CSRF, ClickJacking & Open Redirect

CSRF, ClickJacking & Open Redirect
CSRF (Cross Site Request Forgery) ClickJacking & Open Redirects
Cross Site Request Forgery (CSRF) •  Generic CSRF is with GET / POST •  Forcefully sending request to the target applicaEon with cookie replay •  Leveraging tags like –  IMG –  SCRIPT –  IFRAME •  Not abide by SOP or Cross Domain is possible
Request generaEon IMG SRC <img src="hOp://host/?command"> SCRIPT SRC <script src="hOp://host/?command"> IFRAME SRC <iframe src="hOp://host/?command">
Request generaEon 'Image' Object <script> var foo = new Image(); foo.src = "hOp://host/?command"; </script> XHR – Cross domain difficult
Request generaEon •  It is possible to generate POST as well •  Form can be build dynamically and buOon click from JavaScript is possible <script type="text/javascript" language="JavaScript"> document.foo.submit(); </script>
Cross Site Request Forgery (CSRF) •  What is different with Web 2.0 – Is it possible to do CSRF to XML stream – How? – It will be POST hitting the XML processing resources like Web Services – JSON CSRF is also possible – Interesting check to make against application and Web 2.0 resources
One Way CSRF Scenario
One-‐Way CSRF
One-‐Way CSRF •  <html> •  <body> •  <FORM NAME="buy" ENCTYPE="text/plain" acEon="hOp:// trade.example.com/xmlrpc/trade.rem" METHOD="POST"> •  <input type="hidden" name='<?xml version' value='"1.0"? ><methodCall><methodName>stocks.buy</ methodName><params><param><value><string>MSFT</string></ value></param><param><value><double>26</double></value></ param></params></methodCall>'> •  </FORM> •  <script>document.buy.submit();</script> •  </body> •  </html>
Forcing XML •  Spligng XML stream in the form. •  Possible through XForms as well. •  Similar techniques is applicable to JSON as well.
Two-‐Way CSRF •  One-‐Way – Just making forceful request. •  Two-‐Way – Reading the data coming from the target – May be getting hold onto important information – profile, statements, numbers etc. – Is it possible with JSON/XML
Two-‐Way CSRF
Two-‐Way CSRF •  ApplicaEon is serving various streams like – JSON, JS-‐Object, Array etc.
Two-‐Way CSRF
Two-‐Way CSRF •  AOacker page can make cross domain request using SCRIPT (firefox) •  Following code can overload the array stream. funcEon Array() { var obj = this; var index = 0; for(j=0;j<4;j++){ obj[index++] seOer = spoof; } } funcEon spoof(x){ send(x.toString()); }
Two-‐Way CSRF
Two-‐Way CSRF •  It is possible to overload these objects. •  Reading and sending to cross domain possible. •  Opens up two way channel for an aOacker. •  Web 2.0 streams are vulnerable to these aOacks.
Countermeasure •  Server Side Checks –  Check for client’s content-type. –  XHR calls – xml/application. –  Native calls – text/html. –  Filtering is possible on it. •  Client Side Checks –  Stream can be started and terminated by /* or any predefined characters. –  Client can remove them before injecting to DOM.
Clickjacking
DescripEon • Clickjacking is a popular name for an old aOack method called “UI redressing” • Though a case of “old wine in a new boOle”, given the current development in Web standards (Web 2.0, AJAX, etc), one cannot ignore the risks posed by this vulnerability • The basic philosophy of this aOack is to fool the user into clicking a malicious link
DescripEon •  Clickjacking involves “hijacking” the user's mouse clicks •  This means, the user thinks (s)he's clicking on something, but is actually not •  The user, invariably and unknowingly authorizes certain acEons which could have disasterous consequences or could be as harmless as being redirected to a games site
AOack Anatomy •  There are 3 popular ways in which aOackers perpetrate this vulnerability –  Using invisible elements such as iframes –  Injecting malicious javascript (or any other client side scripting language) –  Leveraging a bug in Adobe Flash Player (this method is now obsolete)
AOack Anatomy •  An aOacker uses the concept of layering to crat an aOack •  Basically, the page that the user views, will have layers •  Some of these layers will be transparent (or invisible) •  The user will never know of the invisible layers and will end up making a wrong choice
AOack Anatomy •  Lets first understand this basic mechanism with an example and then move on to the different ways of perpetraEng this aOack ....
AOack Anatomy Send email to all users ? Yes No Actual intented content ....
AOack Anatomy Send email to all users ? Yes No Do you want a free iPad? No Intended content .... Malicious content for clickjacking
AOack Anatomy Send email to all users ? Yes No Do you want a free iPad? No When the two are super imposed … (“Send email to all users?” Will not be visible, it is shown here for clarity)
Unvalidated Redirects & Forwards
DescripEon •  Web applicaEons are having its own “flow” •  Business flow needs movement between pages and sites •  ApplicaEon uses same domain or cross domain redirects and forwards •  It allows applicaEons to work easily and access same domain or cross domain resources (Single Sign On – leveraging)
DescripEon •  HTTP requests can be GET or POST •  Parameters are not validated and can lead to arbitrary redirects •  This can be leveraged at ease and get exploited by an aOacker •  AOacker exploits the trust and leverage the vulnerability
AOack Anatomy •  As a part of root cause, there must be a redirect hole •  Example, – http://foo.bank.com/login.aspx? user=xxx&page=trade.aspx •  Here “page” is a vulnerable parameter •  What if? Some one put page=hOp:// yahoo.com …
AOack Anatomy Attacker foo.bank.com http://foo.bank.com/login.aspx?user=xxx& page=http://yahoo.com Get redirect or JavaScript call for loading yahoo.com Vulnerability detected!!!
AOack Anatomy •  What is redirect… – If server sends 302 in its HTTP response – If server sends JavaScript with certain document object calls like “location” •  What will happen… – It will send browser to new location – User will stay in impression that he/she is at trusted site but that is not the case
AOack Anatomy Bank’s user foo.bank.com Login the page Login successful This is what in user’s mind… a.) URL – trusted, foo.bank.com b.) Login form - trusted
AOack Anatomy •  User is doing all his acEviEes •  Full trust is established and day to day work is going on •  Now aOacker’s acEon comes in … •  AOacker sends a mail and request to login and change password immediately as part of banking policies •  AOacker acts as administrator from bank
AOack Anatomy •  Magic is in the link and trust is in the mind. •  User trust the URL and Link both consciously and subconsciously… •  Following link will be sent. http://foo.bank.com/login.aspx?user=xxx&date=12-12-2009&trust=good& page=http://203.88.xx.xx/security.html Link is injected User is going to trust this
AOack Anatomy Click the link Get a redirect response to 203.88.XX.XX 1Link in mail
AOack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Trusted evil redirect 2
AOack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) 3
AOack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) Logs in and do money transfer 4
Conclusion

Check these out next

CSRF, ClickJacking & Open Redirect

Recommended

More Related Content

Slideshows for you(20)

Similar to CSRF, ClickJacking & Open Redirect(20)

More from Blueinfy Solutions(20)

Recently uploaded(20)

CSRF, ClickJacking & Open Redirect