Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
CSRF	
  (Cross	
  Site	
  Request	
  Forgery)	
  
ClickJacking	
  &	
  Open	
  Redirects	
  
Cross	
  Site	
  Request	
  Forgery	
  (CSRF)	
  
•  Generic	
  CSRF	
  is	
  with	
  GET	
  /	
  POST	
  
•  Forcefully	
...
Request	
  generaEon	
  
	
  	
  	
  	
  	
  IMG	
  SRC	
  
	
  	
  <img	
  src="hOp://host/?command">	
  
	
  
	
  	
  SC...
Request	
  generaEon	
  
	
  	
  	
  	
  'Image'	
  Object	
  
	
  	
  <script>	
  
	
  	
  var	
  foo	
  =	
  new	
  Imag...
Request	
  generaEon	
  
•  It	
  is	
  possible	
  to	
  generate	
  POST	
  as	
  well	
  
•  Form	
  can	
  be	
  build...
Cross	
  Site	
  Request	
  Forgery	
  (CSRF)	
  
•  What	
  is	
  different	
  with	
  Web	
  2.0	
  
– Is it possible to ...
One	
  Way	
  CSRF	
  Scenario	
  
One	
  Way	
  CSRF	
  Scenario	
  
One	
  Way	
  CSRF	
  Scenario	
  
One	
  Way	
  CSRF	
  Scenario	
  
One-­‐Way	
  CSRF	
  
One-­‐Way	
  CSRF	
  
•  <html>	
  
•  <body>	
  
•  <FORM	
  NAME="buy"	
  ENCTYPE="text/plain"	
  acEon="hOp://
trade.ex...
Forcing	
  XML	
  
•  Spligng	
  XML	
  stream	
  in	
  the	
  form.	
  
•  Possible	
  through	
  XForms	
  as	
  well.	
...
Two-­‐Way	
  CSRF	
  
•  One-­‐Way	
  –	
  Just	
  making	
  forceful	
  request.	
  
•  Two-­‐Way	
  
– Reading the data ...
Two-­‐Way	
  CSRF	
  
Two-­‐Way	
  CSRF	
  
•  ApplicaEon	
  is	
  serving	
  various	
  streams	
  like	
  –	
  
JSON,	
  JS-­‐Object,	
  Array...
Two-­‐Way	
  CSRF	
  
Two-­‐Way	
  CSRF	
  
•  AOacker	
  page	
  can	
  make	
  cross	
  domain	
  request	
  
using	
  SCRIPT	
  (firefox)	
  
...
Two-­‐Way	
  CSRF	
  
Two-­‐Way	
  CSRF	
  
•  It	
  is	
  possible	
  to	
  overload	
  these	
  objects.	
  
•  Reading	
  and	
  sending	
  t...
Countermeasure	
  
•  Server	
  Side	
  Checks	
  
–  Check for client’s content-type.
–  XHR calls – xml/application.
–  ...
Clickjacking	
  
DescripEon	
  
• Clickjacking	
  is	
  a	
  popular	
  name	
  for	
  an	
  old	
  aOack	
  
method	
  called	
  “UI	
  re...
DescripEon	
  
•  Clickjacking	
  involves	
  “hijacking”	
  the	
  user's	
  
mouse	
  clicks	
  
•  This	
  means,	
  th...
AOack	
  Anatomy	
  
•  There	
  are	
  3	
  popular	
  ways	
  in	
  which	
  aOackers	
  
perpetrate	
  this	
  vulnerab...
AOack	
  Anatomy	
  
•  An	
  aOacker	
  uses	
  the	
  concept	
  of	
  layering	
  to	
  
crat	
  an	
  aOack	
  
•  Bas...
AOack	
  Anatomy	
  
•  Lets	
  first	
  understand	
  this	
  basic	
  mechanism	
  
with	
  an	
  example	
  and	
  then	...
AOack	
  Anatomy	
  
Send email to all users ?
Yes No
Actual intented content ....
AOack	
  Anatomy	
  
Send email to all users ?
Yes No
Do you want a free iPad?
No
Intended content .... Malicious content ...
AOack	
  Anatomy	
  
