Your SlideShare is downloading. ×
OWASP Khartoum - CSRF Session - Abdullah Ulber - January 2013
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OWASP Khartoum - CSRF Session - Abdullah Ulber - January 2013


Published on

Abdullah Ulber works at Banan IT as a senior software architect, web developer and education manager. He looks back to more than ten years of professional software development, specialising in web …

Abdullah Ulber works at Banan IT as a senior software architect, web developer and education manager. He looks back to more than ten years of professional software development, specialising in web applications based on ASP.NET MVC, HTML5 and Silverlight. He is a keen follower of all trends in the web world and enjoys passing on his knowledge in captivating presentations and courses.

Outside his work, he is an organising member of the OWASP local chapter in Khartoum.

Before his move to Sudan, Abdullah was the co-organiser of the Swiss Olympiad in Informatics and the team leader of the Swiss delegation to the International Olympiads in Informatics from 1998 to 2005.

He holds a master’s degree in computer science from ETH Zurich.

This session was held on Saturday 12/01/2013. Check our best shots from the event on our Facebook group:

Published in: Technology
1 Comment
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Use official flyer to connect with the invitation, start with something familiar.
  • Graduated at ETH Zurich in 1996.SOI team leader and co-organiser from 1998 to 2005.Moved to Sudan in 2005.Since 2012 working as a volunteer at OWASP Khartoum.
  • Explain how this session is aligned with OWASP’s mission.Highlight “visible” -> demos, diagrams“decisions” -> requires knowledge and understanding
  • OWASP is not “Hogwarts School of Witchcraft And Wizardry” (from Harry Potter), or in security terms, it is not a workshop for wanna-be hackers. We are not teaching how to break into websites, but how to protect yourself and your web sites. We are “the good guys” rather than “the bad guys”.And there is a second reason why OWASP is not “Hogwarts School of Witchcraft And Wizardry”: whatever we teach is not witchcraft or magic at all. In this session, I will go to great lengths to explain exactly how everything works.Image:
  • There is on final point to clarify before we jump into the real subject.Explain that “OWASP does not endorse or recommend commercial products or services” (from am using FireFox and ASP.NET simply because I am familiar with both and because they serve my purpose, that’s all. It does not mean that either product is superior to other products. Everything that I demonstrate works equally well with any other browser and any other server-side technology.
  • Introduce a break before Protections or before Effective Protections
  • Here I could connect CSRF to myself, how I learnt about it and how it impressed me at that time. This also connects the audience to the speaker and adds a personal touch.Intro slide: tell how I came to meet CSRF and how shocking it was. All my previous web apps were vulnerable of course. Kind of fell in love with CSRF. Simple yet dangerous and profound. There is so much more to it than what meets the eye. Everybody knows XSS but hardly anyone knows CSRF. Time to change this!
  • CSRF, XCRF,Session Surfing, Sea SurfCSRF coined in 2001 by Peter WatkinsImage: Surfer:
  • The easiest way to introduce CSRF is with a demo.
  • Image:
  • The MITRE Corporation: = Common Vulnerabilities and Exposures:
  • “Numbers represent search volume”Contrast with XSS and SQL Injection.
  • “Let’s be clear here. Just because interest is falling does not mean the threat is gone. Both attacks are as dangerous as always and you have to protect against them.”
  • “It is terribly easy to manipulate with statistics. Therefore, to be fair, let’s compare CSRF directly with XSS and SQL Injection”
  •“Analysis of 15 million cyber attacks by FireHost users found XSS, directory traversals, SQL injections, and cross-site request forgery (CSRF) attacks to be the most serious and frequent and are part of FireHost's 'Superfecta' group. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.”
  • Image:
  • = فديةFocus in oneThe size of the stolen data: 18 millionLargest online shopping siteDemand for ransom
  • global financial institution ( )“the CSRF bug […] found on represents one of the first publicly disclosed CSRF flaws on a bank site. ”“The CSRF bug they found on ING’s site would have let an attacker move funds from the victim’s account to another account ”
  • certain cases, the LIKE and become a friend function could be executed via CSRF.Bridge: All the previous news reports are pretty old. Does that mean web sites have become more secure now? Well, think again, here are brand new article, again from facebook.
  • Amazon: manipulate recently bought books
  • Image:
  • Image:
  • Image:
  • No popups, no alerts, no unusual behaviours, totally silentImage: image:
  • No special tools or deep knowledge necessary.No need for sniffing, no need for access to traffic in the middle.Image:
  • CSRF penetrates areas that are considered secure: Intranet and admin areasTell story about cat ladders that are sometimes hard to believe that a cat can actually use it.
  • A video to diversify the media.
  • Image:
  • Counterintuitive: admin areas feel safe, so they are many times not appropriately secured.
  • Reason for underestimation: hard to detect attacks taking place. They look like legitimate accesses.Compare this for example to XSS and SQLi: both leave identifiable traces in the request and in the server.Underestimated in two senses of the word:Not taking the risk seriouslyNot accurately reflected in statistics (due to being hard to detect)Image:
