Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec 2006 27- 30. November 2006 Martin.

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

Nick Feamster CS 6262 Spring 2009

Cross-site Request Forgery (CSRF) Attacks

Enabling Secure Internet Access with ISA Server

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

WebGoat & WebScarab “What is computer security for $1000 Alex?”

EECS 354 Network Security Cross Site Scripting (XSS)

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Session 11: Security with ASP.NET

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report

Prevent Cross-Site Scripting (XSS) attack

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

3-Protecting Systems Dr. John P. Abraham Professor UTPA.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Cross-Site Attacks James Walden Northern Kentucky University.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.

Robust Defenses for Cross-Site Request Forgery

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,

COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.

CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Securing Angular Apps Brian Noyes

 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.

ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.

Syo-401 Question Answer. QUESTION 1 An achievement in providing worldwide Internet security was the signing of certificates associated with which of the.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites Paper by Sooel Son and Vitaly Shmatikov, The University of Texas.

Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

COMP9321 Web Application Engineering Semester 2, 2017

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Ofer Shezaf, CTO, Breach Security

Web Caching? Web Caching:.

Cross-Site Request Forgeries: Exploitation and Prevention

Riding Someone Else’s Wave with CSRF

Active Man in the Middle Attacks

Exploring DOM-Based Cross Site Attacks

Cross Site Request Forgery (CSRF)

Presentation transcript:

Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec November 2006 Martin Johns

 Martin Johns, UH, FB Inf, SVS, Me, Myself and I Martin Johns johns at informatik.uni-hamburg.de Security researcher at the University of Hamburg Member of the secologic project  Research project carried out by SAP, Commerzbank, Eurosec and the University of Hamburg  Sponsored by the German Ministry of Technology (BMWi)  Goal: Improving software security  Visit us at

 Martin Johns, UH, FB Inf, SVS, Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

 Martin Johns, UH, FB Inf, SVS, Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

 Martin Johns, UH, FB Inf, SVS, Explicit Authentication The authentication credentials are communicated by the web application URL rewriting: Session token is included in every URL Form based session tokens Immune against XSRF (actually only almost immune)

 Martin Johns, UH, FB Inf, SVS, Implicit Authentication Automatically executed by the browser Cookies http authentication (Basic, Digest, NTLM) IP based schemes Client side SSL Potentially vulnerable to XSRF

 Martin Johns, UH, FB Inf, SVS, Session management with cookies After the authentication form the server sets a cookie at the client’s browser As long as this cookie is valid, the client’s requests are treated as authorized

 Martin Johns, UH, FB Inf, SVS, http authentication (Basic, Digest) ClientServer The client requests a restricted resource The server answers with a “401 Unauthorized” response This causes the client’s browser to demand the credentials The client resends the request The user’s credentials are included via the “Authorization” header Every further request to that authentication realm contains the credentials automatically GET index.html 401 Unauthorized GET index.html Authorization: h3m8dxjh 200 OK HTML data

 Martin Johns, UH, FB Inf, SVS, IP based authentication Firewall Intranet webserver

 Martin Johns, UH, FB Inf, SVS, Client side SSL authentication The client web browser possesses a X.509 certificate that was signed by an authority that is trusted by the web application Initial authentication:  The client has to prove his identity  For this reason, the web server demands a valid signature from the client   “SSL handshake”  Depending on the browser, the user may or may not confirm the initial handshake by entering a password (only once) If the handshake was successful, a SSL session is established between the client’s browser and the web server As long as the SSL session is valid, all request to the web server are transmitted using the negotiated credentials

 Martin Johns, UH, FB Inf, SVS, Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

 Martin Johns, UH, FB Inf, SVS, XSRF / Session Riding Exploits implicit authentication mechanisms Known since 2001 XSRF a.k.a. CSRF a.k.a. “Session Riding” (a.k.a. “Sea Surf”) Unknown/underestimated attack vector (compared to XSS or SQL injection) The Attack: The attacker creates a hidden http request inside the victim’s web browser This request is executed in the victim’s authentication context