Send email to all users ?
Yes No
Do you want a free iPad?
No
When the two are super imposed …
(“Send ...
Unvalidated	
  Redirects	
  &	
  
Forwards	
  
DescripEon	
  
•  Web	
  applicaEons	
  are	
  having	
  its	
  own	
  “flow”	
  
•  Business	
  flow	
  needs	
  movement	
...
DescripEon	
  
•  HTTP	
  requests	
  can	
  be	
  GET	
  or	
  POST	
  
•  Parameters	
  are	
  not	
  validated	
  and	
...
AOack	
  Anatomy	
  
•  As	
  a	
  part	
  of	
  root	
  cause,	
  there	
  must	
  be	
  a	
  
redirect	
  hole	
  
•  Ex...
AOack	
  Anatomy	
  
Attacker
foo.bank.com
http://foo.bank.com/login.aspx?user=xxx&
page=http://yahoo.com
Get redirect or ...
AOack	
  Anatomy	
  
•  What	
  is	
  redirect…	
  
– If server sends 302 in its HTTP response
– If server sends JavaScrip...
AOack	
  Anatomy	
  
Bank’s user
foo.bank.com
Login the page
Login successful
This is what in user’s mind…
a.) URL – trust...
AOack	
  Anatomy	
  
•  User	
  is	
  doing	
  all	
  his	
  acEviEes	
  
•  Full	
  trust	
  is	
  established	
  and	
  ...
AOack	
  Anatomy	
  
•  Magic	
  is	
  in	
  the	
  link	
  and	
  trust	
  is	
  in	
  the	
  mind.	
  
•  User	
  trust	...
AOack	
  Anatomy	
  
Click the link
Get a redirect response
to 203.88.XX.XX
1Link in mail
AOack	
  Anatomy	
  
Bank’s user
foo.bank.com
Click the link
Get a redirect response
to 203.88.XX.XX
203.88.XX.XX
(Attacke...
AOack	
  Anatomy	
  
Bank’s user
foo.bank.com
Click the link
Get a redirect response
to 203.88.XX.XX
203.88.XX.XX
(Attacke...
AOack	
  Anatomy	
  
Bank’s user
foo.bank.com
Click the link
Get a redirect response
to 203.88.XX.XX
203.88.XX.XX
(Attacke...
Conclusion	
  
Upcoming SlideShare
Loading in …5
×

CSRF, ClickJacking & Open Redirect

2,984 views

Published on

this preso covers CSRF, ClickJacking and Open Redirect.

