Successfully reported this slideshow.

CSRF, ClickJacking & Open Redirect

3

Share

Loading in …3
×
1 of 44
1 of 44

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

CSRF, ClickJacking & Open Redirect

  1. 1. CSRF  (Cross  Site  Request  Forgery)   ClickJacking  &  Open  Redirects  
  2. 2. Cross  Site  Request  Forgery  (CSRF)   •  Generic  CSRF  is  with  GET  /  POST   •  Forcefully  sending  request  to  the  target  applicaEon   with  cookie  replay   •  Leveraging  tags  like   –  IMG –  SCRIPT –  IFRAME •  Not  abide  by  SOP  or  Cross  Domain  is  possible  
  3. 3. Request  generaEon            IMG  SRC      <img  src="hOp://host/?command">        SCRIPT  SRC      <script  src="hOp://host/?command">        IFRAME  SRC      <iframe  src="hOp://host/?command">    
  4. 4. Request  generaEon          'Image'  Object      <script>      var  foo  =  new  Image();      foo.src  =  "hOp://host/?command";      </script>       XHR  –  Cross  domain  difficult  
  5. 5. Request  generaEon   •  It  is  possible  to  generate  POST  as  well   •  Form  can  be  build  dynamically  and  buOon   click  from  JavaScript  is  possible   <script  type="text/javascript"   language="JavaScript">              document.foo.submit();   </script>    
  6. 6. Cross  Site  Request  Forgery  (CSRF)   •  What  is  different  with  Web  2.0   – Is it possible to do CSRF to XML stream – How? – It will be POST hitting the XML processing resources like Web Services – JSON CSRF is also possible – Interesting check to make against application and Web 2.0 resources
  7. 7. One  Way  CSRF  Scenario  
  8. 8. One  Way  CSRF  Scenario  
  9. 9. One  Way  CSRF  Scenario  
  10. 10. One  Way  CSRF  Scenario  
  11. 11. One-­‐Way  CSRF  
  12. 12. One-­‐Way  CSRF   •  <html>   •  <body>   •  <FORM  NAME="buy"  ENCTYPE="text/plain"  acEon="hOp:// trade.example.com/xmlrpc/trade.rem"  METHOD="POST">   •               <input  type="hidden"  name='<?xml  version'  value='"1.0"? ><methodCall><methodName>stocks.buy</ methodName><params><param><value><string>MSFT</string></ value></param><param><value><double>26</double></value></ param></params></methodCall>'>   •  </FORM>   •  <script>document.buy.submit();</script>   •  </body>   •  </html>  
  13. 13. Forcing  XML   •  Spligng  XML  stream  in  the  form.   •  Possible  through  XForms  as  well.   •  Similar  techniques  is  applicable  to  JSON  as   well.    
  14. 14. Two-­‐Way  CSRF   •  One-­‐Way  –  Just  making  forceful  request.   •  Two-­‐Way   – Reading the data coming from the target – May be getting hold onto important information – profile, statements, numbers etc. – Is it possible with JSON/XML
  15. 15. Two-­‐Way  CSRF  
  16. 16. Two-­‐Way  CSRF   •  ApplicaEon  is  serving  various  streams  like  –   JSON,  JS-­‐Object,  Array  etc.    
  17. 17. Two-­‐Way  CSRF  
  18. 18. Two-­‐Way  CSRF   •  AOacker  page  can  make  cross  domain  request   using  SCRIPT  (firefox)   •  Following  code  can  overload  the  array  stream.        funcEon  Array()      {  var  obj  =  this;  var  index  =  0;  for(j=0;j<4;j++){  obj[index++]   seOer  =  spoof;  }  }  funcEon  spoof(x){  send(x.toString());  }    
  19. 19. Two-­‐Way  CSRF  
  20. 20. Two-­‐Way  CSRF   •  It  is  possible  to  overload  these  objects.   •  Reading  and  sending  to  cross  domain  possible.   •  Opens  up  two  way  channel  for  an  aOacker.   •  Web  2.0  streams  are  vulnerable  to  these   aOacks.  
  21. 21. Countermeasure   •  Server  Side  Checks   –  Check for client’s content-type. –  XHR calls – xml/application. –  Native calls – text/html. –  Filtering is possible on it. •  Client  Side  Checks   –  Stream can be started and terminated by /* or any predefined characters. –  Client can remove them before injecting to DOM.
  22. 22. Clickjacking  
  23. 23. DescripEon   • Clickjacking  is  a  popular  name  for  an  old  aOack   method  called  “UI  redressing”   • Though  a  case  of  “old  wine  in  a  new  boOle”,   given  the  current  development  in  Web   standards  (Web  2.0,  AJAX,  etc),  one  cannot   ignore  the  risks  posed  by  this  vulnerability   • The  basic  philosophy  of  this  aOack  is  to  fool   the  user  into  clicking  a  malicious  link  
