Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Cross-site Request Forgery (CSRF) Attacks
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
Enabling Secure Internet Access with ISA Server
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
EECS 354 Network Security Cross Site Scripting (XSS)
Security Issues and Challenges in Cloud Computing
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec November 2006 Martin.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Martin Kruliš by Martin Kruliš (v1.0)1.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
JavaScript, Fourth Edition
IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Robust Defenses for Cross-Site Request Forgery
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.
1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Web Server.
ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:
Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.
Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
Some from Chapter 11.9 – “Web” 4 th edition and SY306 Web and Databases for Cyber Operations Cookies and.
IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Database and Cloud Security
COMP9321 Web Application Engineering Semester 2, 2017
Web Application Security
Internet Self Defense 101 Rex Booth.
An Introduction to Web Application Security
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
World Wide Web policy.
API Security Auditing Be Aware,Be Safe
Ad-blocker circumvention System
Ofer Shezaf, CTO, Breach Security
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Web Caching? Web Caching:.
Cross-Site Request Forgeries: Exploitation and Prevention
Riding Someone Else’s Wave with CSRF
CSC 495/583 Topics of Software Security Intro to Web Security
Active Man in the Middle Attacks
Protecting Against Common Web Application Vulnerabilities
Exploring DOM-Based Cross Site Attacks
Cross Site Request Forgery (CSRF)
Presentation transcript:

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP AppSec Europe May RequestRodeo: Client Side Protection against Session Riding Martin Johns / Justus Winter University of Hamburg, SVS

OWASP AppSec Europe Me, Myself, and I  Martin Johns  johns at informatik.uni-hamburg.de  Security researcher at the University of Hamburg  Member of the secologic project  Research project carried out by SAP, Commerzbank, Eurosec and the University of Hamburg  Goal: Improving software security  Visit us at

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Agenda  Web Application Authentication  Explicit authentication  Implicit authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Explicit Authentication  The authentication credentials are communicated by the web application  URL rewriting: Session token is included in every URL  Form based session tokens  Immune to Session Riding

OWASP AppSec Europe Agenda  Web Application Authentication  Explicit authentication  Implicit authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Implicit Authentication  Automatically executed by the browser  Cookies  HTTP authentication (Basic, Digest, NTLM)  IP based schemes  Client side SSL  Potentially vulnerable to Session Riding

OWASP AppSec Europe Session management with cookies  After the authentication form the server sets a cookie on the client’s browser  As long as this cookie is valid, the client’s requests are treated as authorized

OWASP AppSec Europe HTTP authentication (Basic, Digest) ClientServer  The client requests a restricted resource  The server answers with a “401 Unauthorized” response  This causes the client’s browser to demand the credentials  The client resends the request  The user’s credentials are included via the “Authorization” header  Every further request to that authentication realm contains the credentials automatically GET index.html 401 Unauthorized GET index.html Authorization: h3m8dxjh 200 OK HTML data

OWASP AppSec Europe IP based authentication Firewall Intranet webserver

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  The attack  Server side countermeasures  Client Side Protection  Conclusion

OWASP AppSec Europe Session Riding  Exploits implicit authentication mechanisms  Known since 2001  A.k.a. “Cross Site Request Forgery” (XSRF / CSRF)  Unknown/underestimated attack vector (compared to XSS or SQL injection)  The Attack  Attacker creates a hidden HTTP request inside the victim’s web browser  This request is executed in the victim’s authentication context

OWASP AppSec Europe Session Riding (II) Cookie: auth_ok

OWASP AppSec Europe Session Riding (II) Cookie: auth_ok GET transfer.cgi?am=10000&an=

OWASP AppSec Europe Session Riding (II)  Problem  Web application does not verify that state changing request was created “within” the web application  Methods  Image (GET)  Frame (POST)  Real World exploits  Deletion / fabrication of data  State alteration of network devices  JavaScript code inclusion  Execution of arbitrary PHP-code

OWASP AppSec Europe Session Riding: Attack origin  Reflected: Attacker has to manufacture a website that hosts the origin of the hidden request  Local / stored: Origin of the malicious HTTP request is hosted on the attacked website  Example: Users are allowed to post images with foreign URLs

OWASP AppSec Europe Session Riding: Classification  Attack origin  Reflected: Attacker has to manufacture a website that hosts the origin of the hidden request  Stored: Origin of the malicious HTTP request is hosted on the attacked website  Example: Users are allowed to post images with foreign URLs  Target  Broad: Every user of a certain web application is potentially affected by the same request  Explicit: The attack is tailored for one special victim

OWASP AppSec Europe Misconceptions  Only accept POST requests  Defends against local attacks  On foreign web pages hidden POST requests can be created with frames  Referrer checking  Some users prohibit referrers  referrerless requests have to be accepted  Techniques to selectively create HTTP request without referrers exist

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  The attack  Server side countermeasures  Client Side Protection  Conclusion

