Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modeling User Interactions for (Fun and) Profit Preventing Request Forgery Attacks in Web Applications Karthick Jayaraman, Grzegorz Lewandowski, Paul G.

Published byBritton McCormick Modified over 6 years ago

Similar presentations

Presentation on theme: "Modeling User Interactions for (Fun and) Profit Preventing Request Forgery Attacks in Web Applications Karthick Jayaraman, Grzegorz Lewandowski, Paul G."— Presentation transcript:

1 Modeling User Interactions for (Fun and) Profit Preventing Request Forgery Attacks in Web Applications Karthick Jayaraman, Grzegorz Lewandowski, Paul G. Talaga, and Steve J. Chapin Syracuse University CSE776 Design Patterns, Summer 2010

2 Motivation Web applications continue to be poorly built
Automated detection Web applications continue to be poorly built How widespread is the problem? It is a pandemic!. Problem sources Nature of web applications Programmer errors Automatic compromise Manual detection Source: Web Application Security Consortium, 2008 Report

3 Motivation Several defensive coding techniques exist
Difficult to get it right Average developer is not a security expert No “method” behind the madness Important : helping the developer

4 Preview Two important attacks
Cross-site request forgery Workflow attacks Root cause – Failure to model intended interaction patterns A systematic methodology for building web applications

5 Cross-site Request Forgeries

6 Workflow Attacks Step 1 Step 2 Step 3 Step 4 Choosing a product
Providing shipping information Providing payment information Final review, order completion Skipping step 3

7 Root Causes Attacks violate the intended user-application interaction
CSRF: Request originates from a malicious site Workflow attacks: Attackers forces the application to process an incorrect request Lack of strict enforcement of intended user- application interaction Web applications are more complex Average developer is not a secure expert Difficult to get it right

8 A New Design Methodology
Objectives Security by construction Systematic method for enforcing user-application interaction Two parts Modeling intended interaction patterns using the Web DFA model Four design patterns

9 The Web DFA Model

10 Design Patterns Pattern Description HTTP request type
Choosing an appropriate HTTP request type Secret-token Validation Adding an additional verification step to distinguish requests originating from attacker site from genuine requests. Intent verification Adding an additional verification step to verify user-intent when using auto login. Guarded Workflow Systematic method for designing workflow transactions.

11 HTTP Request Type Forces
Web apps should choose an appropriate HTTP request type for their request Choosing the wrong request can facilitate forgery Choosing the appropriate request is best done in design

12 HTTP Request Type Solution
Transitions to non- sensitive states should use HTTP GET Transitions to sensitive states should use HTTP POST

13 HTTP Request Type Consequences Known uses
Easy to understand – Requests are intention revealing Weak first layer of defense Increased complexity Known uses phpBB punBB

14 Secret-token Validation
Forces HTTP Requests can be repeatedly issued Session cookies are insufficient for preventing forgeries because browsers enable malicious web sites to steal cookies Cryptographic secrets can be application and web pages

15 Secret-token Validation
Solution Use a secret token whenever a sensitive request is made Add a secret token as a parameter to each form <input type=“hidden” name=sid value=“AS887AS9AS” /> Verify the presence of a secret token in sensitive requests Attacker cannot access the secret-token inside the web page. (Browser policy)

16 Secret-token Validation
Consequences Strong defense The session secret should be adequately strong and appropriately protected Known uses phpBB phpMyAdmin

17 Intent Verification Forces
Users do not know when they are tricked by an attacker into a CSRF attack Web applications should verify the intent of each submitted request Intent verification reduces the usability of the application

18 Intent Verification Solution
Introduce an additional verification step at the beginning of each sensitive transaction Additional authentication CAPTCHA

19 Intent Verification Consequences Known uses Informed user
Better detection of bots Hindered usability Known uses

20 Guarded Workflow Forces
Subtasks in a workflow should be executed in a predefined order Attackers want to manipulate the normal execution order Subtasks have preconditions that the caller should satisfy before invocation

21 Guarded Workflow Solution
Identify states participating in a workflow {subtask1 , subtask2 , ...., subtaskn } Identify preconditions and postconditions for each transition to the state. To enforce the sequence {subtask1 , subtask2 , ...., subtaskn }, postconditions1 ∪ postconditions2 ∪ .... ∪ postconditionsn-1 ⊂ preconditionsn

22 Guarded Workflow

23 Guarded Workflow Consequences Known uses Design by contract.
Hard to determine preconditions. Known uses Directed session pattern Design by contract

24 Conclusion Securing web applications is more complex compared to desktop application Multiple and complementary approaches are required Better system-level techniques Better frameworks Crucial : Well engineered applications that are secure by construction

Download ppt "Modeling User Interactions for (Fun and) Profit Preventing Request Forgery Attacks in Web Applications Karthick Jayaraman, Grzegorz Lewandowski, Paul G."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.

Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Patterns for Secure Boot and Secure Storage in Computer Systems By: Hans L¨ohr, Ahmad-Reza Sadeghi, Marcel Winandy Horst G¨ortz Institute for IT Security,

Patterns for Secure Boot and Secure Storage in Computer Systems By: Hans L¨ohr, Ahmad-Reza Sadeghi, Marcel Winandy Horst G¨ortz Institute for IT Security,
The OWASP Way Understanding the OWASP Vision and the Top Ten.

The OWASP Way Understanding the OWASP Vision and the Top Ten.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Robust Defenses for Cross-Site Request Forgery CS6V81 - 005 Presented by Saravana M Subramanian.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

Similar presentations

Ads by Google