  • All of the characteristics described so far are bad enough, it gets worse: here is the reason why CSRF is truly evil and so powerful.Compare with XSS, SQL injection: protection by default (out of the box)Compare with HIV/AIDS prevention: three elements are necessary:Awareness of the threatKnowledge about the protectionActual use of protectionAdd that with HIV prevention, an even better protection is of course a monogamous relationship. However, the web world is by its nature completely promiscuous.Image:
  • Bridge: to be able to protect yourself or your web site from CSRF, we need to learn first how CSRF actually works.Image:
  • Build up the diagram piece by piece. Mention that the beginning might be terribly simple but no worries, it will get more involved later on Image:
  • Mention: less interesting in the context of CSRF since GET is (should be) idempotent (= no changes on the server)
  • For POST, image of a form and arrows from the fields to the internet
  • Show first diagram.This is the state of the Internet at its very beginning => very simple.Point out something strange: how does facebook know who I am? How does it know on which wall to post? => need for identity.
  • A user identity is just a random number.Mention that session id is the technical term.
  • Overlay: domains (keep it simple: no need to mention subdomains, etc)Images:
  • This slide introduces the baseline diagram that is used in several of the following slides. Make sure that the audience understands its components.
  • Give a demo with traffic inspector here => audience can see real traffic for the first time, including GET, POST and cookies
  • Explain the problem and mention the confused deputy
  • “poor man’s CSRF”: but many times succeeds!Via image, iframe, script (GET)Nearly same diagram as with POSTIMG SRC  <imgsrc="http://host/?command">  SCRIPT SRC  <script src="http://host/?command">  IFRAME SRC  <iframesrc="http://host/?command">
  • Demo: carry out the initial attack and this time show the traffic. Show real headers
  • Image:
  • Point out spelling mistake?On the face of it, thereferer header would be the best and most natural protection that would do away with all CSRF attacks immediately. The number onereason why CSRF works is because the server has no way to know from which page a request came. It only sees the identifying cookie and is happy with it. Explain, demo: show in network inspectorDiscuss privacy issue with refererImage: letter with sender’s address
  • Mention how much info can be inside a typical SharePoint URL.Image:
  • Diagram to explain tracking sites and how they gain their information.
  • Then demonstrate with Collusion Collusion does NOT yet work with FF 18 (as of 12.1.2013).Make sure you run the demo on
  • “Unless you actively protect yourself, your privacy is seriously violated in the internet.”Bridge: fortunately, there are any number of add-ons that block the Referer header. I am only showcasing one of them: HeaderControlRevived.
  • However, HTTPS + Referer is quite practical. The Referer is usually sent with same-domain HTTPS requests, and is NEVER sent with cross-domain HTTPS.Prop: bring isolated cable and connect with a listener in the first row. A neat way to showcase the effect of HTTPS.Image:
  • “This time, all transmission between the server and the client are protected. So what? The green cookie is still delivered to the server.”
  • “So protecting the transmission channel does not work. How about protecting the cookies, then?”
  • “The point here is that the malicious JavaScript code does not have to read the cookie at all, because the browser sends the httpOnly cookie by itself to the green server.As a side note, the browser itself prevents code from the red page to read the cookies for the green site anyways.”
  • “This time, all transmission between the server and the client are protected. So what? The green cookie is till delivered to the server.”
  • “None of the built-in features of HTTP protocol provide sufficient protection against CSRF.”
  • Image: 2:
  • Diagram: user, browser, server, application protectionsDraw roadmap with a detour to application and then back to server. Explain the reason for the detour: “never use a tool that you don’t understand what it does”Also, allows to end with OWASP which is really cool.Mention that CSRF is interesting because there are any number of ways to protect against it (unlike, e.g. XSS or SQLi).Connect the user and developer side to the audience.Image:
  • “For each of the following protections, I will show you the CSRF diagram and pinpoint exactly why the protection works and how it works.And we will discuss how friendly and how strong the protection is.”Image:,
  • “In my country/in Europe, we are big fans of separate our waste into separate bins. For example, we have separate bins for plastic bottles, glass and metal.” Image:
  • But is this practical? Is it even safer? Only marginally, because most likely, the CSRF attack will happen inside the “everything else” browser.Extreme measure.Seriously, who does that? Very user unfriendly, dumps all the responsibility on the user. Almost paranoid. Besides, there are only so many browsers out there. If you have used up IE, FireFox, Chrome and Opera, then your busted anyway  => stay humorous.But: very secure
  • A CSRF attack from browser B will not succeed because no cookie is sent to the web server.Assessment: very secure but also very inconvenient.
  • Lessextreme than different browsers, but still not very user friendly. Most people use their personal machines, so why sign out and sign in all the time?
  • When a user signs out, the cookie with the user identity is destroyed. Once signed out, a CSRF attack will not succeed any more.
  • Really in between client and server side. The cookie lifetime is determined by the web application.Signs out the user automatically, kind of an extension of the previous slide.Image:
  • Assessment
