OWASP Khartoum - CSRF Session - Abdullah Ulber - January 2013
About the Speaker
Abdullah Ulber
Senior Software Architect
Web Developer
MSc in Computer Science
Swiss Olympiad in Informatics
Volunteer at OWASP Khartoum
OWASP Mission
"to make application security visible so that people and organisations can make informed decisions about application security risks"
Lots of demos, lots of diagrams, lots of stuff covered: “Everything you ever wanted to know about CSRF”
What OWASP is NOT
Hogwarts School of Witchcraft And Wizardry
Product Neutrality
“OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.”
Introduction
Motivation
Character Study
How CSRF Works
Protections
INTRODUCTION
CSRF, pronounced "sea surf"
First mention in 2001 by Peter Watkins.
“I'm afraid CSRF is going to be a mess to deal with in many cases. Like trying to tame the seas.”
The attack with the coolest name.
A Magic Trick
MOTIVATION
Predictions
OWASP 2007: “CSRF is more prevalent than its current ranking would indicate, and it can be highly dangerous.”
MITRE CVE Trends, May 2007:“… there will likely be a significant increase in CSRF reports.”
WhiteHat Security, July 2007:“The Sleeping Giant”
Interest over Time (search-interest chart, 2005 to 2012)
Unlike XSS and SQL Injection (chart: SQL Injection and XSS, 2005 to 2012)
Let’s Be Fair (chart: SQL Injection, XSS and CSRF on the same scale, 2005 to 2012)
CSRF and XSS: The Evil Twins
Statistics by FireHost (chart: share of blocked attacks by type, 2011 total and Q1, Q2, Q3 2012, for CSRF, Directory Traversal, XSS and SQL Injection)
In the News
Strike #1 Feb 2008
Strike #2 Sept 2008
Strike #3 May 2010
A Career Alternative? Aug 2012
More Victims
cPanel, osCommerce, Amazon, eBay, Gmail … and countless more
A CHARACTER STUDY
Remote Control
No Damage Ceiling
Purchase of unwanted/unexpected items
Change the “Ship To:” address
Password Reset / User Account modification
Add contact or “friend”
Silent but Deadly
No browser warnings
No popups
No unusual behaviour whatsoever
Easily Mountable
No DNS manipulations
No wire-tapping
“Even a monkey can do it.”
Sneaky
Intranet Penetration
Administration Areas
Underestimated
Hard to detect
CSRF attacks fly under radar
Under-reported
Unprotected by Default
Unlike XSS and SQL Injection
1. Awareness of the threat
2. Knowledge of the protection
3. Use of protection
A Toxic Mix
Remote control without damage ceiling
Silent But deadly
Sneaky
Underestimated
Unprotected by default
HOW CSRF WORKS
Internet 101: a browser talks to a web server with two kinds of request, GET (following a link) and POST (submitting a form).
Regular Browsing (diagram: Browser and Web Server; link → GET, form → POST)
User Identity
On the server: session state, keyed by a session identifier (e.g. 3059750700012299210).
On the client: cookies, stored per site (cnn.com, owasp.sd), carrying that identifier.
Regular Browsing With Identity (diagram: Browser and Web Server; link → GET, form → POST, every request to the site carries its cookie)
Prepare For Attack (diagram): the victim signs in to the web server and keeps its session cookie.
POST-Based CSRF (diagram: Browser, Web Server, Evil Web Server): the evil web server delivers a page with a hidden form and JavaScript that submits it; the browser sends the resulting POST to the web server with the victim's cookie attached, exactly as it would for the site's own form.
From the Server’s Perspective (diagram: Web Server): the forged POST and the legitimate one look the same.
Confused deputy problem
GET-Based CSRF (Poor Man’s Version) (diagram: Browser, Web Server, Evil Web Server): the evil page embeds an image whose source is a state-changing URL on the web server; the browser issues the GET with the cookie attached. No JavaScript needed.
PROTECTIONS
Ineffective Protections
Referer Header
The Server’s Perspective with Referer (diagram: Web Server, referer): the Referer header names the page that caused the request, so a forged request would arrive with the evil web server as referer and could be rejected.
Corporate Information Leaks (diagram: link, referer): the same header sends the URL of the page you came from, intranet pages included, to whatever external site you click through to.
