Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to CSRF 101: Understanding Cross-Site Request Forgery
Similar to CSRF 101: Understanding Cross-Site Request Forgery (20)
Recently uploaded
Recently uploaded (20)
CSRF 101: Understanding Cross-Site Request Forgery
- 1. CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics
- 2. Cross-Site Request Forgery Definition OWASP: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. Aaron: “Con” or “Trick” a user into performing an action (Username/Password Change, Make Purchase, etc.), without the user realizing it. Example Login: safe.com notevil.com Bob
- 3. OWASP Top10 Appearances 2007 - A5 2010 - A5 2013 - A8 2017 - Merged or retired, but not forgotten Notable Exploits: `GOAT worm` - Twitter WTF: malicious WTF: malicious WTF: malicious
- 4. Active: User Interaction - Authenticate, CAPTCHA, etc. CSRF-Protection Passive: Synchronizer Token - Unique per user session - Large random value - REJECT the action if the token fails validation * Cookie SameSite Attribute Types Example Login: safe.com notevil.com Bob
- 5. POST /v2/api/user HTTP/1.1 Content-Type: application/json {"name":"bob"} Single Page Application Angular, Node, Sails, Express, etc. - Dynamically Updated Pages (AJAX) - Clean modern feel - Responsive About Example Login: safe.com notevil.com Bob OPTIONS /v2/api/user HTTP/1.1
- 6. C.O.R.S Cross Origin Resource Sharing Non “simple-requests” require CORS preflight Simple Request Simple Method: GET | POST | HEAD Simple Headers: Accept, Accept-Language, Content-Language Content-Type: Valid enctype for <form> element application/x-www-form-urlencoded multipart/form-data text/plain Preflight Send OPTIONS with Access-Control-Request-* Access-Control-Allow-* match - proceed application/json is not “simple”
- 7. C.O.R.S is not a security specification
- 8. Login: safe.com/v2/ safe.com notevil.com Bob POST /final/redir.php?endpoint=http://safe.com/v2/api/user Host: notevil.com Content-Type: application/json {“name”:“CSRF-JSON”} Preflight Bypass test.swf?endpoint=http://safe.com/v2/api/user &reqmethod=POST &ct=application/json &jsonData={%22name%22:%22CSRF-JSON%22} &php_url=http://notevil.com/final/redir.php POST /v2/api/user Host: safe.com Content-Type: application/json Cookie:session=1a2b3c; {“name”: “CSRF-JSON”} HTTP/1.1 307 Temporary Redirect Location: http://safe.com/v2/api/user notevil.com or
- 9. Why was Flash used? Implemented Crossdomain policy pre CORS CORS preflight is bypassed Flash can craft HTTP requests use a 307 instead of 302 Redirect? The only difference between 307 and 302 is that 307 guarantees that the method and the body will not be changed when the redirected request is made
- 10. Active and Passive protections work
- 11. Final Thoughts Every state changing request protected - Active e.g. Require Password - Passive e.g. Unguessable Token CSRF protection included in framework - Ensure it is enabled/Tokens Validated Cookie SameSite attribute
- 12. Goat Attack: https://nakedsecurity.sophos.com/2010/09/26/wtf-twitter-goat-viral-message-spreads/ CORS Summary: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Functional_overview CORS Specification: https://www.w3.org/TR/cors/ Simple Content-Types: https://www.w3schools.com/tags/att_form_enctype.asp SWF CSRF: https://github.com/sp1d3r/swf_json_csrf Redirect Summary: https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections CSRF Prevention: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet CSRF General: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) Feature Checker: https://caniuse.com/#feat=same-site-cookie-attribute
Editor's Notes
- click Bob browses to safe.com click Safe.com sets a cookie to identify Bobs session Browser stores the cookie and sends it with future requests destined for safe.com Show new tab session in VM click Malicious site instructs browser to send request to safe.com withCredentials instructs browser to include cookies or authentication mechanisms Click Browser sends the request and the cookie, just like bob Question: Take a second and think about your site. What functionality does you site perform? How does your site verify the user intended to perform the request? Checkout Kids from Daycare Paybills Change Address, Order Cheezy Bread and Mountain Dew Demo Profile3 Alice - Attacker can set up the attack and forget about it Not new - been around since the dawn of the HTML form when GeoCities ruled the web. There was a talk at an OWASP meeting in 2006 about Session Riding, which indicated the attack had been publicly known since 2001. More recent example: Click - next slide
- Twitter was the victim of CSRF attack the received the title the GOAT WORM Click til 4 GOATS Thousands of users clicked the link and spread the worm The impact of CSRF can vary from annoying to serious - was on the OWASP top10 for a decade CLICK Top5 in 2007 and 2010, slid to #8, removed in 2017 “as many frameworks include CSRF defenses, it was found in only 5% of applications.” From my experience, it is closer to 50%, but it can be prevented CLICK - next slide
- Take another look at Bob VM - update, redo attack Click Application includes large random value Unique per session Window of attack is small CLICK Cookie SameSite is a future protection, but it is not supported by all browsers right now. CLICK Server Validates Token - REJECT if not valid or missing CLICK Active protection requires user interaction, which may be preferable depending on the nature of the request These protection mechanisms have been known and worked for years, however, as technology has evolved people have begun relying more on their frameworks for protections. Demo VM - update, show JSON request/response
- Numerous Benefits to Single Page Applications CLICK Bob sends JSON as the body of REQUEST CLICK Attacks tries to replicate the request using JavaScript CLICK Bob sends OPTIONS and request dies False Sense of Security CLICK for next slide
- CORS preflight verifies what the external site allows or accepts Simple or Basic requests are exempt - easier to define a Simple Request <click> Most Single Page Applications pass data as JSON <click> <click> With the OPTIONS request first, as long as I don’t allow credentials I’m safe. Right?
- 4 Security Considerations The resource still MUST protect itself against CSRF attacks, such as by requiring the inclusion of an unguessable token https://www.w3.org/TR/cors/ DEMO - CSRF w/ SWF
- was Flash used? Implemented Crossdomain policy pre CORS CORS preflight is bypassed Flash can craft HTTP requests The observant people may have notice it was not a standard 302 use a 307 instead of 302 Redirect? The only difference between 307 and 302 is that 307 guarantees that the method and the body will not be changed when the redirected request is made
- DEMO VM - update JSON protected
- Protect state changing requests <click> <click> <click> <click> Ensure it is enabled - sometimes it’s as simple as enabling it in a config <click> SameSite attribute could be a future solution. Don’t rely on it now, because it’s only supported for %68 of users <click>
- Here’s some references if you’d like to learn more. Or track me down afterwords.