  • “Manually signing out or even more so using multiple browsers is a bit tedious. It would be a lot more convenient if the browser could protect us from CSRF. And there is good news: this is really possible! There are multiple browser add-ons out there that do exactly this.”CsFireNoScript Application Boundaries Enforcer (ABE)Request PolicyDemo CsFire (does not seem to work properly with subdomains) or Request Policy (works great, always blocks)Mention that all of these add-ons try to distinguish between legitimate and illegitimate cross-site calls.Image:
  • Here is one place where it looks a bit like magic By default, CsFire will prevent cookies from being sent across domains. You can also go and change the settings to suppress the entire request altogether.Need to mention that sometimes, cross-site cookies or cross-site requests are legitimate and even essential for transactions to work. Examples are single-sign on or eBanking sites.
  • Here is one place where it looks a bit like magic By default, CsFire will prevent cookies from being sent across domains. You can also go and change the settings to suppress the entire request altogether.Need to mention that sometimes, cross-site cookies or cross-site requests are legitimate and even essential for transactions to work. Examples are single-sign on or eBanking sites.
  • Showcase the alert andthe request suppression.
  • School of thought: The application must defend itselfYou cannot rely on the client to be protected.Fundamentally, all server-side protections increase the claims coming from the client side.Image:
  • Sending the correct cookie and a form is not enough. The client must send some kind of proof along with the request.Bridge: There is a large number of ways this proof can be sent.
  • Used for high impact or security related settings. Would be too annoying for everyday operations.
  • Not very user friendly, in fact, annoyingAlso pretty weak: only proofs that you’re human, not the actual identity.There are services dedicated to CAPTCHA solving.human assisted: automated:
  • online + email, online + mobile(ATM: presence + PIN + card)Image:
  • Assessment: Very secure, but costly for the issuer (SMS, letters, special devices)
  • AKA Dynamic Authorization Token (DAT)“Instead of requiring the client to provide proof, why not let the server generate and send the proof itself? The client then returns the same proof and we’re done.”Explain the idea with the sealed letter.Image:
  • The server keeps the master copy of the snowflake for later comparison.Explain that the red JavaScript cannot read the token from inside the green form: same-origin policy.Explain drawback of the simple request validation token approach: state on the server
  • AKA Synchroniser Token Pattern (OWASP terminology)Benefit:Avoidsstate on the server.Similarity to dual-factor authentication (previous slide): proof arrives to the server via cookie and form.
  • “This time, the snowflake is sent both inside a cookie and inside the form. Both are sent back to the server, where they are checked for identity. We end up with so many snowflakes, it almost feels like winter.  “Explain double submit and the benefit. Equality check on the server.The red JavaScript cannot read the green snowflake (because of they originate from different servers).Let the audience guess the weakness: Snowflakes could be stolen and reused for any other sessions or users. They can even be stored for later. Heck, you can simply produce your own values (if you find a way to set green cookies, which is possible in some circumstances).
  • The problem with the double submit token from the previous slide is that the entire protection is in the hands of the clients.
  • Tell the story of the thief in the souq al-araby who replaced the padlocks in the shops with his own and then broke into the shops later in the night with his own key.Bring two identical padlocks and keys.
  • literally have to find a way to protect the protection. However, there is a small problem: we cannot simply keep the padlock inside (on the server) – we need to round-trip the token to the client and back. Hmmm…Fortunately, mathematics and cryptography can help up out.Image:
  • To protect the token, we can merge it mathematically with the session identity. Keep in mind that all these icons are in reality just numbers.A crucial feature is that neither session identity nor the (original) token can be regenerated from the protected token (hash). We can however verify that a given protected token belongs to a session identity (yes/no). That’s the question that the server asks whenever a protected token arrives.
  • This is the recommended best practice to prevent CSRF attacks.By now things have become pretty involved. Would be challenging to implement this yourselves.“You might be asking yourselves: am I supposed to implement all of this myself? The good news is that the answer is: no.”Mention ASP.NET MVC’s AntiRequestForgeryToken
  • Showcase the ASP.NET MVC version.
  • “But it gets even better: you do not even have to go over each form separately, you can apply the protection on the application and server level. The friendly people from OWASP did all the hard work already.”Don’t go into too much detail here. Leave a teaser for the audience to investigate on their own.
  • Time to draw strings together.Diagram showing user friendliness against effectiveness of the protection. CsFire is outside the scale: sometimes it is too effective! => humorous element.Discuss the appropriate location with the audience. Mention that the exact location is certainly negotiable.
  • No-one says you can only use a single protection in your site. Let’s see which protectionsfacebook uses.Image:
  • Ask the audience which one to show first. Hopefully – and predictably – they will choose the bad news first.The first four questioners receive a roll of cookies.
  • Transcript