OWASP AppSec Europe Server Side Countermeasures  Misconceptions (don’t)  Only accept POST requests  Referrer checking  Do:  Use one-time tokens for state changing requests  Mirror all foreign content / do not allow users to use arbitrary URLs  Alternative: Switch to explicit authentication

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Concept  Identification of fraudulent requests  Removal of implicit authentication  Conclusion

OWASP AppSec Europe RequestRodeo: Concept  Client Side Proxy  Identification of potential fraudulent requests  Removal of implicit authentication

OWASP AppSec Europe Identification of suspicious requests  The origin determines the state  Definition: entitled  Only entitled requests are permitted to carry implicit authentication information An HTTP request is classified as entitled only if: – It was initiated because of the interaction with a web page (i.e. clicking on a link, submitting a form or through JavaScript) and – the URLs of the originating page and the requested page satisfy the “same origin policy”

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Concept  Identification of fraudulent requests  Removal of implicit authentication  Conclusion

OWASP AppSec Europe Processing HTTP responses  Adding tokens to URLs  HTML code in HTTP responses is processed  Identification of elements that potentially cause HTTP requests  The target URLs of these elements are enhanced with a URL token  The tokens are kept together with the response’s URL in a table  This way the proxy is able determine a request’s origin  “a reliable referrer”

OWASP AppSec Europe Processing HTTP responses (II)  Example:    Augmenting JavaScript:  Impossible to find all URLs in JS  Instead: Altering the code that creates the requests: document.location = url;  document.location = __rrt_addToken(url);  Unreliable, therefore additional referrer checks

OWASP AppSec Europe Checking HTTP requests  Every HTTP request is checked for a URL token  If such a token exists, the originating URL is retrieved  If the domains of the request and its origin do not match, implicit authentication information gets removed

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Concept  Identification of fraudulent requests  Removal of implicit authentication  Conclusion

OWASP AppSec Europe Removal of implicit authentication: Cookies  Cookies are communicated via the HTTP header field “Cookie”  If a not “entitled” request contains such a field, it is removed by the proxy before forwarding the request a

OWASP AppSec Europe Removal of implicit authentication: Cookies  Cookies are communicated via the HTTP header field “Cookie”  If a not “entitled” request contains such a field, it is removed by the proxy before forwarding the request a RequestRodeo Client GET index.html Cookie:SID=728gdshg7 Server GET index.html Implicit authentication

OWASP AppSec Europe Removal of implicit authentication: Cookies  Cookies are communicated via the HTTP header field “Cookie”  If a not “entitled” request contains such a field, it is removed by the proxy before forwarding the request  A cookie’s domain value should be respected  Example:  cookie’s domain value: “foo.org”  a request from “ to “order.foo.org” is allowed to carry the cookie

OWASP AppSec Europe Removal of implicit authentication: HTTP auth  Simply removing unentitled “Authorization” headers does not work

OWASP AppSec Europe RequestRodeo Client GET index.html Authorization: xx … Server 401 Unauthorized GET index.html Authorization: xx … GET index.html Implicit authentication 401 Unauthorized Still not “entitled”

OWASP AppSec Europe Removal of implicit authentication: HTTP auth  Simply removing unentitled “Authorization” headers does not work  In this case the browser re-requests the same URL  The URL is still not entitled  The proxy has to add a token to the request’s URL  This is done using a 302 “Temporarily moved” response

OWASP AppSec Europe RequestRodeo Client GET index.html Authorization: xx … Server 302 Moved Temporarily Location: index.html?__rrt=f4s7 GET index.html?__rrt=f4s7 Authorization: xx … 401 Unauthorized GET index.html?__rrt=f4s7 Authorization: xx … GET index.html?__rrt=f4s7 Authorization: xx … 200 OK HTML Data 200 OK HTML Data Implicit authentication Explicit authentication entitled: index.html?__rrt=f4s7

OWASP AppSec Europe IP-based authentication  Unentitled requests are only allowed if their target is worldreachable  For this reason a “reflection server” is employed  The reflection server is hosted offsite (i.e. on the other side of the corporate firewall)  Before allowing an unentitled request, the proxy verifies that the reflection server is able to access the request’s target  Caching of checked IPs to minimize the performance penalty

OWASP AppSec Europe IP based authentication Firewall Intranet webserver RequestRodeo Malicious site Reflection server HEAD ?OK

OWASP AppSec Europe IP based authentication Firewall Intranet webserver RequestRodeo Malicious site Reflection server ?DENY HEAD 

OWASP AppSec Europe Agenda  Web Application Authentication  Session Riding  Client Side Protection  Conclusion

OWASP AppSec Europe Implementation  Proof of concept  Implemented in Python  Using the “Twisted” framework  Released under the GPL

OWASP AppSec Europe Discussion  Conservative Approach  Connections are allowed  Only removal of implicit authentication  Request to public resources are uninhibited  Limitations  No protection against “local” attacks  NTLM / Client Side SSL not implemented  Future work  Browser integration  Addition of anti XSS techniques

OWASP AppSec Europe The End  Thank you for your attention  Questions?  Comments?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.