Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byReynard Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Cross-Site Request Forgery: Danger, Detection, and Defenses Eric Sheridan Aspect Security, Inc. eric.sheridan@aspectsecurity.com 11-14-2007

2 OWASP Overview  Discussion of the “Same Origin Policy”  Overview of the “Sleeping Giant”  The Introduction of  2 New OWASP Tools  A Series of New WebGoat Labs  Enterprise CSRF Mitigation Strategy 2

3 OWASP The Browser “Same Origin” Policy 3 bank.com blog.net XHR document, cookies TAG JS

4 OWASP Cross-Site Request Forgery 4 bank.com attacker’s post at blog.net Go to Transfer Assets https://bank.com/fn?param=1 Select FROM Fund https://bank.com/fn?param=1 Select TO Fund https://bank.com/fn?param=1 Select Dollar Amount https://bank.com/fn?param=1 Submit Transaction https://bank.com/fn?param=1 Confirm Transaction https://bank.com/fn?param=1

5 OWASP How Does CSRF Work?  Tags https://bank.com/fn?param=1 https://bank.com/fn?param=1 https://bank.com/fn?param=1  Autoposting Forms https://bank.com/fn  XmlHttpRequest  Subject to same origin policy 5

6 OWASP Credentials Included 6 bank.com blog.net https://bank.com/fn?param=1 JSESSIONID=AC934234…

7 OWASP New Tool: OWASP CSRFTester  Test your applications for CSRF  Record and replay transactions  Tune the recorded test case  Run test case with exported HTML document  Test case alternatives  Auto-Posting Forms  Evil iFrame  IMG Tag  XMLHTTPRequest  Link 7

8 OWASP DEMO: OWASP CSRFTester 8

9 OWASP What Can Attackers Do with CSRF?  Anything an authenticated user can do  Click links  Fill out and submit forms  Follow all the steps of a wizard interface  No restriction from same origin policy, except…  Attackers cannot read responses from other origins  Limited on what can be done with data  Severe impact on accountability  Log entries reflect the actions a victim was tricked into executing 9

10 OWASP Using CSRF to Attack Internal Pages 10 attacker.com internal.mybank.com Allowed! CSRF Internal Site TAG internal browser

11 OWASP Misconceptions – Defenses That Don’t Work  Only accept POST  Stops simple link-based attacks (IMG, frames, etc.)  But hidden POST requests can be created with frames, scripts, etc…  Referer checking  Some users prohibit referers, so you can’t just require referer headers  Techniques to selectively create HTTP request without referers exist  Requiring multi-step transactions  CSRF attack can perform each step in order  URL Rewriting  General session id exposure in logs, cache, etc. None of these approaches will sufficiently protect against CSRF!

12 OWASP Add Token to HTML New Tool: OWASP CSRFGuard 2.0 12 User (Browser) Business Processing OWASP CSRFGuard Verify Token 1. Add token with regex 2. Add token with HTML parser 3. Add token in browser with Javascript  Adds token to:  href attribute  src attribute  hidden field in all forms  Actions:  Log  Invalidate  Redirect http://www.owasp.org/index.php/CSRFGuard

13 OWASP DEMO: OWASP CSRFGuard 2.0 13

14 OWASP Similar Implementations  PHP CSRFGuard  PHP Implementation of CSRFGuard  http://www.owasp.org/index.php/PHP_CSRF_Guard http://www.owasp.org/index.php/PHP_CSRF_Guard  JSCK  PHP & JavaScript implementation  http://www.thespanner.co.uk/2007/10/19/jsck/ http://www.thespanner.co.uk/2007/10/19/jsck/ 14

15 OWASP DEMO: Cross-Site Scripting vs. CSRFGuard 15

16 OWASP Enterprise CSRF Mitigation Strategy  Balance Between Security, Usability, and Cost 16 Challenge Response One-Time Token CAPTCHA Transaction Signing Unique Request Tokens Unique URL Token Worth the time and money?

17 OWASP http://www.owasp.org/index.php/Cross-Site_Request_Forgery http://www.cgisecurity.com/articles/csrf-faq.shtml http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2

18 OWASP Extra: How Widespread Are CSRF Holes?  Very likely in most web applications  Including both intranet and external apps  Including Web 1.0 and Web 2.0 applications  Any function without specific CSRF defenses is vulnerable  How do victims get attacked?  Victim simply opens an infected webpage, HTML file, or email  Single Sign On (SSO) extends “authenticated user”  CSRF recently found in 8 security appliances  Including CheckPoint 18

19 OWASP Extra: Real World CSRF Examples http://www.netflix.com /AddToQueue? movieid=70011204 19

20 OWASP Extra: CSRF Defenses  CAPTCHA  Attacker must know CAPTCHA answer  Assuming a secure implementation  Re-Authentication  Password Based  Attacker must know victims password  If password is known, then game over already!  One-Time Token  Attacker must know current token  Very strong defense!  Unique Request Tokens  Attacker must know unique request token for particular victim for particular session  Assumes token is cryptographically secure and not disclosed.  /accounts?auth=687965fdfaew87agrde … 20

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.

A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations

Ads by Google