Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec 2006 27- 30. November 2006 Martin.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec 2006 27- 30. November 2006 Martin."— Presentation transcript:

1 Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec 2006 27- 30. November 2006 Martin Johns

2  Martin Johns, UH, FB Inf, SVS, 20062 Me, Myself and I Martin Johns johns at informatik.uni-hamburg.de Security researcher at the University of Hamburg Member of the secologic project  Research project carried out by SAP, Commerzbank, Eurosec and the University of Hamburg  Sponsored by the German Ministry of Technology (BMWi)  Goal: Improving software security  Visit us at http://www.secologic.org

3  Martin Johns, UH, FB Inf, SVS, 20063 Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

4  Martin Johns, UH, FB Inf, SVS, 20064 Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

5  Martin Johns, UH, FB Inf, SVS, 20065 Explicit Authentication The authentication credentials are communicated by the web application URL rewriting: Session token is included in every URL Form based session tokens Immune against XSRF (actually only almost immune)

6  Martin Johns, UH, FB Inf, SVS, 20066 Implicit Authentication Automatically executed by the browser Cookies http authentication (Basic, Digest, NTLM) IP based schemes Client side SSL Potentially vulnerable to XSRF

7  Martin Johns, UH, FB Inf, SVS, 20067 Session management with cookies After the authentication form the server sets a cookie at the client’s browser As long as this cookie is valid, the client’s requests are treated as authorized

8  Martin Johns, UH, FB Inf, SVS, 20068 http authentication (Basic, Digest) ClientServer The client requests a restricted resource The server answers with a “401 Unauthorized” response This causes the client’s browser to demand the credentials The client resends the request The user’s credentials are included via the “Authorization” header Every further request to that authentication realm contains the credentials automatically GET index.html 401 Unauthorized GET index.html Authorization: h3m8dxjh 200 OK HTML data

9  Martin Johns, UH, FB Inf, SVS, 20069 IP based authentication Firewall Intranet webserver

10  Martin Johns, UH, FB Inf, SVS, 200610 Client side SSL authentication The client web browser possesses a X.509 certificate that was signed by an authority that is trusted by the web application Initial authentication:  The client has to prove his identity  For this reason, the web server demands a valid signature from the client   “SSL handshake”  Depending on the browser, the user may or may not confirm the initial handshake by entering a password (only once) If the handshake was successful, a SSL session is established between the client’s browser and the web server As long as the SSL session is valid, all request to the web server are transmitted using the negotiated credentials

11  Martin Johns, UH, FB Inf, SVS, 200611 Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

12  Martin Johns, UH, FB Inf, SVS, 200612 XSRF / Session Riding Exploits implicit authentication mechanisms Known since 2001 XSRF a.k.a. CSRF a.k.a. “Session Riding” (a.k.a. “Sea Surf”) Unknown/underestimated attack vector (compared to XSS or SQL injection) The Attack: The attacker creates a hidden http request inside the victim’s web browser This request is executed in the victim’s authentication context

13  Martin Johns, UH, FB Inf, SVS, 200613 www.bank.com XSRF / Session Riding (II) Cookie: auth_ok

14  Martin Johns, UH, FB Inf, SVS, 200614 www.bank.com XSRF / Session Riding (II) Cookie: auth_ok www.attacker.org GET transfer.cgi?am=10000&an=3422421

15  Martin Johns, UH, FB Inf, SVS, 200615 XSRF / Session Riding (III) Cause: The web application does not verify that state changing request were created “within” the web application Attack methods: Forging GET requests:  Image tag with SRC attribute that points to a state changing URL  The URL might be obfuscated by a http redirect Forging POST request:  Attacker creates an IFRAME (or a pop-up window)  The frame is filled with a HTML form  This form is submitted via JavaScript

16  Martin Johns, UH, FB Inf, SVS, 200616 XSRF / Session Riding (IV) Reflected: Attacker has to manufacture a website that hosts the origin of the hidden request Local / stored: Origin of the malicious http request is hosted on the attacked website Example: Users are allowed to post images with foreign URLs Realworld exploits State alteration of network devices JavaScript code inclusion (to enable an XSS attack) Execution of arbitrary PHP-code Intranet-Exploration (e.g., JavaScript port-scanning)  XSRF is the basis for “JavaScript Malware”