    • 1. About the Speaker Abdullah Ulber MSc in Computer Science Swiss Olympiad in Informatics Senior Software Architect Web Developer Volunteer at OWASP Khartoum
    • 2. OWASP Mission Lots of demos Lots of diagrams "to make application security visible so that people and organisations can make informed decisions about application security risks" Lots of stuff covered“Everything you ever wanted to know about CSRF ”
    • 3. What OWASP is NOT Hogwarts School of Witchcraft And Wizardry
    • 4. Product Neutrality“OWASP does not endorse or recommend commercial products orservices, allowing our community to remain vendor neutral with thecollective wisdom of the best minds in software security worldwide.”
    • 5. Character How CSRFIntroduction Motivation Protections Study Works
    • 7. CSRF, pronounced "sea surf"First mention in 2001 by Peter Watkins.The attack withthe coolest name.“Im afraid CSRF is going to be a mess to deal with inmany cases. Like trying to tame the seas.”
    • 8. A Magic Trick
    • 10. Predictions 2007OWASP 2007: “CSRF is more prevalentthan its current ranking wouldindicate, and it can be highlydangerous.” MITRE CVE Trends, May 2007: “… there will likely be a significant increase in CSRF reports.” WhiteHat Security, July 2007: “The Sleeping Giant”
    • 11. Interest over Time 2005 2006 2007 2008 2009 2010 2011 2012
    • 12. Unlike XSS and SQL Injection SQL Injection XSS 2005 2006 2007 2008 2009 2010 2011 2012
    • 13. Let’s Be Fair SQL Injection XSS CSRF 2005 2006 2007 2008 2009 2010 2011 2012
    • 14. CSRF and XSS: The Evil Twins 12 9 32 29 CSRF 27 40 30 35 XSS 43 24 38 Directory 24 Traversal 14 21 10 12 SQL Injection Total 2011 Q1 2012 Q2 2012 Q3 2012 Statistics by Firehost
    • 15. In the News
    • 16. Strike #1 Feb 2008
    • 17. Strike #2 Sept 2008
    • 18. Strike #3 May 2010
    • 19. A Career Alternative? Aug 2012
    • 20. More Victims cPanel osCommerce Amazon Ebay Gmail … and countless more
    • 22. Remote Control
    • 23. No Damage Ceiling Purchase of unwanted/unexpected items Change the “Ship To:” address Password Reset / User Account modification Add contact or “friend”
    • 24. Silent but DeadlyNo browser warningsNo popups No unusual behaviour whatsoever
    • 25. Easily Mountable No DNS manipulations No wire-tapping “Even a monkey can do it.”
    • 26. Sneaky
    • 27. Sneaky
    • 28. Intranet Penetration
    • 29. Administration Areas
    • 30. Underestimated Hard to detect CSRF attacks fly under radar Under-reported
    • 31. Unprotected by Default Unlike XSS and SQL Injection 1. Awareness of the threat 2. Knowledge of the protection 3. Use of protection
    • 32. A Toxic Mix Remote control without damage ceiling Silent But deadly Sneaky Underestimated Unprotected by default
    • 33. HOW CSRF WORKS
    • 34. Internet 101
    • 35. GET
    • 36. POST
    • 37. Regular Browsing GET Browser Web Server GET link POST form link form
    • 38. User Identity
    • 39. On the Server: Session State3059750700 012299210
    • 40. On the Client: Cookies 3059750700
    • 41. Regular Browsing With Identity Browser Web Server GET link POST form
    • 42. Prepare For Attack
    • 43. POST-Based CSRF Browser Web Server POST form POST Evil Web Server JavaScript
    • 44. From the Server’s Perspective Web Server Confused deputy problem
    • 45. GET-Based CSRF (Poor Man’sVersion) Browser Web Server POST form GET Evil Web Server image
    • 47. Ineffective Protections
    • 48. Referer Header
    • 49. The Server’s Perspective withReferer Web Server referer
    • 50. Corporate Information Leaks link referer
    • 51. Behaviour Tracking Tracking site Tracking cookie