 Martin Johns, UH, FB Inf, SVS, XSRF / Session Riding (II) Cookie: auth_ok

 Martin Johns, UH, FB Inf, SVS, XSRF / Session Riding (II) Cookie: auth_ok GET transfer.cgi?am=10000&an=

 Martin Johns, UH, FB Inf, SVS, XSRF / Session Riding (III) Cause: The web application does not verify that state changing request were created “within” the web application Attack methods: Forging GET requests:  Image tag with SRC attribute that points to a state changing URL  The URL might be obfuscated by a http redirect Forging POST request:  Attacker creates an IFRAME (or a pop-up window)  The frame is filled with a HTML form  This form is submitted via JavaScript

 Martin Johns, UH, FB Inf, SVS, XSRF / Session Riding (IV) Reflected: Attacker has to manufacture a website that hosts the origin of the hidden request Local / stored: Origin of the malicious http request is hosted on the attacked website Example: Users are allowed to post images with foreign URLs Realworld exploits State alteration of network devices JavaScript code inclusion (to enable an XSS attack) Execution of arbitrary PHP-code Intranet-Exploration (e.g., JavaScript port-scanning)  XSRF is the basis for “JavaScript Malware”

 Martin Johns, UH, FB Inf, SVS, Example 1: Breaking Applications Vulnerable: digg.com digg.com’s frontpage is determined by the number of “diggs” a certain story gets Using XSRF a webpage was able to cause the victim’s browser to “digg” an arbitrary URL The demo page “digged” itself

 Martin Johns, UH, FB Inf, SVS, Example 2: Causing Financial Loss Vulnerable: Netflix.com Add movies to your rental queue Add a movie to the top of your rental queue Change the name and address on your account Change the address and password on your account (i.e., takeover your account) Cancel your account (Unconfirmed/Conjectured)

 Martin Johns, UH, FB Inf, SVS, Example 3: Owning the Server Vulnerable: Wordpress 2.02 Wordpress’ theme editor was susceptible to XSRF Wordpress theme-files can be php-files Via XSRF an attacker could modify those files to contain arbitrary php-code

 Martin Johns, UH, FB Inf, SVS, Example 4: Exploring the Intranet Vulnerable: (most) intranet webservers By dynamically including external images and using timed JavaScript events, a malicious website can, e.g.:  Portscan the intranet  Fingerprint existing web servers and installed applications  “JavaScript Malware”

 Martin Johns, UH, FB Inf, SVS, XSRF / Session Riding (IV) General problem: Session Riding vulnerabilities are NOT caused by programming mistakes Completely correct code can be vulnerable The reason for Session Riding lies within http:  No dedicated authentication credential  State-changing GET requests  JavaScript “Preventing Session Riding” is actually “fixing the protocol”

 Martin Johns, UH, FB Inf, SVS, Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

 Martin Johns, UH, FB Inf, SVS, Misconceptions Only accepting POST requests Defends against local attacks On foreign web pages hidden POST requests can be created with frames Referrer checking Some users prohibit referrers  referrerless requests have to be accepted Techniques to selectively create http request without referrers exist: Furthermore, referrers can be spoofed with Flash

 Martin Johns, UH, FB Inf, SVS, Method 1: Switch to explicit authentication URL rewriting: Session token is included in every URL Attention: Token leakage via proxy-logs/referrers Does not protect against local attacks  All URLs produced by the application contain the token Form based session tokens Session token is communicated via “hidden” form fields Attention: May break the “Back” button Combination of explicit and implicit mechanisms e.g. Cookies AND URL-rewriting Has to be supported by the used framework SID-leakage may still be a problem

 Martin Johns, UH, FB Inf, SVS, Method 2: Manual Protection (I) Reflected attacks: Allow only POST requests to commit state changing requests  (as it was intended by the inventors of http) Use one-time form tokens (nonces)  This assures that the POST request’s origin was an HTML form that was provided by the web application in the first place Example:

 Martin Johns, UH, FB Inf, SVS, Method 2: Manual Protection (II) Local attacks: Mirror all foreign content Don’t allow arbitrary URLs Only serve images from your own servers Careful: Do not allow attackers to store arbitrary data on your computers