17  Martin Johns, UH, FB Inf, SVS, 200617 Example 1: Breaking Applications Vulnerable: digg.com digg.com’s frontpage is determined by the number of “diggs” a certain story gets Using XSRF a webpage was able to cause the victim’s browser to “digg” an arbitrary URL The demo page “digged” itself

18  Martin Johns, UH, FB Inf, SVS, 200618 Example 2: Causing Financial Loss Vulnerable: Netflix.com Add movies to your rental queue Add a movie to the top of your rental queue Change the name and address on your account Change the email address and password on your account (i.e., takeover your account) Cancel your account (Unconfirmed/Conjectured)

19  Martin Johns, UH, FB Inf, SVS, 200619 Example 3: Owning the Server Vulnerable: Wordpress 2.02 Wordpress’ theme editor was susceptible to XSRF Wordpress theme-files can be php-files Via XSRF an attacker could modify those files to contain arbitrary php-code

20  Martin Johns, UH, FB Inf, SVS, 200620 Example 4: Exploring the Intranet Vulnerable: (most) intranet webservers By dynamically including external images and using timed JavaScript events, a malicious website can, e.g.:  Portscan the intranet  Fingerprint existing web servers and installed applications  “JavaScript Malware”

21  Martin Johns, UH, FB Inf, SVS, 200621 XSRF / Session Riding (IV) General problem: Session Riding vulnerabilities are NOT caused by programming mistakes Completely correct code can be vulnerable The reason for Session Riding lies within http:  No dedicated authentication credential  State-changing GET requests  JavaScript “Preventing Session Riding” is actually “fixing the protocol”

22  Martin Johns, UH, FB Inf, SVS, 200622 Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

23  Martin Johns, UH, FB Inf, SVS, 200623 Misconceptions Only accepting POST requests Defends against local attacks On foreign web pages hidden POST requests can be created with frames Referrer checking Some users prohibit referrers  referrerless requests have to be accepted Techniques to selectively create http request without referrers exist: Furthermore, referrers can be spoofed with Flash

24  Martin Johns, UH, FB Inf, SVS, 200624 Method 1: Switch to explicit authentication URL rewriting: Session token is included in every URL Attention: Token leakage via proxy-logs/referrers Does not protect against local attacks  All URLs produced by the application contain the token Form based session tokens Session token is communicated via “hidden” form fields Attention: May break the “Back” button Combination of explicit and implicit mechanisms e.g. Cookies AND URL-rewriting Has to be supported by the used framework SID-leakage may still be a problem

25  Martin Johns, UH, FB Inf, SVS, 200625 Method 2: Manual Protection (I) Reflected attacks: Allow only POST requests to commit state changing requests  (as it was intended by the inventors of http) Use one-time form tokens (nonces)  This assures that the POST request’s origin was an HTML form that was provided by the web application in the first place Example:

26  Martin Johns, UH, FB Inf, SVS, 200626 Method 2: Manual Protection (II) Local attacks: Mirror all foreign content Don’t allow arbitrary URLs Only serve images from your own servers Careful: Do not allow attackers to store arbitrary data on your computers

27  Martin Johns, UH, FB Inf, SVS, 200627 Method 3: Automatic protection NoForge [1] Reverse Proxy Positioned between web application and internet Parses http responses and adds tokens to all internal URLs Drops requests, that do not contain a token Only protects applications that use cookies for session tracking [1] Nenad Jovanovic, Engin Kirda and Christopher Kruegel, Preventing Cross Site Request Forgery Attacks, IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), Baltimore, MD, August 2006, http://www.seclab.tuwien.ac.at/papers/noforge.pdf

28  Martin Johns, UH, FB Inf, SVS, 200628 Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

29  Martin Johns, UH, FB Inf, SVS, 200629 RequestRodeo: Concept Client Side Proxy or Browser Extension (“RequestRodeo”) Identification of potential fraudulent requests Removal of implicit authentication “fixing the browser”

