Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic and Precise Client-Side Protection against CSRF Attacks.

Published byMagnus Gray Modified over 9 years ago

Similar presentations

Presentation on theme: "Automatic and Precise Client-Side Protection against CSRF Attacks."— Presentation transcript:

1 Automatic and Precise Client-Side Protection against CSRF Attacks

2 Road Map  Background / Example  Problem of Current Countermeasures  Main Ideas  Evaluation the Assumption

3 Background  CSRF: Cross Site Request Forgery  Two domains A and B. Content of origin B initiate requests to origin A, and the browser will treat these requests as being part of the ongoing session with A.  The problem is: if the session with A is authenticated session, B can initiate privileges requests to A, without the user being involved.

4 Example POST /auth/390/NewUserStep2.ashx HTTP/1.1 Host: mdsec.net Cookie: SessionId=8299BE6B260193DA076383A2385B07B9 Content-Type: application/x-www-form- urlencoded Content-Length: 83 realname=daf&username=daf& userrole=admin&password=letmein1& confirmpassword=letmein1 <form action=”https://mdsec.net/auth/390/NewUserStep2.ashx” method=”POST”>Chapter 13 Attacking Users: Other Techniques 505 document.forms[0].submit();

5 Problem of Current Countermeasures  Server-Side:  Require server-side modifications on source code level and it may take a very long time.  Client-Side:  Too strict  Server-Proxy:  Have not published

6 Main Idea  Except expected request, client-side state is stripped from all cross-origin requests.  Expected Request: A cross-origin request from A to B is expected if B previously delegated to A.  B delegates to A if  B issues a POST request, or  B redirects to A with parameters Conclusion: When origin A trying to send request to origin B, client-side state is stripped, Unless, B trust A.

7 Main Idea  Two reasons:  Non-malicious collaboration scenarios follow this pattern.  It is hard for attacker to bypass the countermeasure.

8 Filtering Algorithm

9 Evaluating the Trusted-Delegation Assumption  Assumption: An origin won’t be attacked by a “ trusted ” origin.  Origin A trust origin B only if A post message to B or A redirect to B with parameters.  10 out of 23 hundred origins are left unprotected by the countermeasure.

10 Redirecting Search Engines http://www.google.com.hk/url? sa=t&rct=j&q=books&source=w eb&cd=3&ved=0CFAQFjAC&url =http%3A%2F%2Fwww.bookdep ository.co.uk%2F&ei=Y_2RT7LLA pKQ8wSn8bDvAw&usg=AFQjC NF8hAxvKCjeraYiftw74cony0jTk Q GET Redirect http://www.bookdepository.com/ [Trust]

11 URL shorteners http://bit.ly/IFLzqI http://www.malicious.com/2012/04/20/world/meast/ba hrain-f1-explainer/index.html?hpt=wo_c2 https://bitly.com/ Redirect http://www.malicious.com/2012/04/20/world/meast/ba hrain-f1-explainer/index.html?hpt=wo_c2

12 Questions

Download ppt "Automatic and Precise Client-Side Protection against CSRF Attacks."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,
Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
HTTP – HyperText Transfer Protocol

HTTP – HyperText Transfer Protocol
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google