Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Cross Site Request Forgery New Attacks and Defenses Collin Jackson Stanford University collinj@cs.stanford.edu (206) 963-0724 Joint work with Adam Barth and John C. Mitchell 6/25/2008

2 OWASP Outline  CSRF Defined  Attacks Using Login CSRF  Existing CSRF Defenses  CSRF Defense Proposal  Identity Misbinding

3 OWASP Threat Models  Forum Poster  Injects content onto trusted site  Sanitized (hopefully)  Web Attacker  Owns https://www.attacker.com  Free user visit  Network Attacker  Eavesdrop/corrupt normal traffic  Cannot eavesdrop/corrupt HTTPS

4 OWASP Browser vs. Web Attacker  Isolate sites  Sites can opt in to sharing information  Prevent attacker from  Abusing user’s IP address  Reading browser state associated with other sites  Writing browser state associated with other sites

5 OWASP Browser Security Policy  Same-origin policy alert(frames[0].document.cookie);  Library import  Data export

6 OWASP Problems with Data Export  Abusing user’s IP address  Can issue commands to servers inside firewall  Reading browser state  Can issue requests with cookies attached  Writing browser state  Can issue requests that cause cookies to be overwritten  “Session riding” is a misleading name

7 OWASP Cross-Site Request Forgery

8 OWASP Login CSRF

9 OWASP Payments Login CSRF

10 OWASP Payments Login CSRF

11 OWASP Payments Login CSRF

12 OWASP Payments Login CSRF

13 OWASP Inline Gadgets

14 OWASP Using Login CSRF for XSS

15 OWASP Post-XSS

16 OWASP CSRF Defenses  Secret Validation Token  Referer Validation  Custom HTTP Header Referer: http://www.facebook.com/home.php X-Requested-By: XMLHttpRequest

17 OWASP Secret Validation Token vs. Web Attacker  Hash of User ID  Attacker can forge  Session ID  Save to HTML does allow session hijacking  Session-Independent Nonce (Trac)  Can be overwritten by subdomains, network attackers  Session-Dependent Nonce (CSRFx, CSRFGuard)  Requires managing a state table  HMAC of Session ID  No extra state required

18 OWASP Keeping Secrets in NoForge  Parses HTML and appends token to hyperlinks  Dynamically created HTML lacks token  Legacy application may break unexpectedly  Token appended to all external links  Remote site can immediately CSRF referrer  No login CSRF defense  Requires a session before token is validated

19 OWASP Referer Validation  Lenient Referer checking – header is optional  Strict Referer checking – header is required Referer: http://www.facebook.com/ Referer: http://www.evil.com/attack.html  ? Referer:

20 OWASP Why use Lenient Referer Checking?  Referer may leak privacy-sensitive information http://intranet.corp.apple.com/ projects/iphone/competitors.html  Common sources of blocking:  Network stripping by the organization  Network stripping by local machine  Stripped by browser for HTTPS -> HTTP transitions  User preference in browser  Buggy user agents  Site cannot afford to block these users

21 OWASP Lenient Referer Checking vs. Web Attacker ftp://www.attacker.com/index.html javascript:" /* CSRF */ " data:text/html, /* CSRF */ … and many more Lenient Referer Checking is not secure! Don’t use it! M. Johns '06 Referer:

22 OWASP Is Strict Referer Checking Feasible? 283,945 advertisement impressions from 163,767 IP addresses

23 OWASP Custom Header  XMLHttpRequest is for same-origin requests  Can use setRequestHeader within origin  Limitations on data export format  No setRequestHeader equivalent  XHR2 has a whitelist for cross-site requests  Issue POST requests via AJAX:  No secrets required X-Requested-By: XMLHttpRequest

24 OWASP Can browsers help sites with CSRF?  Does not break existing sites  Easy to use  Allows legitimate cross-site requests  Reveals minimum amount of information  No secrets to leak  Standardized

25 OWASP Proposal: Origin Header Origin: http://www.evil.com  Privacy  Identifies only principal that initiated the request (not path or query)  Sent only for POST requests; following hyperlink reveals nothing  Usability  Authorize subdomains and affiliate sites with simple firewall rule  No need to manage secret token state  Can use redundantly with existing defenses to support legacy browsers  Standardization  Supported by W3C XHR2 and JSONRequest  Expected in IE8’s XDomainRequest SecRule REQUEST_HEADERS:Host !^www\.example\.com(:\d+)?$ deny,status:403 SecRule REQUEST_METHOD ^POST$ chain,deny,status:403 SecRule REQUEST_HEADERS:Origin !^(https?://www\.example\.com(:\d+)?)?$

26 OWASP Identity Misbinding  User is logged in to trusted site as attacker  Does not always require login CSRF  OpenID  PHP Cookieless Authentication  “Secure” cookies

27 OWASP Web Attacker vs. OpenID

28 OWASP Web Attacker vs. PHP Cookieless Authentication

29 OWASP Network Attacker vs. “Secure” Cookies  Need a browser- based solution  Cookie-Integrity  Mitigation: Don’t allow self-XSS over HTTPS

30 OWASP Conclusions  Beware of:  State-modifying GET requests  Login CSRF  Lenient Referer checking  Sloppy secret token validation  OpenID without binding to browser  PHP cookieless authentication  User opt-in to self-XSS (especially over HTTPS)  OK:  Careful secret token validation  Strict Referer checking over HTTPS  Custom headers

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.

Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.

Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.
Beware of Finer-Grained Origins

Beware of Finer-Grained Origins
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.

Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.

Similar presentations

Ads by Google