OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


Published on

  • Be the first to comment

OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

  1. 1. Cross Site Request Forgery Obay Osman OWASP Khartoum 15 Sept 2012 Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
  2. 2. ToC• Definition.• OWASP Rating.• Attack Scenarios.• CSRF in the wiled.• Demo time.• Detection• Protection.• Summery & Discussion. 2
  3. 3. DefinitionA CSRF attack is forcing a logged-on victim‟s browser to send a forged HTTP request, including the victim‟s session cookie and any other automatically included authentication information, to a vulnerable web application.Synonyms: XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, Hostile Linking, One-Click (Microsoft). 3
  4. 4. OWASP Risk Rating # 4
  5. 5. Attack ScenariosUser:http://bank.com/app/transferFunds?amount=1 500&destinationAccount=4673243243Attacker:<img src="http://bank.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“ width="0" height="0" /> 5
  6. 6. #1 6
  7. 7. #2 7
  8. 8. Let us break something… 9
  9. 9. In the wield..- Firewall web management.- Stored CSRF flaws.(Self-vulnerable applications)- Sammy Worm.Methodologies: XSS, Social Engineering…. 10
  10. 10. DetectionCode Review:• see if each link and form contains an unpredictable token for each user.• focus on state-changing functions.• check multistep transactions.PenTesting:• Manual Testing.• OWASP‟s CSRF Tester tool. 11
  11. 11. Protection[Developers]• Check referrer, Really help?!(open redirect/HTTPS/subdomains)• Double Submit Cookies.• Challenge-Response. (CAPTCHA/Re-Authentication)• Put unique token in the URL/URL parameter.• Include the unique token (per request/session) in a hidden field. No XSS & Share a ‘Secret’ With The User. 12
  12. 12. Protection[Tokens]Good Tokens:Nonce:One-time cryptographically random token that is returned to the client per request.HMAC:#(PageUrl+Session/userID+Timestamp)(eg In .net encrypted „ViewState‟) 13
  13. 13. Protection [Defense in depth]Do not use GET parameters.Do not put the secret in the URL/Cookies.(log/history/referer exposure,!)Send successful logins to a well-known location instead of automatic redirection.(Top10 A10)Do not resubmit POST parameters if you need to perform redirection. 14
  14. 14. Protection [Users]Logoff immediately after using a web applicationDo not allow your browser to save username/passwords, and do not allow sites to “remember” your loginDo not use the same browser to access sensitive applications and to surf freely the Internet.Be careful when clicking untrusted Links. 15
  15. 15. OWASP‟s ToolsOWASP‟s CSRF Guard can be used to automatically include such tokens in your Java EE, .NET, or PHP application.OWASP‟s ESAPI token generators and validators.+ OWASP‟s CSRF Tester. 16
  16. 16. OWASP Top 10 2010:A1 –InjectionA2 –Cross-Site Scripting (XSS)A3 –Broken Authentication and Session ManagementA4 –Insecure Direct Object ReferenceA5 –Cross Site Request Forgery (CSRF)A6 –Security Misconfiguration(NEW)A7 –Insecure Cryptographic StorageA8 –Failure to Restrict URL AccessA9 –Insufficient Transport Layer ProtectionA10 –Unvalidated Redirects and Forwards (NEW)
  17. 17. Ref.• https://www.owasp.org/index.php/CSRF• https://www.owasp.org/index.php/Testing_for_CSRF_ %28OWASP-SM-005%29• https://www.owasp.org/index.php/Cross- Site_Request_Forgery_%28CSRF%29_Prevention_Ch eat_Sheet• http://cwe.mitre.org/data/definitions/352.html• https://www.trustwave.com/sae_sample/owasp-top- 10/CourseFiles/Player.htm
  18. 18. 20