Cross-Site Request Forgery: Optimizing Traditional and Advocating New Prevention Methods
Mark Jenne, Tatiana Alexenko

CSRF Overview
- Forces a user's browser to send requests the user never authorized, simply by interacting with a malicious website.
- The "sleeping giant" of cyber security threats.
- Can force someone to transfer money, change status on a social networking site, buy stock, or perform any other action on a vulnerable website that an attacker would like to exploit.

CSRF Overview

Original Project Plan
- Week 2: Reading and preparation. Gain a better understanding of CSRF attack mechanisms.
- Weeks 3-4: Perform simple CSRF attacks. Develop a testbed and exploit the generated site.
- Weeks 5-7: Implement defense mechanisms. Referer checking, reconfirmation, any others.
- Weeks 8-9: Final preparation. Finalize project, conference paper, presentation.

Alterations to the Plan
- Reconfirmation protection method: the reconfirmation value was to be based off the trace path. A trace path would not work, since it would just lead back to the user's browser; we would be unable to distinguish the trace path of the user from that of the attack, because both lead to the same machine.
- CCNC conference: decided to submit the paper to CCNC instead of ACM HotNets.
- Social networking specification: had to find exploits in well-known social networks to present.

Test Bed Application
- Stock trading application.
- Registered users can buy and sell stock based on prices from Yahoo Finance.
- Uses an AJAX request to retrieve stock information in real time.
- Does not implement any CSRF protection methods.
- Allowed us to concentrate on CSRF without the presence of XSS.

Test Bed Application

Sample Attack
- This attack uses Chris Shiflett's CSRF Redirector.
- The CSRF Redirector creates a form containing all the necessary inputs and submits it to the target application on the vulnerable website.

Discovered Vulnerabilities
- Hi5.com (Yahoo's social networking website): change profile skin, change status, add applications.
- Sharebuilder.com (ING's online stock brokerage): buy/sell shares of stock; requires 2 requests for the attack.

Referer Privacy Guard
- Firefox extension that disorders browsing history.
- Will encourage more users to send Referer headers.
- Sends "garbage" requests to random URLs from the user's browsing history.
- Our extension is available for download on SourceForge.
- SVN repository set up for developers.

CSRF Signature Detection
- Preview page content in a sandboxed manner.
- Don't allow any state-changing requests until content is checked.
- Find deep links and compare them to the URL in the address bar.
- Allow users to whitelist domain pairs.
- Preview linked content: images, iframes.
- Block forms with only "hidden" inputs.
- Block self-submitting forms unless the user approves.
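The three page-level signatures above (deep links pointing off the address-bar origin, hidden-only forms, self-submitting forms) can be checked with a small HTML scanner. This is an added example written for this transcript, not the authors' extension; the page URL, the `scan_page` helper and the constructed sample page are assumptions, and the `.submit(` heuristic is deliberately simple.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormScanner(HTMLParser):
    """Collects every <form> (action, input types) plus inline script and on* handler text."""

    def __init__(self):
        super().__init__()
        self.forms = []         # one dict per form: {"action": str, "inputs": [type, ...]}
        self.script_text = ""   # <script> bodies and event-handler attributes (onload, ...)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # boolean attributes arrive as None
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("type", "text").lower())
        elif tag == "script":
            self._in_script = True
        # <body onload="document.forms[0].submit()"> is the classic self-submit trigger
        self.script_text += " ".join(v for k, v in a.items() if k.startswith("on"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text += data


def scan_page(html, page_url):
    """Return (form_index, signal) pairs for each CSRF signature found in the page."""
    p = FormScanner()
    p.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    self_submitting = ".submit(" in p.script_text
    findings = []
    for i, f in enumerate(p.forms):
        # deep link check: does the form post somewhere other than the address-bar origin?
        target_host = urlparse(urljoin(page_url, f["action"])).netloc.lower()
        if target_host != page_host:
            findings.append((i, "cross-origin-action"))
        if f["inputs"] and all(t == "hidden" for t in f["inputs"]):
            findings.append((i, "hidden-inputs-only"))
        if self_submitting:
            findings.append((i, "self-submitting"))
    return findings


# Constructed sample (assumption): a third-party page that auto-posts a hidden-only form elsewhere.
SAMPLE = ('<body onload="document.forms[0].submit()">'
          '<form action="https://bank.example/transfer" method="post">'
          '<input type="hidden" name="to" value="x"><input type="hidden" name="amt" value="1">'
          '</form></body>')
```

A page that triggers all three signals is a strong candidate for blocking until the user approves; a whitelisted domain pair would suppress the cross-origin signal.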

Conclusions: CSRF can be prevented
- User: log out and clear cookies often.
- Developer:
  - Make sure the website is not vulnerable to XSS.
  - Use form tokens, and use them wisely.
  - Check the Referer header: lenient for now, possibly strict once the privacy issue is resolved.
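The developer-side advice above (a per-session form token plus a Referer check that is lenient today and can be switched to strict later) as a server-side check. This is an added example, not code from the project's testbed; the `check_csrf` signature, the `csrf_token` field name and the `site_origin` parameter are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse


def issue_token():
    """Per-session synchronizer token: store it in the session and embed it in every
    state-changing form. Never derive it from anything the attacker can guess."""
    return secrets.token_urlsafe(32)


def check_csrf(method, headers, form, session_token, site_origin, strict_referer=False):
    """Return (allowed, reason).

    Safe methods pass (they must not change state). State-changing requests need the
    session's token, compared in constant time, and a Referer from our own origin.
    Lenient mode lets a *missing* Referer through, because privacy tools strip it;
    strict mode requires one. A Referer from a foreign origin is always rejected.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    token = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "bad token"
    referer = headers.get("Referer")
    if referer is None:
        if strict_referer:
            return False, "missing referer"
        return True, "ok (no referer, lenient)"
    r = urlparse(referer)
    if f"{r.scheme}://{r.netloc}".lower() != site_origin.lower():
        return False, "foreign referer"
    return True, "ok"
```

Because the token check runs first, a foreign page cannot succeed merely by arranging for the Referer to be absent; the lenient Referer mode only relaxes the second line of defense.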

Conclusions: CSRF can be detected
- While application specific, certain features are similar.
- There is a limited number of tags and JavaScript functions that can be used to implement and disguise an attack.
- Hidden and self-submitting forms have little practical use.
- Whitelisting of trusted sites for user convenience.

Questions