  24. 24. DescripEon   •  Clickjacking  involves  “hijacking”  the  user's   mouse  clicks   •  This  means,  the  user  thinks  (s)he's  clicking   on  something,  but  is  actually  not   •  The  user,  invariably  and  unknowingly   authorizes  certain  acEons  which  could  have   disasterous  consequences  or  could  be  as   harmless  as  being  redirected  to  a  games  site  
  25. 25. AOack  Anatomy   •  There  are  3  popular  ways  in  which  aOackers   perpetrate  this  vulnerability   –  Using invisible elements such as iframes –  Injecting malicious javascript (or any other client side scripting language) –  Leveraging a bug in Adobe Flash Player (this method is now obsolete)
  26. 26. AOack  Anatomy   •  An  aOacker  uses  the  concept  of  layering  to   crat  an  aOack   •  Basically,  the  page  that  the  user  views,  will   have  layers   •  Some  of  these  layers  will  be  transparent  (or   invisible)     •  The  user  will  never  know  of  the  invisible   layers  and  will  end  up  making  a  wrong   choice  
  27. 27. AOack  Anatomy   •  Lets  first  understand  this  basic  mechanism   with  an  example  and  then  move  on  to  the   different  ways  of  perpetraEng  this  aOack  ....  
  28. 28. AOack  Anatomy   Send email to all users ? Yes No Actual intented content ....
  29. 29. AOack  Anatomy   Send email to all users ? Yes No Do you want a free iPad? No Intended content .... Malicious content for clickjacking
  30. 30. AOack  Anatomy   Send email to all users ? Yes No Do you want a free iPad? No When the two are super imposed … (“Send email to all users?” Will not be visible, it is shown here for clarity)
  31. 31. Unvalidated  Redirects  &   Forwards  
  32. 32. DescripEon   •  Web  applicaEons  are  having  its  own  “flow”   •  Business  flow  needs  movement  between   pages  and  sites   •  ApplicaEon  uses  same  domain  or  cross   domain  redirects  and  forwards   •  It  allows  applicaEons  to  work  easily  and  access   same  domain  or  cross  domain  resources   (Single  Sign  On  –  leveraging)  
  33. 33. DescripEon   •  HTTP  requests  can  be  GET  or  POST   •  Parameters  are  not  validated  and  can  lead  to   arbitrary  redirects   •  This  can  be  leveraged  at  ease  and  get   exploited  by  an  aOacker   •  AOacker  exploits  the  trust  and  leverage  the   vulnerability  
  34. 34. AOack  Anatomy   •  As  a  part  of  root  cause,  there  must  be  a   redirect  hole   •  Example,   – http://foo.bank.com/login.aspx? user=xxx&page=trade.aspx •  Here  “page”  is  a  vulnerable  parameter   •  What  if?  Some  one  put  page=hOp:// yahoo.com  …  
  35. 35. AOack  Anatomy   Attacker foo.bank.com http://foo.bank.com/login.aspx?user=xxx& page=http://yahoo.com Get redirect or JavaScript call for loading yahoo.com Vulnerability detected!!!
  36. 36. AOack  Anatomy   •  What  is  redirect…   – If server sends 302 in its HTTP response – If server sends JavaScript with certain document object calls like “location” •  What  will  happen…   – It will send browser to new location – User will stay in impression that he/she is at trusted site but that is not the case
  37. 37. AOack  Anatomy   Bank’s user foo.bank.com Login the page Login successful This is what in user’s mind… a.) URL – trusted, foo.bank.com b.) Login form - trusted
  38. 38. AOack  Anatomy   •  User  is  doing  all  his  acEviEes   •  Full  trust  is  established  and  day  to  day  work  is   going  on   •  Now  aOacker’s  acEon  comes  in  …   •  AOacker  sends  a  mail  and  request  to  login  and   change  password  immediately  as  part  of   banking  policies   •   AOacker  acts  as  administrator  from  bank  
  39. 39. AOack  Anatomy   •  Magic  is  in  the  link  and  trust  is  in  the  mind.   •  User  trust  the  URL  and  Link  both  consciously   and  subconsciously…   •  Following  link  will  be  sent.   http://foo.bank.com/login.aspx?user=xxx&date=12-12-2009&trust=good& page=http://203.88.xx.xx/security.html Link is injected User is going to trust this
  40. 40. AOack  Anatomy   Click the link Get a redirect response to 203.88.XX.XX 1Link in mail
  41. 41. AOack  Anatomy   Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Trusted evil redirect 2
  42. 42. AOack  Anatomy   Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) 3
  43. 43. AOack  Anatomy   Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) Logs in and do money transfer 4
  44. 44. Conclusion  

×