Tomcat 7 Includes a CSRF Prevention Filter
Generates a new UUID for each page loaded
- default generator is java.security.SecureRandom
Protects GET and POST
- modifies links and form actions
Stores the last n UUIDs in the session
- default for n is 5

    http://server/page?org.apache.catalina.filters.CSRF_NONCE=31ACB2CA0A9...

Tomcat's CSRF Prevention Filter Can Cause Usability Issues for Users With Multiple Browser Tabs Open
User opens a second tab (same session, same cookies, etc.)
Makes n mouse clicks (default n is 5)
Original tab is now broken
[diagram: the first tab's nonce1 is pushed out of the session's queue by nonce2 through nonce6]
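A constructed Python model of the behaviour the two Tomcat slides describe (an added example, not Tomcat's source): one nonce per page load, the last n kept in the session, and a function that replays the two-tab scenario to show exactly when the first tab's links stop working. The query parameter name is the one shown on the slide; the deque-based session, the URL paths and the nonce length are assumptions.

```python
import secrets
from collections import deque
from typing import Deque
from urllib.parse import parse_qs, urlsplit

# Parameter name shown on the Tomcat slide.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


class NonceSession:
    """Constructed model of the filter's behaviour as the slides describe it: a
    fresh nonce per page load, the last n kept in the session (default n = 5).
    A simplified Python re-implementation for illustration, not Tomcat's own code."""

    def __init__(self, n: int = 5) -> None:
        # deque(maxlen=n) drops the oldest nonce as soon as the (n+1)th is appended,
        # which is the queue-based expiry the slides contrast with F5's time-based one.
        self.recent: Deque[str] = deque(maxlen=n)

    def render_page(self, path: str) -> str:
        """Each page load mints a nonce and rewrites outgoing links to carry it."""
        nonce = secrets.token_hex(8)  # 64-bit nonce; a placeholder for the filter's UUID
        self.recent.append(nonce)
        return f"{path}?{NONCE_PARAM}={nonce}"

    def accept(self, url: str) -> bool:
        """A request is accepted only if its nonce is still among the last n."""
        nonce = parse_qs(urlsplit(url).query).get(NONCE_PARAM, [None])[0]
        return nonce is not None and nonce in self.recent


def two_tab_scenario(n: int = 5, clicks_in_second_tab: int = 5) -> bool:
    """Tab 1 holds a page whose links carry nonce1. Tab 2 (same session, same
    cookies) clicks through clicks_in_second_tab pages, each minting a new nonce.
    Returns whether tab 1's link is still accepted afterwards."""
    session = NonceSession(n)
    tab1_link = session.render_page("/account")
    for i in range(clicks_in_second_tab):
        session.render_page(f"/page{i}")
    return session.accept(tab1_link)
```

With the default n of 5, four clicks in the second tab leave the first tab working and the fifth breaks it, which is the slide's "makes n mouse clicks, original tab is now broken". Raising n widens the window at the cost of keeping more valid nonces alive per session.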
F5's ASM Can Insert a Token in All Links and Forms to Implement the Synchronizer Token Pattern
Before:

    <form action="foo">
    <a href="bar">

After:

    <form action="foo">
      <input type="hidden" value="12345">
    <a href="bar?csrt=12345">

Will protect all GET and POST requests
Tokens are generated per session, and have an expiry time (configurable from 1-99999 seconds). Default is 600 seconds
Obvious problem of timeouts

Imperva SecureSphere Can Detect CSRF Attacks by Checking the Referrer Header
SecureSphere (Imperva's WAF) can alert and block when the Referer header of a request is from an external site

    GET /services/transfer.jsp HTTP/1.1
    Host: mybank.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
    Accept-Language: en-US,en;q=0.5
    Referer: http://t.co/xblu14l6vL
    Cookie: JSESSIONID=007f0100547a514c54060044;

The Referer header is not respected in all situations
Bookmarks, links from external sites, and plugins that stop or tamper with the Referer header can all cause false positives
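The Referer check from the fourth design pattern earlier in the talk and the SecureSphere behaviour just described, as an added Python example (not the WAF's code or the talk's): the first sample request reproduces the slide's headers, and the check returns three verdicts rather than two so that a missing Referer (bookmarks, privacy plugins, stripping proxies) is surfaced as ambiguous instead of being counted as an attack, which is the false-positive problem the slide names. The protected host set, the same-site request and the bookmark request are constructed.

```python
from typing import Dict
from urllib.parse import urlsplit

# Hosts the check protects (constructed; the slides' sample request targets mybank.com).
PROTECTED_HOSTS = {"mybank.com"}


def parse_request(raw: str) -> Dict[str, str]:
    """Minimal parser for raw HTTP request text of the kind shown on the slides."""
    lines = raw.strip().splitlines()
    headers = {"request_line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def referer_verdict(headers: Dict[str, str]) -> str:
    """Return 'allow', 'block' or 'no-referer'.

    'block' when the Referer names a host other than the protected site (the
    cross-site case a WAF alerts on). 'no-referer' is the ambiguous case the slides
    point out: bookmarks, privacy plugins and some proxies strip the header, so
    treating its absence as an attack produces false positives. The host is compared
    exactly, so a lookalike that merely starts with the protected name does not pass."""
    referer = headers.get("Referer")
    if not referer:
        return "no-referer"
    ref_host = (urlsplit(referer).hostname or "").lower()
    return "allow" if ref_host in PROTECTED_HOSTS else "block"


# Constructed samples; the first mirrors the request on the slide.
CROSS_SITE = """GET /services/transfer.jsp HTTP/1.1
Host: mybank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept-Language: en-US,en;q=0.5
Referer: http://t.co/xblu14l6vL
Cookie: JSESSIONID=007f0100547a514c54060044;"""

SAME_SITE = """GET /services/transfer.jsp HTTP/1.1
Host: mybank.com
Referer: https://mybank.com/accounts/summary
Cookie: JSESSIONID=007f0100547a514c54060044;"""

BOOKMARK = """GET /services/transfer.jsp HTTP/1.1
Host: mybank.com
Cookie: JSESSIONID=007f0100547a514c54060044;"""


def verdicts() -> Dict[str, str]:
    """Run the three constructed requests through the check."""
    samples = (("cross_site", CROSS_SITE), ("same_site", SAME_SITE), ("bookmark", BOOKMARK))
    return {name: referer_verdict(parse_request(raw)) for name, raw in samples}
```

Whether 'no-referer' is logged, challenged or blocked is the policy decision the slides leave to you; the example keeps it separate from 'block' precisely so that the false-positive population can be measured before anything is enforced.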
All Three Of The Servers We Looked At Do CSRF Defense Differently
Tomcat: Synchronizer Token Pattern
- Queue based expiry
F5 ASM: Synchronizer Token Pattern
- Time based expiry
Imperva SecureSphere: Check Referrer Header
- Is intended for detection, not prevention

CSRF Token Names Can Reveal What Library You Are Using
[two image-only slides]
Tomcat: 513 results
CSRFGuard: 126,000 results
Almost all of the solutions we've mentioned that use tokens allow you to customize the name of the token
Some require you to edit source code to do it...

A single XSS flaw makes all of these CSRF defenses useless
There are numerous ways for a script to access the CSRF token value

    document.cookie
    document.getElementById('csrftoken')
    document.forms[0].elements[0]

Protecting GET Requests Comes At A Cost
CSRF tokens can be leaked through the Referer header, and can be reused if they're still valid

    GET /page HTTP/1.1
    Host: othersite.com
    Referer: http://mysite.com/page?CSRF_TOKEN=1ba5690d4ea45fbab3

We Have Seen Seven Widely Used Implementations of CSRF Defense
Know your defenses – which solution you select will depend on your application
- Environment and language used
- Whether this is a new app or a retrofit of an old one
- Idempotence
- Potential user impact of some solutions
How many of these solutions were perfect?
Security is rarely 'plug n play'

CSRF: Not All Defenses Are Created Equal
Ari Elias-Bachrach
ari@defensium.com
@angelofsecurity
Defensium llc
http://www.defensium.com