Published in: Technology
  • Be the first to comment

CSRF, ClickJacking & Open Redirect

  1. 1. CSRF  (Cross  Site  Request  Forgery)   ClickJacking  &  Open  Redirects  
  2. 2. Cross  Site  Request  Forgery  (CSRF)   •  Generic  CSRF  is  with  GET  /  POST   •  Forcefully  sending  request  to  the  target  applicaEon   with  cookie  replay   •  Leveraging  tags  like   –  IMG –  SCRIPT –  IFRAME •  Not  abide  by  SOP  or  Cross  Domain  is  possible  
  3. 3. Request  generaEon            IMG  SRC      <img  src="hOp://host/?command">        SCRIPT  SRC      <script  src="hOp://host/?command">        IFRAME  SRC      <iframe  src="hOp://host/?command">    
  4. 4. Request  generaEon          'Image'  Object      <script>      var  foo  =  new  Image();      foo.src  =  "hOp://host/?command";      </script>       XHR  –  Cross  domain  difficult  
  5. 5. Request  generaEon   •  It  is  possible  to  generate  POST  as  well   •  Form  can  be  build  dynamically  and  buOon   click  from  JavaScript  is  possible   <script  type="text/javascript"   language="JavaScript">              document.foo.submit();   </script>    
  6. 6. Cross  Site  Request  Forgery  (CSRF)   •  What  is  different  with  Web  2.0   – Is it possible to do CSRF to XML stream – How? – It will be POST hitting the XML processing resources like Web Services – JSON CSRF is also possible – Interesting check to make against application and Web 2.0 resources
  7. 7. One  Way  CSRF  Scenario  
  8. 8. One  Way  CSRF  Scenario  
  9. 9. One  Way  CSRF  Scenario  
  10. 10. One  Way  CSRF  Scenario  
  11. 11. One-­‐Way  CSRF  
  12. 12. One-­‐Way  CSRF   •  <html>   •  <body>   •  <FORM  NAME="buy"  ENCTYPE="text/plain"  acEon="hOp:// trade.example.com/xmlrpc/trade.rem"  METHOD="POST">   •               <input  type="hidden"  name='<?xml  version'  value='"1.0"? ><methodCall><methodName>stocks.buy</ methodName><params><param><value><string>MSFT</string></ value></param><param><value><double>26</double></value></ param></params></methodCall>'>   •  </FORM>   •  <script>document.buy.submit();</script>   •  </body>   •  </html>  
  13. 13. Forcing  XML   •  Spligng  XML  stream  in  the  form.   •  Possible  through  XForms  as  well.   •  Similar  techniques  is  applicable  to  JSON  as   well.    
  14. 14. Two-­‐Way  CSRF   •  One-­‐Way  –  Just  making  forceful  request.   •  Two-­‐Way   – Reading the data coming from the target – May be getting hold onto important information – profile, statements, numbers etc. – Is it possible with JSON/XML
  15. 15. Two-­‐Way  CSRF  
  16. 16. Two-­‐Way  CSRF   •  ApplicaEon  is  serving  various  streams  like  –   JSON,  JS-­‐Object,  Array  etc.    
  17. 17. Two-­‐Way  CSRF  
  18. 18. Two-­‐Way  CSRF   •  AOacker  page  can  make  cross  domain  request   using  SCRIPT  (firefox)   •  Following  code  can  overload  the  array  stream.        funcEon  Array()      {  var  obj  =  this;  var  index  =  0;  for(j=0;j<4;j++){  obj[index++]   seOer  =  spoof;  }  }  funcEon  spoof(x){  send(x.toString());  }    
  19. 19. Two-­‐Way  CSRF  
  20. 20. Two-­‐Way  CSRF   •  It  is  possible  to  overload  these  objects.   •  Reading  and  sending  to  cross  domain  possible.   •  Opens  up  two  way  channel  for  an  aOacker.   •  Web  2.0  streams  are  vulnerable  to  these   aOacks.  
  21. 21. Countermeasure   •  Server  Side  Checks   –  Check for client’s content-type. –  XHR calls – xml/application. –  Native calls – text/html. –  Filtering is possible on it. •  Client  Side  Checks   –  Stream can be started and terminated by /* or any predefined characters. –  Client can remove them before injecting to DOM.
  22. 22. Clickjacking  
  23. 23. DescripEon   • Clickjacking  is  a  popular  name  for  an  old  aOack   method  called  “UI  redressing”   • Though  a  case  of  “old  wine  in  a  new  boOle”,   given  the  current  development  in  Web   standards  (Web  2.0,  AJAX,  etc),  one  cannot   ignore  the  risks  posed  by  this  vulnerability   • The  basic  philosophy  of  this  aOack  is  to  fool   the  user  into  clicking  a  malicious  link  
