Riding Someone Else’s Wave with CSRF

Presentation transcript:

Riding Someone Else’s Wave with CSRF Sam Shute sam@quantumsecurity.co.nz

Overview What is CSRF What can we use CSRF for Where can we find CSRF How can we defend against CSRF

What is CSRF - Why should I care CSRF, Sea-Surf, XSRF, one-click attacks, session riding. All mean Cross-Site Request Forgery. Sending requests from someone else’s browser, so their browser adds their cookies. Recently removed from the OWASP Top 10

What is CSRF – Real Life Examples Penetration test on Friday 80% of our penetration tests uTorrent malware download Gmail contact list theft

What is CSRF - Flow User visits our malicious/infected site The user’s browser loads the content for our site, including our CSRF attack The user’s browser sends the request with their cookies

What is CSRF - Example Antonio requests a site we’ve infected, DogMemes.com Antonio’s browser loads the infected page, including our CSRF attack When it comes across our CSRF his browser makes a request to AntoniosBank.com with his cookie, telling his bank to put $10,000 into our account.

What is CSRF - Example

Same-Origin Policy Same-Origin = Same Domain Blocks background requests that come from a different domain. Modern browsers only

Demo

CSRF Attack 1: Making a Post Simple HTML form Executed through a phishing attack

CSRF Attack 1-2: Making a Post

CSRF Attack 2: Password Change Background Ajax request Executed through an XSS injection

CSRF Attack 3: Privilege Escalation Background Ajax request Executed through an XSS injection

What can we use CSRF for Making posts Changing passwords Privilege escalation Creating accounts Transferring bank funds

Where can we find CSRF Any request that does not pass a CSRF token is probably vulnerable. Looking at forms and Ajax requests is always a good place to start.
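As an added example that is not part of the talk, the following Python script does the "look at the forms" step from the defender's side: it walks the HTML of your own application and reports every state-changing (non-GET) form that carries no hidden CSRF-token field. The sample page and the list of token field names are constructed for the example; extend the name list to match whatever your framework emits.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the talk): a POST form with a token, a POST form
# without one, and a GET search form that changes no state and so needs no token.
SAMPLE_HTML = """
<form id="transfer" method="post" action="/transfer">
  <input type="hidden" name="csrf_token" value="abc123">
  <input name="amount">
</form>
<form id="change-password" method="POST" action="/account/password">
  <input type="password" name="new_password">
</form>
<form id="search" method="get" action="/search">
  <input name="q">
</form>
"""

# Hidden-field names commonly used for CSRF tokens (assumed list; adjust per framework).
TOKEN_FIELD_NAMES = {"csrf_token", "_csrf", "authenticity_token", "__requestverificationtoken"}


class FormAuditor(HTMLParser):
    """Collects every <form> on a page and whether it carries a hidden CSRF-token input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if tag == "form":
            self._current = {
                "id": a.get("id") or a.get("action") or "?",
                "method": (a.get("method") or "get").lower(),
                "has_token": False,
            }
        elif tag == "input" and self._current is not None:
            is_hidden = (a.get("type") or "").lower() == "hidden"
            if is_hidden and (a.get("name") or "").lower() in TOKEN_FIELD_NAMES:
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_untokened_forms(html):
    """Return the ids of non-GET forms that have no CSRF token field: these are the
    places to check first, since any such request is probably forgeable."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    return [f["id"] for f in parser.forms if f["method"] != "get" and not f["has_token"]]


if __name__ == "__main__":
    for form_id in find_untokened_forms(SAMPLE_HTML):
        print(f"form '{form_id}' changes state but carries no CSRF token")
```

Run against the sample it flags only the password-change form; the transfer form has a token and the search form is a GET. Background Ajax requests do not show up as forms, so audit the JavaScript that issues them separately.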

Defending Yourself against CSRF Logging out when finished with an application Running a script blocker Updating

What doesn’t work to defend against CSRF HTTPS Using only POST requests Secret cookie values Relying on browser-based protections

What does work against CSRF CSRF Tokens Must be unique per user, preferably unique per action. They must be implemented, but more importantly, they must be validated. Check your framework Content-Security-Policy Doesn’t actually stop CSRF. But by declaring a strict CSP you can reduce the attack surface for XSS.
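The token rules on this slide (unique per user, preferably per action, and actually validated on the server) in working form, as an added example that is not code from the talk: the token is an HMAC over the session id, the action name, a random nonce and a timestamp, so a token issued to one user or for one action is rejected for any other, and validation rejects a missing or malformed token instead of silently passing. The secret and the session ids are constructed for the example; in a real application the secret comes from configuration and the session id from the authenticated session.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-process secret for the example; load from configuration in real code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id, action, secret=SERVER_SECRET, now=None):
    """Mint a token of the form nonce.timestamp.mac, where the MAC binds the user's
    session id and the specific action. Call this when rendering the form or page."""
    nonce = secrets.token_hex(16)
    ts = str(int(now if now is not None else time.time()))
    msg = f"{session_id}|{action}|{nonce}|{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def validate_token(token, session_id, action, secret=SERVER_SECRET, max_age=3600, now=None):
    """Server-side check for every state-changing request. Rejects a missing, malformed
    or expired token and any MAC mismatch, comparing in constant time. Because the
    session id and action are part of the MAC input, a token stolen from or issued to
    another user, or issued for a different action, fails here."""
    if not token:
        return False  # "implemented but never validated" is the bug this line prevents
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, ts, mac = parts
    if not ts.isdigit():
        return False
    current = now if now is not None else time.time()
    if current - int(ts) > max_age:
        return False
    msg = f"{session_id}|{action}|{nonce}|{ts}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_change_password(form, session_id):
    """Assumed request handler: the CSRF check runs before any state changes."""
    if not validate_token(form.get("csrf_token"), session_id, "change_password"):
        return 403, "CSRF token missing or invalid"
    return 200, "password changed"


if __name__ == "__main__":
    # Constructed walkthrough: the page for session "sess-A" embeds a token, and only a
    # POST carrying that token back from the same session for the same action succeeds.
    token = issue_token("sess-A", "change_password")
    print(handle_change_password({"csrf_token": token}, "sess-A"))  # 200
    print(handle_change_password({}, "sess-A"))                     # 403, token missing
    print(handle_change_password({"csrf_token": token}, "sess-B"))  # 403, other user
```

Whether the token is stored in a hidden form field or sent as a request header from Ajax code, the validation path is the same; the check that matters is that the handler refuses the request when the token is absent, since a forged cross-site request never carries one.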

What does work against CSRF – CSRF Tokens

What does work against CSRF – CSRF Tokens

What does work against CSRF – CSRF Tokens

Summary Very easy to exploit Very easy to defend against

Questions?