Cross-site request forgery (CSRF) is an attack that tricks an authenticated user into performing actions on a website that they did not intend to perform. It works by including unauthorized commands in requests that the user makes, such as changing their password or making purchases without their knowledge. Developers can prevent CSRF attacks by using techniques like synchronizer tokens that are unique to each user's session and rejecting requests that do not include a valid token. Other protections include active measures that require user interaction and the use of CORS and the SameSite cookie attribute.
2. Cross-Site Request Forgery
Definition
OWASP:
Cross-Site Request Forgery (CSRF) is
an attack that forces an end user to
execute unwanted actions on a web
application in which they're currently
authenticated.
Aaron:
“Con” or “Trick” a user into performing
an action (Username/Password Change,
Make Purchase, etc.), without the user
realizing it.
Example
Login: safe.com
notevil.com
Bob
4. Active:
User Interaction
- Authenticate, CAPTCHA, etc.
CSRF-Protection
Passive:
Synchronizer Token
- Unique per user session
- Large random value
- REJECT the action if the token
fails validation
* Cookie SameSite Attribute
Types Example
Login: safe.com
notevil.com
Bob
5. POST /v2/api/user HTTP/1.1
Content-Type: application/json
{"name":"bob"}
Single Page Application
Angular, Node, Sails, Express, etc.
- Dynamically Updated Pages (AJAX)
- Clean modern feel
- Responsive
About Example
Login: safe.com
notevil.com
Bob
OPTIONS /v2/api/user HTTP/1.1
6. C.O.R.S
Cross Origin Resource Sharing
Non “simple-requests” require CORS preflight
Simple Request
Simple Method: GET | POST | HEAD
Simple Headers: Accept, Accept-Language, Content-Language
Content-Type: Valid enctype for <form> element
application/x-www-form-urlencoded
multipart/form-data
text/plain
Preflight
Send OPTIONS with Access-Control-Request-*
Access-Control-Allow-*
match - proceed
application/json is not “simple”
8. Login: safe.com/v2/
safe.com
notevil.com
Bob
POST /final/redir.php?endpoint=http://safe.com/v2/api/user
Host: notevil.com
Content-Type: application/json
{“name”:“CSRF-JSON”}
Preflight Bypass
test.swf?endpoint=http://safe.com/v2/api/user
&reqmethod=POST
&ct=application/json
&jsonData={%22name%22:%22CSRF-JSON%22}
&php_url=http://notevil.com/final/redir.php
POST /v2/api/user
Host: safe.com
Content-Type: application/json
Cookie:session=1a2b3c;
{“name”: “CSRF-JSON”}
HTTP/1.1 307 Temporary Redirect
Location: http://safe.com/v2/api/user
notevil.com
or
9. Why
was Flash used?
Implemented Crossdomain policy pre CORS
CORS preflight is bypassed
Flash can craft HTTP requests
use a 307 instead of 302 Redirect?
The only difference between 307 and 302 is that 307 guarantees
that the method and the body will not be changed when the
redirected request is made
11. Final Thoughts
Every state changing request protected
- Active e.g. Require Password
- Passive e.g. Unguessable Token
CSRF protection included in framework
- Ensure it is enabled/Tokens Validated
Cookie SameSite attribute
click
Bob browses to safe.com
click
Safe.com sets a cookie to identify Bobs session
Browser stores the cookie and sends it with future requests destined for safe.com
Show new tab session in VM
click
Malicious site instructs browser to send request to safe.com
withCredentials instructs browser to include cookies or authentication mechanisms
Click
Browser sends the request and the cookie, just like bob
Question: Take a second and think about your site. What functionality does you site perform? How does your site verify the user intended to perform the request?
Checkout Kids from Daycare
Paybills
Change Address, Order Cheezy Bread and Mountain Dew
Demo Profile3 Alice - Attacker can set up the attack and forget about it
Not new - been around since the dawn of the HTML form when GeoCities ruled the web. There was a talk at an OWASP meeting in 2006 about Session Riding, which indicated the attack had been publicly known since 2001. More recent example:
Click - next slide
Twitter was the victim of CSRF attack the received the title the GOAT WORM
Click til 4 GOATS
Thousands of users clicked the link and spread the worm
The impact of CSRF can vary from annoying to serious - was on the OWASP top10 for a decade
CLICK
Top5 in 2007 and 2010, slid to #8, removed in 2017
“as many frameworks include CSRF defenses, it was found in only 5% of applications.”
From my experience, it is closer to 50%, but it can be prevented
CLICK - next slide
Take another look at Bob
VM - update, redo attack
Click
Application includes large random value
Unique per session
Window of attack is small
CLICK
Cookie SameSite is a future protection, but it is not supported by all browsers right now.
CLICK
Server Validates Token - REJECT if not valid or missing
CLICK
Active protection requires user interaction, which may be preferable depending on the nature of the request
These protection mechanisms have been known and worked for years, however, as technology has evolved people have begun relying more on their frameworks for protections.
Demo VM - update, show JSON request/response
Numerous Benefits to Single Page Applications
CLICK
Bob sends JSON as the body of REQUEST
CLICK
Attacks tries to replicate the request using JavaScript
CLICK
Bob sends OPTIONS and request dies
False Sense of Security
CLICK for next slide
CORS preflight verifies what the external site allows or accepts
Simple or Basic requests are exempt - easier to define a Simple Request
<click>
Most Single Page Applications pass data as JSON
<click>
<click>
With the OPTIONS request first, as long as I don’t allow credentials I’m safe. Right?
4 Security Considerations
The resource still MUST protect itself against CSRF attacks, such as by requiring the inclusion of an unguessable token
https://www.w3.org/TR/cors/
DEMO - CSRF w/ SWF
was Flash used?
Implemented Crossdomain policy pre CORS
CORS preflight is bypassed
Flash can craft HTTP requests
The observant people may have notice it was not a standard 302
use a 307 instead of 302 Redirect?
The only difference between 307 and 302 is that 307 guarantees
that the method and the body will not be changed when the
redirected request is made
DEMO VM - update JSON protected
Protect state changing requests
<click>
<click>
<click>
<click>
Ensure it is enabled - sometimes it’s as simple as enabling it in a config
<click>
SameSite attribute could be a future solution. Don’t rely on it now, because it’s only supported for %68 of users
<click>
Here’s some references if you’d like to learn more. Or track me down afterwords.