Stateless Anti-CSRF


    1. Stateless Anti-CSRF. @johnwilander at Dagstuhl 2012, Germany
    2. Stateless is Good
       • Don't need to synchronize between servers
       • No bloated session objects on servers
       • REST
    3. REST Constraint: Stateless. The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.
    4. Stateless Double Submit (CSRF Protection)
    5. Double Submit (CSRF protection): anti-CSRF value as cookie ... and as request parameter
    6. Double Submit (CSRF protection): cookie ≠ request parameter. The attacker cannot read the anti-CSRF cookie to include it as a parameter.
    7. Double Submit (CSRF protection): the anti-CSRF cookie can be generated client-side => no server-side state
    8. Demo: Double Submit
    9. Are We Fully Protected Now?
    10. Are We Fully Protected Now? Of course not.
    11. The Other Subdomain: https://securish.1-liner.org (Search, Buy!) and https://other.1-liner.org
    12. The Other Subdomain: https://other.1-liner.org has a search field that reflects <script>alert(XSS)</script>; the XSS fires, and https://securish.1-liner.org still offers Buy!
    13. The Other Subdomain: the XSS on https://other.1-liner.org plants a cookie for the parent domain, which https://securish.1-liner.org then sees on Buy!
           <script>
           $.cookie("doubleSubmitToken", "knownValue", { path: "/", domain: ".1-liner.org" });
           </script>
    14. Demo: Subdomain XSS Double Submit Bypass
    15. I proposed some sort of Triple Submit CSRF Protection
    16. Triple Submit (CSRF protection): initial request of the rich internet app
    17. Triple Submit (CSRF protection): random HttpOnly cookie; cookie value as JavaScript variable
    18. Triple Submit (CSRF protection): random HttpOnly cookie; cookie value as request parameter
       • Stateful: cookie name saved in server session
       • Stateless: server only accepts one such cookie (checks format)
    19. The 3rd Submit
       • The server sets an HttpOnly cookie with a random name and random value
       • The server tells the client the value of the random cookie, not the name
       • The client submits the value of the cookie as a request parameter
    20. The 3rd Submit
       • The server sets an HttpOnly cookie with a random name and random value:
           response.addHeader("Set-Cookie", randomName + "=" + randomValue + "; HttpOnly; path=/; domain=.1-liner.org");
       • The server tells the client the value of the random cookie, not the name
       • The client submits the value of the cookie as a request parameter
    21. The 3rd Submit
       • The server sets an HttpOnly cookie with a random name and random value
       • The server tells the client the value of the random cookie, not the name:
           <script>var ANTI_CSRF_TRIPLE = "<%= randomValue %>";</script>
       • The client submits the name and value of the cookie as a request parameter
    22. The 3rd Submit
       • Cookie value as parameter
       • The cookie name
       • The cookie value
    23. Can XSS overwrite HttpOnly cookies?
    24. Yes. When a browser reaches its limit for cookies for a domain it starts to delete older cookies, including
        Credit: http://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/
    25. So the attacker can delete the HttpOnly cookie(s) this way and then set them to a controlled value, effectively overwriting
    26. Cookie jar overflow (jQuery cookie plugin):
           var overflowCookieJar = function() {
               var name = "marker", val = "markerVal", counter = 0;
               // Set an initial cookie as a marker
               $.cookie(name, val, {path: "/", domain: ".1-liner.org"});
               // Set new cookies until marker is gone
               while ($.cookie(name) == val) {
                   $.cookie(name + counter++, val, {path: "/", domain: ".1-liner.org"});
               }
               // Return number of cookies needed
               return counter;
           };
    27. Demo: Subdomain XSS Triple Submit Bypass
    28. Overflow the Cookie Jar
       • Chrome 22: 150-180 cookies needed
       • Firefox 15: 150 cookies needed
       • Safari 6: ≈1000 cookies needed
    29. The Demo System is an OWASP Project: 1-liner.org
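The server-side checks for both schemes from the slides, as an added example that is not the slides' or the 1-liner.org demo's own code. The cookie-name format ("csrf_" plus 16 hex characters), the value length and the Secure flag are assumptions; the stateless triple-submit check refuses a request whenever more than one cookie matches the format, which is what makes a planted second cookie visible instead of silently trusted.

```python
import re
import secrets

# Name/value formats for the stateless triple-submit cookie. The "csrf_" prefix
# and the lengths are constructed assumptions; the slides only say the server
# "checks format" and accepts exactly one such cookie.
TRIPLE_NAME_RE = re.compile(r"^csrf_[0-9a-f]{16}$")
TRIPLE_VALUE_RE = re.compile(r"^[0-9a-f]{32}$")

def issue_triple_submit_cookie():
    """Set-Cookie header for the initial response: random name, random value,
    HttpOnly so page script cannot read it. Returns (header, value)."""
    name = "csrf_" + secrets.token_hex(8)
    value = secrets.token_hex(16)
    header = f"{name}={value}; HttpOnly; Secure; Path=/; Domain=.1-liner.org"
    return header, value

def parse_cookie_header(cookie_header):
    """(name, value) pairs in request order, keeping duplicates: a cookie planted
    from a sibling subdomain arrives next to the legitimate one with the same name."""
    pairs = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def check_double_submit(cookie_header, param):
    """Double submit: the request parameter must equal the anti-CSRF cookie.
    Any cookie carrying that name satisfies it, which is why one set from
    other.1-liner.org with a known value passes the check."""
    for name, value in parse_cookie_header(cookie_header):
        if name == "doubleSubmitToken":
            return secrets.compare_digest(value, param)
    return False

def check_triple_submit(cookie_header, param):
    """Stateless triple submit: exactly one well-formed random-name cookie may be
    present and its value must equal the parameter; a second candidate (planted
    via subdomain XSS or cookie-jar overflow) or a malformed one is rejected."""
    candidates = [(n, v) for n, v in parse_cookie_header(cookie_header)
                  if TRIPLE_NAME_RE.match(n)]
    if len(candidates) != 1:
        return False
    value = candidates[0][1]
    if not TRIPLE_VALUE_RE.match(value):
        return False
    return secrets.compare_digest(value, param)
```

Logging the "more than one candidate" rejection separately from a plain mismatch gives a cheap detection signal for the cookie-jar overflow shown on slide 26.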
