OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
-
Upload
paul-mooney -
Category
Software
-
view
1.078 -
download
0
Transcript of OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Protecting Applications Against CSRF Attacks
Who am I?
• Host of insidethecpu.com• Software Architect at Ryanair• Specialise in performance optimisation• Creator of the Encrypted Token Pattern• Builder of A.R.M.O.R
Who I am NOT
• A security expert• Certified Ethical Hacker or otherwise• Affiliated with other security initiatives• Here to preach
Why am I here?
• A nuts-and-bolts programmer• C#• Java• Google Go• JavaScript• Etc.• Stumbled (and then dived) into security• Asked to implement OWASP Top 10
Why am I here?
• Talking about the Encrypted Token Pattern• My Blog (insidethecpu.com)• Visual Studio Magazine article• .NET Rocks• Very kindly extended an invitation
Cross Site Request Forgery (CSRF)
Anatomy of a CSRF Attack
• User logs in to mybank.com• Clicks on a malicious link• Link executes a HTTP request• Request damages the user’s data• HTTP request leverages user’s authenticated
status
De facto Defence Mechanisms
• Synchroniser Token• Double Submit Cookie
Synchroniser Token Pattern
• Uses 2 tokens and compares both on the server
• 1 token in session• 1 token on the UI• Dissimilar token pairs are rejected• User must be validated
Double Submit Cookie
• Compares 2 tokens• Both tokens held on the UI• 1 token in a cookie• 1 token in the HTTP AUTH Header• Dissimilar token pairs are rejected• User must be validated
Why roll your own?
• Existing patterns have shortcomings• Didn’t like the idea of multiple tokens• Full disclosure – I wanted to take the problem
apart to understand it more thoroughly • So what’s wrong with existing defences?
Synchroniser Token Pattern
• Requires session state• Promotes session affinity• Session is volatile• Session requires memory• Not a good fit for the cloud
Why this didn’t suit us
• Large cloud-based infrastructure• 25 – 50 million customers • Needs to be evenly balanced• Didn’t want security mechanism to direct
traffic
Double Submit Cookie
• Reliant on cookies• Cookies are a hacker’s first port of call• Susceptible to MITM attacks• Cookies can be overwritten• XSS vulnerabilities in sub-domains
circumnavigate CSRF defence
Double Submit Cookie
• mydomain.com• sub.mydomain.com has an XSS fault• Supercookies can be altered• BANG.
Where does that leave us?
• Didn’t want session• Cookies to exposed• What to do next…
What is the Encrypted Token Pattern?
• An alternative to existing CSRF defences• Leverages a single security token only• Reduces the scope of attack
Encrypted Token Pattern
1 token onlyNo Session No Cookies
Implementations
• .NET – A.R.M.O.R written in C#• Major Java version in development• Upcoming Google Go• Accepted by Visual Studio Magazine• Under scrutiny by MSDN
Don’t take my word for it
• Used by a major bank in Quebec• Used by a major Irish bank (based here)• Used by a major US education provider
How does it work?
• Single token encryption• Stored anywhere on the UI• Persisted through AJAX or form-submit• Validated on the server • Refreshed on each request
What kind of encryption?
• Rijndael 256bit (AES) by default• SHA256 hashing by default• ARMOR abstracts encryption and hashing• Easily implement other standards
Summary
• ARMOR is an alternative to existing defences• In circulation > 2 years• Well established
Further Discussions
• Happy to talk about this afterwards• Ongoing discussions on insidethecpu.com,
reddit, hackernews, stackoverflow• https://ie.linkedin.com/in/daishisystems• Questions?
• https://ie.linkedin.com/in/daishisystems