Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross-site request forgery Collin Jackson CS 142 Winter 2009.

Published byAmos French Modified over 9 years ago

Similar presentations

Presentation on theme: "Cross-site request forgery Collin Jackson CS 142 Winter 2009."— Presentation transcript:

1 Cross-site request forgery Collin Jackson CS 142 Winter 2009

2 Outline Classic CSRF Server-side Defenses Advanced Attacks Proposals for client-side changes

3 Data export Many ways to send information to other origins No user involvement required Cannot read back response

4 Classic CSRF attack User visits victim site site Logs in User loads attacker's site Or encounters attacker's iframe on another site Attacker sends HTTP requests to victim Victim site assumes requests originate from itself

5 Classic CSRF Attack User credentials Cookie: SessionID=523FA4cd2E

6 DEFENSES

7 CSRF Defenses Secret Validation Token Referer Validation Custom HTTP Header Referer: http://www.facebook.com/home.php X-Requested-By: XMLHttpRequest

8 Secret Token Validation Requests include a hard-to-guess secret Unguessability substitutes for unforgeability Variations Session identifier Session-independent token Session-dependent token HMAC of session identifier See "Robust Defenses for Cross-Site Request Forgery" for a comparison of these options.

9 Secret Token Validation

10 Referer Validation

11 Referer Validation Defense HTTP Referer header Referer: http://www.facebook.com/ Referer: http://www.attacker.com/evil.html Referer: Lenient Referer validation Doesn't work if Referer is missing Strict Referer validaton Secure, but Referer is sometimes absent…  ?

12 Referer Privacy Problems Referer may leak privacy-sensitive information http://intranet.corp.apple.com/ projects/iphone/competitors.html Common sources of blocking: Network stripping by the organization Network stripping by local machine Stripped by browser for HTTPS -> HTTP transitions User preference in browser Buggy user agents Site cannot afford to block these users

13 Suppression Measurement 283,945 impressions

14 Suppression over HTTPS is low

15 Lenient Validation Vulnerability My site uses HTTPS, am I safe? Problem: Browsers do not append Referer if the source of the request is not an HTTP page ftp://attacker.com/attack.html data:text/html, … javascript:' … '

16 Strict Validation Problems Some sites allow users to post forms XSS sanitization doesn't include These sites need another defense Many sites allow users to post hyperlinks Solution: Respect HTTP verb semantics GET requests have no side effects POST requests can change state

17 Custom Header Defense XMLHttpRequest is for same-origin requests Can use setRequestHeader within origin Limitations on data export format No setRequestHeader equivalent XHR2 has a whitelist for cross-site requests Issue POST requests via AJAX: Doesn't work across domains X-Requested-By: XMLHttpRequest

18 ANNOUNCEMENTS Project 2, Mac OSX Tiger

19 ADVANCED ATTACKS

20 Broader view of CSRF Abuse of cross-site data export feature From user’s browser to honest server Disrupts integrity of user’s session Why mount a CSRF attack? Network connectivity Read browser state Write browser state Not just “session riding”

21 Login CSRF Attacker’s credentials

22 Payments Login CSRF

23

24

25

26 Rails vs. Login CSRF

27 Login CSRF Fails

28 CLIENT-SIDE DEFENSES

29 Can browsers help with CSRF? Does not break existing sites Easy to use Hard to misuse Allows legitimate cross-site requests Reveals minimum amount of information Can be standardized

30 Proposed Approaches HTTP Headers Identify the source of requests Change Referer header or add a new Origin header Send more information for POST than GET Experiment: Cross-domain POSTs out of firewall accounted for ~0.0001% of traffic Problem: Unsafe GET requests Problem: Third-party content within an origin Problem: How to handle redirects Same-origin-only cookies Doesn't help multi-domain sites: amazon.com and amazon.co.uk These sites could use other defenses

31 Conclusion Server-side defenses are required Secret token validation – use frameworks like Rails Referer validation – works over HTTPS Custom headers – for AJAX No easy solution User does not need to have an existing session for attacks to work Hard to retrofit existing applications with defenses

Download ppt "Cross-site request forgery Collin Jackson CS 142 Winter 2009."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.

A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov University of British Columbia.

The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems San-Tsai Sun and Konstantin Beznosov University of British Columbia.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Mitigating Malware Collin Jackson CS142 – Winter 2009.

Mitigating Malware Collin Jackson CS142 – Winter 2009.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Beware of Finer-Grained Origins

Beware of Finer-Grained Origins
AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.

AppSec USA 2014 Denver, Colorado CSRF 101 Introduction to Cross-Site Request Forgery.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Similar presentations

Ads by Google