  24. 24. DescripEon   •  Clickjacking  involves  “hijacking”  the  user's   mouse  clicks   •  This  means,  the  user  thinks  (s)he's  clicking   on  something,  but  is  actually  not   •  The  user,  invariably  and  unknowingly   authorizes  certain  acEons  which  could  have   disasterous  consequences  or  could  be  as   harmless  as  being  redirected  to  a  games  site  
  25. 25. AOack  Anatomy   •  There  are  3  popular  ways  in  which  aOackers   perpetrate  this  vulnerability   –  Using invisible elements such as iframes –  Injecting malicious javascript (or any other client side scripting language) –  Leveraging a bug in Adobe Flash Player (this method is now obsolete)
  26. 26. AOack  Anatomy   •  An  aOacker  uses  the  concept  of  layering  to   crat  an  aOack   •  Basically,  the  page  that  the  user  views,  will   have  layers   •  Some  of  these  layers  will  be  transparent  (or   invisible)     •  The  user  will  never  know  of  the  invisible   layers  and  will  end  up  making  a  wrong   choice  
  27. 27. AOack  Anatomy   •  Lets  first  understand  this  basic  mechanism   with  an  example  and  then  move  on  to  the   different  ways  of  perpetraEng  this  aOack  ....  
  28. 28. AOack  Anatomy   Send email to all users ? Yes No Actual intented content ....
  29. 29. AOack  Anatomy   Send email to all users ? Yes No Do you want a free iPad? No Intended content .... Malicious content for clickjacking
  30. 30. AOack  Anatomy   Send email to all users ? Yes No Do you want a free iPad? No When the two are super imposed … (“Send email to all users?” Will not be visible, it is shown here for clarity)
  31. 31. Unvalidated  Redirects  &   Forwards  
  32. 32. DescripEon   •  Web  applicaEons  are  having  its  own  “flow”   •  Business  flow  needs  movement  between   pages  and  sites   •  ApplicaEon  uses  same  domain  or  cross   domain  redirects  and  forwards   •  It  allows  applicaEons  to  work  easily  and  access   same  domain  or  cross  domain  resources   (Single  Sign  On  –  leveraging)  
  33. 33. DescripEon   •  HTTP  requests  can  be  GET  or  POST   •  Parameters  are  not  validated  and  can  lead  to   arbitrary  redirects   •  This  can  be  leveraged  at  ease  and  get   exploited  by  an  aOacker   •  AOacker  exploits  the  trust  and  leverage  the   vulnerability  
  34. 34. AOack  Anatomy   •  As  a  part  of  root  cause,  there  must  be  a   redirect  hole   •  Example,   – http://foo.bank.com/login.aspx? user=xxx&page=trade.aspx •  Here  “page”  is  a  vulnerable  parameter   •  What  if?  Some  one  put  page=hOp:// yahoo.com  …  
  35. 35. AOack  Anatomy   Attacker foo.bank.com http://foo.bank.com/login.aspx?user=xxx& page=http://yahoo.com Get redirect or JavaScript call for loading yahoo.com Vulnerability detected!!!
  36. 36. AOack  Anatomy   •  What  is  redirect…   – If server sends 302 in its HTTP response – If server sends JavaScript with certain document object calls like “location” •  What  will  happen…   – It will send browser to new location – User will stay in impression that he/she is at trusted site but that is not the case
  37. 37. AOack  Anatomy   Bank’s user foo.bank.com Login the page Login successful This is what in user’s mind… a.) URL – trusted, foo.bank.com b.) Login form - trusted
  38. 38. AOack  Anatomy   •  User  is  doing  all  his  acEviEes   •  Full  trust  is  established  and  day  to  day  work  is   going  on   •  Now  aOacker’s  acEon  comes  in  …   •  AOacker  sends  a  mail  and  request  to  login  and   change  password  immediately  as  part  of   banking  policies   •   AOacker  acts  as  administrator  from  bank  
  39. 39. AOack  Anatomy   •  Magic  is  in  the  link  and  trust  is  in  the  mind.   •  User  trust  the  URL  and  Link  both  consciously   and  subconsciously…   •  Following  link  will  be  sent.   http://foo.bank.com/login.aspx?user=xxx&date=12-12-2009&trust=good& page=http://203.88.xx.xx/security.html Link is injected User is going to trust this
  40. 40. AOack  Anatomy   Click the link Get a redirect response to 203.88.XX.XX 1Link in mail
  41. 41. AOack  Anatomy   Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Trusted evil redirect 2
  42. 42. AOack  Anatomy   Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) 3
  43. 43. AOack  Anatomy   Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) Logs in and do money transfer 4
  44. 44. Conclusion  

×