30  Martin Johns, UH, FB Inf, SVS, 200630 Identification of suspicious requests The origin determines the state Definition: entiteld Only entitled requests are permitted to carry implicit authentication information A request’s state can be established by the browser An http request is classified as entitled only if: – It was initiated because of the interaction with a web page (i.e. clicking on a link, submitting a form or through JavaScript) and – the URLs of the originating page and the requested page satisfy the “same origin policy”

31  Martin Johns, UH, FB Inf, SVS, 200631 Proxy Solution: Processing http responses Adding tokens to URLs HTML code in http responses is processed Identification of elements that potentially causes http requests The target URLs of these elements are enhanced with a URL token The tokens are kept together with the repose’s URL in a table  This way the proxy is able determine a request’s origin “a reliable referrer” Every http request is checked for a URL token If such a token exists, the originating URL is retrieved If the domains of the request and its origin do not match, implicit authentication information gets removed

32  Martin Johns, UH, FB Inf, SVS, 200632 Removal of implicit authentication Cookies:  Remove all “Cookie”-fields from unentitled requests  A cookie’s domain value has to be respected http authentication:  Browser Extension: Triggers a new authentication dialogue for unentitled requests  Proxy: Adds token to the URL before removing the “authentication header” Client Side SSL:  Display warning web site before sending the request  Non-obstrusive: hidden and image-tag-based attacks are not noticeable by the user

33  Martin Johns, UH, FB Inf, SVS, 200633 Removal of implicit authentication (II) IP-based authentication Unentitled requests are only allowed if their target is worldreachable For this reason a “reflection sever” is employed The reflection server is hosted in a DMZ (i.e. on the other side of the cooperate inner firewall) Before allowing an unentitled request, the proxy verifies that the reflection server is able to access the request’s target Caching of checked IPs to minimize the performance penalty  Such a reflection server also protects against “JavaScript-Malware”

34  Martin Johns, UH, FB Inf, SVS, 200634 Removal of implicit authentication: IP-based auth. Inner Firewall Intranet webserver RequestRodeo Malicious site Reflection server HEAD ? OK Outer Firewall DMZ

35  Martin Johns, UH, FB Inf, SVS, 200635 Removal of implicit authentication: IP-based auth. Inner Firewall Intranet webserver RequestRodeo Malicious site Reflection server ? Outer Firewall DMZ HEAD DENY 

36  Martin Johns, UH, FB Inf, SVS, 200636 Implementation Proxy [1]: Implemented in Python Using the “Twisted” framework Will be released on www.secologic.org Browser Extension: Extension for Firefox Under development [1] "RequestRodeo: Client Side Protection against Session Riding“, Martin Johns and Justus Winter, in Proceedings of the OWASP Europe 2006 Conference by Piessens, F. (ed.), Report CW448, Katholieke Universiteit Leuven, 2006

37  Martin Johns, UH, FB Inf, SVS, 200637 Discussion Conservative Approach: Connections are allowed Only removal of implicit authentication Request to public resources are uninhibited With small modifications also usable at the server side Limitations: No protection against “local” attacks Proxy solution:  NTLM / Client Side SSL not implemented Future work Addition of anti XSS techniques

38  Martin Johns, UH, FB Inf, SVS, 200638 Agenda Web Application Authentication XSRF / Session Riding Server Side Countermeasures Client Side Protection Conclusion

39  Martin Johns, UH, FB Inf, SVS, 200639 Conclusion Session Riding is problematic! Correct looking code can be vulnerable! Programmers: Use nonces whenever possible Users: Logout!

40  Martin Johns, UH, FB Inf, SVS, 200640 The end Thank you for your attention Questions? Comments?

Download ppt "Fachbereich Informatik SVS – Sicherheit in Verteilten Systemen Universität Hamburg On XSRF And Why You Should Care PacSec 2006 27- 30. November 2006 Martin."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET

Similar presentations

Ads by Google