    • 52. Real-Life Behaviour Tracking
    • 53. A Helpful Venn Diagram
    • 54. HTTPS
    • 55. HTTPS Browser Web Server protected POST form POST Evil Web Server JavaScript
    • 56. Protected Cookies httpOnly “secure” invisible to JavaScript sent only via HTTPS
    • 57. Protected Cookies: httpOnly Browser Web Server can’t read POST form can’t read POST Evil Web Server JavaScript
    • 58. Protected Cookies: secure Browser Web Server protected POST form POST Evil Web Server JavaScript
    • 59. Ineffective Protections: SummaryReferer Header HTTPS Secure CookiesWould be the perfect Good in their own respects, butsolution but suffers unfortunately do not help with CSRF.from privacy issues.
    • 60. Effective Protections
    • 61. Protections by Location Client-side Server-side ServerUser Browser App
    • 62. Client-Side Protections
    • 63. Separation of Concerns
    • 64. Use of Separate Browsers facebook email everything else
    • 65. Use of Separate Browsers Browser A Web Server POST form POST Browser B Evil Web Server JavaScript
    • 66. Sign Out
    • 67. Sign Out Browser Web Server POST form POST Evil Web Server JavaScript
    • 68. Cookie Expiry
    • 69. Cookie Expiry Browser Web Server POST form POST Evil Web Server JavaScript
    • 70. Anti-CSRF Browser Add-Ons CsFire NoScript: Application Boundaries Enforcer (ABE) Request Policy
    • 71. Anti-CSRF Browser Add-Ons(CsFire) Browser Web Server POST form POST Evil Web Server JavaScript
    • 72. Anti-CSRF Browser Add-Ons (RequestPolicy) Browser Web Server POST form Evil Web Server JavaScript
    • 73. Server-Side Protections The server has to defend itself. Don’t rely on the client. Let the client prove its legitimate origin.
    • 74. The Burden of Proof Web Server + proof
    • 75. Re-Authentication
    • 76. Re-Authentication Browser Web Server form POST password ? Evil Web Server JavaScript
    • 77. CAPTCHA Very unfriendly. Only proves that you are human.
    • 78. CAPTCHA Browser Web Server form POST solution ? Evil Web Server JavaScript
    • 79. Dual-Factor Authentication
    • 80. Dual-Factor AuthenticationBrowser Web Server POST form POST Evil Web Server JavaScript
    • 81. Request Validation Token
    • 82. Request Validation Token Browser Web Server form POST can’t read ? POST Evil Web Server JavaScript
    • 83. Double Submit Token aka “Synchroniser Token Pattern” (OWASP terminology) via cookie via form
    • 84. Double Submit Token Browser Web Server form POST ? POST Evil Web Server JavaScript
    • 85. Good and Evil on the Web Client Server
    • 86. The Padlock Thief
    • 87. Protect the Protection
    • 88. HMAC (Hash-based message authenticationcode) Session identity ? Protected token Token
    • 89. Protected Double Submit Token Browser Web Server form POST ? POST Evil Web Server JavaScript
    • 90. Pluggable Protection Web Server CSRFGuard Library Apache IIS Web ModSecurity CRS Project Application Java PHP .NET
    • 91. Take Your Pick browser add-onshigh separate browsers sign out double submit token Effectiveness re-authenticate dual factor auth. CAPTCHA cookie expiry low low User Friendliness high
    • 92. Multiple Protections double submit token re-authentication dual-factor authentication CAPTCHA cookie expiry All !
    • 93. Take-Aways Questions? The bad news The good newsCSRF is a clear and present There are many protectionsdanger. available.CSRF is on the rise. Tools are your friends.
    • 94. Planned Upcoming Presentations Hijacking Bonanza (SSL/TSL, NTLM, JSON) Web Server Hardening (Apache/IIS) Secure Development Practices (PHP/ASP.NET) Application Defense in Depth HTML5 Content Security Policy - The End of XSS ?