 Martin Johns, UH, FB Inf, SVS, Method 3: Automatic protection NoForge [1] Reverse Proxy Positioned between web application and internet Parses http responses and adds tokens to all internal URLs Drops requests, that do not contain a token Only protects applications that use cookies for session tracking [1] Nenad Jovanovic, Engin Kirda and Christopher Kruegel, Preventing Cross Site Request Forgery Attacks, IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), Baltimore, MD, August 2006,

 Martin Johns, UH, FB Inf, SVS, Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

 Martin Johns, UH, FB Inf, SVS, RequestRodeo: Concept Client Side Proxy or Browser Extension (“RequestRodeo”) Identification of potential fraudulent requests Removal of implicit authentication “fixing the browser”

 Martin Johns, UH, FB Inf, SVS, Identification of suspicious requests The origin determines the state Definition: entiteld Only entitled requests are permitted to carry implicit authentication information A request’s state can be established by the browser An http request is classified as entitled only if: – It was initiated because of the interaction with a web page (i.e. clicking on a link, submitting a form or through JavaScript) and – the URLs of the originating page and the requested page satisfy the “same origin policy”

 Martin Johns, UH, FB Inf, SVS, Proxy Solution: Processing http responses Adding tokens to URLs HTML code in http responses is processed Identification of elements that potentially causes http requests The target URLs of these elements are enhanced with a URL token The tokens are kept together with the repose’s URL in a table  This way the proxy is able determine a request’s origin “a reliable referrer” Every http request is checked for a URL token If such a token exists, the originating URL is retrieved If the domains of the request and its origin do not match, implicit authentication information gets removed

 Martin Johns, UH, FB Inf, SVS, Removal of implicit authentication Cookies:  Remove all “Cookie”-fields from unentitled requests  A cookie’s domain value has to be respected http authentication:  Browser Extension: Triggers a new authentication dialogue for unentitled requests  Proxy: Adds token to the URL before removing the “authentication header” Client Side SSL:  Display warning web site before sending the request  Non-obstrusive: hidden and image-tag-based attacks are not noticeable by the user

 Martin Johns, UH, FB Inf, SVS, Removal of implicit authentication (II) IP-based authentication Unentitled requests are only allowed if their target is worldreachable For this reason a “reflection sever” is employed The reflection server is hosted in a DMZ (i.e. on the other side of the cooperate inner firewall) Before allowing an unentitled request, the proxy verifies that the reflection server is able to access the request’s target Caching of checked IPs to minimize the performance penalty  Such a reflection server also protects against “JavaScript-Malware”

 Martin Johns, UH, FB Inf, SVS, Removal of implicit authentication: IP-based auth. Inner Firewall Intranet webserver RequestRodeo Malicious site Reflection server HEAD ? OK Outer Firewall DMZ

 Martin Johns, UH, FB Inf, SVS, Removal of implicit authentication: IP-based auth. Inner Firewall Intranet webserver RequestRodeo Malicious site Reflection server ? Outer Firewall DMZ HEAD DENY 

 Martin Johns, UH, FB Inf, SVS, Implementation Proxy [1]: Implemented in Python Using the “Twisted” framework Will be released on Browser Extension: Extension for Firefox Under development [1] "RequestRodeo: Client Side Protection against Session Riding“, Martin Johns and Justus Winter, in Proceedings of the OWASP Europe 2006 Conference by Piessens, F. (ed.), Report CW448, Katholieke Universiteit Leuven, 2006

 Martin Johns, UH, FB Inf, SVS, Discussion Conservative Approach: Connections are allowed Only removal of implicit authentication Request to public resources are uninhibited With small modifications also usable at the server side Limitations: No protection against “local” attacks Proxy solution:  NTLM / Client Side SSL not implemented Future work Addition of anti XSS techniques

 Martin Johns, UH, FB Inf, SVS, Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

 Martin Johns, UH, FB Inf, SVS, Conclusion Session Riding is problematic! Correct looking code can be vulnerable! Programmers: Use nonces whenever possible Users: Logout!

 Martin Johns, UH, FB Inf, SVS, The end Thank you for your attention Questions? Comments?