Intro to Web attacks - ENSIMAG · 2011. 6. 14. · •Lecturers: VIPRET Julien and MOUGEY Camille...


Page 1

• Lecturers: VIPRET Julien and MOUGEY Camille

Intro to Web attacks: CSRF

SecurIMAG

2011-05-26

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INP Ensimag

Page 2

Summary

CSRF, the unknown:

• Brief presentation about lecturers

• CSRF presentation, working explanation

• How to protect myself?

• Questions

Page 3

Brief presentation about lecturers

VIPRET Julien

1A ENSIMAG

Next year: SLE

Beginner in computer security

Contact: vipretj__[at]__ensimag.fr

MOUGEY Camille

1A ENSIMAG

Next year: ISI

Beginner in computer security, Web fan

Contact: mougeyc__[at]__ensimag.fr

Page 4

CSRF presentation, working explanation (1/4)

• CSRF = Cross-Site Request Forgery

• CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and in many places in their online documentation.

• Purpose: make the browser of a user who is already authenticated on a website send a request to that website, without the user intending it

• Principle:

  1. Normal consultation of a website (the user is logged in)

  2. Mail from Evil containing a malicious link

  3. Execution of a query with the victim's permissions, without his knowledge

  <iframe src=http://www.exemple.com/admin.php?adduser=CSRF&privilege=admin>

Page 5

CSRF presentation, working explanation (2/4)

• In practice: HTML <img> tags, mail, ...

• Threats on the local network too

Page 6

CSRF presentation, working explanation (3/4)

• Potentially, ALL applications which keep a session are vulnerable

• The attacker only needs to know the architecture of the target application

  o Open source, fired network admin, …

• Subtler attacks exist (Login CSRF)

  o Login on Google, Yahoo

  o Paypal

  o iGoogle

• CSRF is not XSS

Page 7

Aside: Login CSRF on Google, Yahoo

With a CSRF attack, the user is logged in to Google as « Evil ».

Each request is then stored in the « Evil » Google search history.

The attacker (owner of the « Evil » account) now has access to the victim's search history.

• Allows the attacker to obtain the victim's search requests on Google, Yahoo

Page 8

Aside: Login CSRF on iGoogle

Connected as [email protected]

Connected as [email protected]

Login CSRF: accept an iGoogle gadget with origin www.google.com

Inject XSS with origin www.google.com

• Allows XSS to be run with origin www.google.com (see SOP, the same-origin policy)

Page 9

CSRF presentation, working explanation (4/4)

• Demonstration: DB-Protect 1.0

• Real example: or how to get the real name of your visitors with the LIKE button

login=julien&pass=azerty&privilege=admin

Page 10

How to protect myself? (1/3)

• Although the HTTP specification [Tim Berners-Lee, Roy Fielding, and Henrik Frystyk. Hypertext Transfer Protocol—HTTP/1.0. RFC 1945, May 1996.] requires GET requests to be free of side effects, some sites do not comply with this requirement.

• Using only POST

  o The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed.

  o A form can be automatically submitted from a malicious website.

• Referer?

  o Not suitable on its own…

  o Main reason: there are browsers which don't send the Referer header

  o Within the same website, the Referer is « valid »

  o But very efficient in a few cases: http://seclab.stanford.edu/websec/csrf/csrf.pdf

  o Project « Origin »

Diagram: (2) the browser sends the HTTP Referer (i.e. the URL of the calling page), e.g. Referer: www.exemple.com/index.php?q=others

Page 11

How to protect myself? (2/3)

• Introduce entropy

• Token:

  o Random data

  o Random variable name

• Double validation

• /!\ : With XSS, these protections can be circumvented

  o See the SAMY worm on MySpace (2005)
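As an added example (not code from the slides), the server side of the two defences above in Python: a per-session synchronizer token with a random field name, combined with an Origin/Referer check that falls back to the token alone when neither header is sent, the case the previous slide warns about. SITE_ORIGIN and the plain dict used as session store are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the site being protected (placeholder, not from the slides)
SITE_ORIGIN = "https://www.exemple.com"


def issue_csrf_token(session):
    """Store a fresh random token under a random field name in the server-side
    session (a dict standing in for the real session store) and return both,
    to be embedded as a hidden <input> in every state-changing form."""
    session["csrf_field"] = "f_" + secrets.token_hex(8)   # random variable name
    session["csrf_token"] = secrets.token_urlsafe(32)      # random data
    return session["csrf_field"], session["csrf_token"]


def source_allowed(headers):
    """Origin/Referer check. True if the request provably comes from our site,
    False if it provably comes from elsewhere, None if neither header is
    present (some browsers and proxies strip Referer), so that the caller
    falls back to the token instead of rejecting legitimate users."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return None


def check_state_changing_request(session, headers, form):
    """Decide whether a POST may be processed: a header naming a foreign
    origin rejects outright, and the submitted token must match the session."""
    if source_allowed(headers) is False:
        return False
    field, expected = session.get("csrf_field"), session.get("csrf_token")
    if not field or not expected:
        return False  # no token was ever issued for this session
    submitted = form.get(field, "")
    # constant-time comparison so timing does not leak the token byte by byte
    return hmac.compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    sess = {}
    field, token = issue_csrf_token(sess)
    same_site = {"Referer": SITE_ORIGIN + "/index.php?q=others"}
    print(check_state_changing_request(sess, same_site, {field: token}))  # True
    print(check_state_changing_request(sess, {"Origin": "https://attacker.invalid"}, {field: token}))  # False
```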

Page 12

How to protect myself? (3/3)

• There are server-side protections, but what about a server which totally trusts already logged-in clients? On the client side:

• For mail:

  o Don't allow automatic HTML interpretation

• Don't save logins in the browser

• Don't use the « remember me » option

• Don't follow suspicious links

• Always log out when you've finished

• CSRF Prevention Cheat Sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

Page 13

Questions

• Questions?

• Webography:

  o Actu-Secu n°11 (February 2007): http://www.xmcopartners.com/actu-secu/actu_secu_fevrier2007.pdf

  o "Confused Deputy": http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html

  o iSEC Partners white paper: http://www.isecpartners.com/documents/XSRF_Paper.pdf

  o CGISecurity FAQ: http://www.cgisecurity.com/articles/csrf-faq.shtml