Automatic and Precise Client-Side Protection against CSRF Attacks.

Slides:

Advertisements

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Advertisements

Cross-site Request Forgery (CSRF) Attacks

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

EECS 354 Network Security Cross Site Scripting (XSS)

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

HTTP – HyperText Transfer Protocol

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

HTTP and Server Security James Walden Northern Kentucky University.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Penetration Testing James Walden Northern Kentucky University.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

BetterAuth: Web Authentication Revisited Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch In ACSAC /01/08 A.C. ADL.

Srikar Nadipally. Outline Finding and Exploiting XSS Vulnerabilities Standard Reflected XSS Stored XSS DOM based XSS Prevention of XSS attack Reflect.

Cross-Site Attacks James Walden Northern Kentucky University.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Robust Defenses for Cross-Site Request Forgery

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Web Applications Testing By Jamie Rougvie Supported by.

1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.

1-1 HTTP request message GET /somedir/page.html HTTP/1.1 Host: User-agent: Mozilla/4.0 Connection: close Accept-language:fr request.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.

Evil Code and how to defend against it CSCI 4300

Web2.0 Secure Development Practice Bruce Xia

Cross-site request forgery Collin Jackson CS 142 Winter 2009.

Securing Angular Apps Brian Noyes

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM.

WEB-API & MVC5 - Identity & Security Mait Poska & Andres Käver, IT Kolledž 2014.

Database Form Processing Made Easy Chad Killingsworth Web Projects Coordinator.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

#SummitNow CORS 6 Nov 2013 / 14 Nov 2013 Jared Ottley / Alfresco Software.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

SECURE DEVELOPMENT. SEI CERT TOP 10 SECURE CODING PRACTICES Validate input Use strict compiler settings and resolve warnings Architect and design for.

UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

Web Application Vulnerabilities

An Introduction to Web Application Security

Modeling User Interactions for (Fun and) Profit Preventing Request Forgery Attacks in Web Applications Karthick Jayaraman, Grzegorz Lewandowski, Paul G.

WEB-API & MVC5 - Identity & Security

What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.

Cross-Site Request Forgeries: Exploitation and Prevention

Automatic and Precise Client-Side Protection against CSRF Attacks

Web Systems Development (CSC-215)

Riding Someone Else’s Wave with CSRF

CSC 495/583 Topics of Software Security Intro to Web Security

Cross-Site Request Forgery (CSRF) Attack Lab

Fast-Track UiPath Developer Module 10: Sensitive Data Handling

Security and JavaScript

Cross-Site Scripting Attack (XSS)

Cross Site Request Forgery (CSRF)

Presentation transcript:

Automatic and Precise Client-Side Protection against CSRF Attacks

Road Map  Background / Example  Problem of Current Countermeasures  Main Ideas  Evaluation the Assumption

Background  CSRF: Cross Site Request Forgery  Two domains A and B. Content of origin B initiate requests to origin A, and the browser will treat these requests as being part of the ongoing session with A.  The problem is: if the session with A is authenticated session, B can initiate privileges requests to A, without the user being involved.

Example POST /auth/390/NewUserStep2.ashx HTTP/1.1 Host: mdsec.net Cookie: SessionId=8299BE6B260193DA076383A2385B07B9 Content-Type: application/x-www-form- urlencoded Content-Length: 83 realname=daf&username=daf& userrole=admin&password=letmein1& confirmpassword=letmein1 <form action=” method=”POST”>Chapter 13 Attacking Users: Other Techniques 505 document.forms[0].submit();

Problem of Current Countermeasures  Server-Side:  Require server-side modifications on source code level and it may take a very long time.  Client-Side:  Too strict  Server-Proxy:  Have not published

Main Idea  Except expected request, client-side state is stripped from all cross-origin requests.  Expected Request: A cross-origin request from A to B is expected if B previously delegated to A.  B delegates to A if  B issues a POST request, or  B redirects to A with parameters Conclusion: When origin A trying to send request to origin B, client-side state is stripped, Unless, B trust A.

Main Idea  Two reasons:  Non-malicious collaboration scenarios follow this pattern.  It is hard for attacker to bypass the countermeasure.

Filtering Algorithm

Evaluating the Trusted-Delegation Assumption  Assumption: An origin won’t be attacked by a “ trusted ” origin.  Origin A trust origin B only if A post message to B or A redirect to B with parameters.  10 out of 23 hundred origins are left unprotected by the countermeasure.

Redirecting Search Engines sa=t&rct=j&q=books&source=w eb&cd=3&ved=0CFAQFjAC&url =http%3A%2F%2Fwww.bookdep ository.co.uk%2F&ei=Y_2RT7LLA pKQ8wSn8bDvAw&usg=AFQjC NF8hAxvKCjeraYiftw74cony0jTk Q GET Redirect [Trust]

URL shorteners hrain-f1-explainer/index.html?hpt=wo_c2 Redirect hrain-f1-explainer/index.html?hpt=wo_c2

Questions