Cross Site Request Forgery Vulnerabilities
    1. Cross Site Request Forgery Deep Dive, Cincinnati Chapter Meeting, May 27th, 2008. [email_address]
    2. Agenda
        - TBD
        - OWASP Publications
        - OWASP Tools Demo by Blaine Wilson
        - OWASP Cincinnati Local Chapter
        - Final Questions
    3. Place of CSRF in the OWASP Top 10 2007
        - Cross Site Scripting (XSS)
        - Injection Flaws
        - Insecure Remote File Include
        - Insecure Direct Object Reference
        - Cross Site Request Forgery (CSRF)
        - Information Leakage and Improper Error Handling
        - Broken Authentication and Session Management
        - Insecure Cryptographic Storage
        - Insecure Communications
        - Failure to Restrict URL Access
    4. Description of the CSRF threat and its impact
        - CSRF forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
        - An attacker may force the users of a web application to execute actions of the attacker's choosing via social engineering.
    5. CSRF Causes
        - The way CSRF is accomplished relies on the following facts:
            1. Web browser behavior regarding the handling of session-related information such as cookies and HTTP authentication information;
            2. Knowledge of valid web application URLs on the side of the attacker;
            3. Application session management relying only on information which is known by the browser;
            4. Existence of HTML tags whose presence causes immediate access to an http[s] resource; for example the image tag img.
    6. Threat Scenario
    7. CSRF is a Same Origin Exploit
        - The GET request could be originated in several different ways:
        - by the user, who is using the actual web application;
        - by the user, who types the URL directly in the browser;
        - by the user, who follows a link (external to the application) pointing to the URL.
    8. CSRF attack vectors
    9. Example: Webgoat/?
    10. CSRF Countermeasures: Client/User
        - Some mitigating actions are:
        - Log off immediately after using a web application.
        - Do not allow your browser to save usernames/passwords, and do not allow sites to "remember" your login.
        - Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both things on the same machine, do them with separate browsers.
        - Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks, since simply viewing a mail message or a news message might lead to the execution of an attack.
    11. CSRF Countermeasures: Developers
        - Add session-related information to the URL
        - Use POST instead of GET
        - Automatic logout mechanisms
        - Rely on Referer headers
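The first two developer countermeasures on slide 11 (tie a secret, session-bound value to every state-changing request, and accept such requests only over POST) are usually combined as a synchronizer token. The following is an added example, not code from the slides or from OWASP; it stands in for a web framework with a constructed request dictionary and a constructed server secret, and shows why a cross-site page that can make the browser send the cookie still cannot supply the token.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Token to embed in the form: random nonce + HMAC(secret, session_id:nonce).
    Binding the MAC to the session id means a token minted for one session
    is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Accept only a well-formed token whose MAC matches this session.
    The comparison is constant-time, so a wrong token leaks nothing about the right one."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def handle_transfer(request: dict) -> str:
    """Constructed request shape: {'method': str, 'cookies': dict, 'form': dict}.
    Returns the HTTP status line the server would answer with."""
    if request["method"] != "POST":
        return "405 Method Not Allowed"  # GET must never change state (an <img> tag can only GET)
    session_id = request["cookies"].get("SESSIONID")
    if not session_id:
        return "401 Unauthorized"  # no session, nothing to forge against
    # The browser attaches the cookie automatically to a cross-site POST, but the token
    # lives only in a page served to this user, which another origin cannot read.
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return "403 Forbidden"
    return f"200 transferred {request['form']['amount']} to {request['form']['to']}"
```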
    12. Black Box testing and example
        - Let u be the URL being tested; for example, u = http:// /action
        - Build an HTML page containing the HTTP request referencing URL u (specifying all relevant parameters; in the case of HTTP GET this is straightforward, while for a POST request you need to resort to some JavaScript);
        - make sure that the valid user is logged on to the application;
        - induce him into following the link pointing to the to-be-tested URL (social engineering is involved if you cannot impersonate the user yourself);
        - observe the result, i.e. check whether the web server executed the request.
    13. Gray Box testing and example
        - Audit the application to ascertain whether its session management is vulnerable.
        - Check if session management relies only on client-side values.
    14. Tools
    15. Difference Between XSS and CSRF