Behaviour Tracking (diagram: tracking site, tracking cookie): referers plus a tracking cookie let a third party follow a user from site to site.
Real-Life Behaviour Tracking (screenshot)
Because of these privacy problems, browsers, proxies and privacy tools routinely suppress or strip the Referer, so a server cannot treat a missing header as an attack without locking out legitimate users.
A Helpful Venn Diagram (figure)
HTTPS (diagram: Browser, Web Server, Evil Web Server): the forged POST from the evil page’s JavaScript travels over the same protected channel as the legitimate form POST. HTTPS protects the wire and authenticates the server; it says nothing about which page caused the browser to send the request.
Protected Cookies
httpOnly: invisible to JavaScript.
secure: sent only via HTTPS.
Protected Cookies: httpOnly (diagram: Browser, Web Server, Evil Web Server): the evil page’s JavaScript can’t read the cookie, but it never needs to; the browser attaches it to the forged POST all the same.
Protected Cookies: secure (diagram: Browser, Web Server, Evil Web Server): the forged POST targets an HTTPS URL, so the secure cookie is sent with it exactly as with the legitimate form POST.
Ineffective Protections: Summary
Referer Header: would be the perfect solution but suffers from privacy issues.
HTTPS, Secure Cookies: good in their own respects, but unfortunately do not help with CSRF.
Effective Protections
Protections by Location (diagram): client-side, in the browser and with the user; server-side, in the app and on the server.
Client-Side Protections
Separation of Concerns
Use of Separate Browsers: one browser for Facebook, one for email, one for everything else.
Use of Separate Browsers (diagram: Browser A, Browser B, Web Server, Evil Web Server): Browser A holds the session cookie; the evil page opened in Browser B sends its forged POST without it.
Sign Out (diagram: Browser, Web Server, Evil Web Server): signing out ends the session, so a later forged POST carries a cookie the server no longer recognises.
Cookie Expiry (diagram: Browser, Web Server, Evil Web Server): an expired session cookie is no longer sent, so the forged POST arrives unauthenticated.
Anti-CSRF Browser Add-Ons
CsFire
NoScript: Application Boundaries Enforcer (ABE)
RequestPolicy
Anti-CSRF Browser Add-Ons (CsFire) (diagram: Browser, Web Server, Evil Web Server): the cross-origin POST still goes out, but CsFire strips the cookies (and authentication headers) from it.
Anti-CSRF Browser Add-Ons (RequestPolicy) (diagram: Browser, Web Server, Evil Web Server): RequestPolicy blocks the cross-site request before it leaves the browser.
Server-Side Protections
The server has to defend itself.
Don’t rely on the client.
Let the client prove its legitimate origin.
The Burden of Proof (diagram: Web Server, + proof): each state-changing request must carry something that proves it originated from the site’s own page, something the evil page cannot supply.
Re-Authentication (diagram: Browser, Web Server, Evil Web Server): the site’s form asks for the password again; the forged POST from the evil page’s JavaScript has no password to offer.
CAPTCHA
Very unfriendly.
Only proves that you are human.
CAPTCHA (diagram: Browser, Web Server, Evil Web Server): the site’s form includes a CAPTCHA whose solution the user types in; the forged POST carries no solution.
Dual-Factor Authentication
Dual-Factor Authentication (diagram: Browser, Web Server, Evil Web Server): the transaction requires a code from the second factor, which the evil page cannot obtain.
Request Validation Token
Request Validation Token (diagram: Browser, Web Server, Evil Web Server): the server places a random token in its own form and checks it when the form is POSTed; the evil page’s JavaScript can’t read the token out of the site’s page (same-origin policy), so its forged POST fails the check.
Double Submit Token
The same token is sent twice, via cookie and via form, and the server compares the two. OWASP calls this the “Double Submit Cookie” pattern; the server-stored request validation token above is OWASP’s “Synchroniser Token Pattern”.
Double Submit Token (diagram: Browser, Web Server, Evil Web Server): the browser sends the cookie with the forged POST, but the evil page cannot read it to fill in the matching form field.
Good and Evil on the Web (diagram: Client, Server)
The Padlock Thief: a plain double submit token only checks that cookie and form field match. An attacker who can get the victim’s browser to send a cookie of the attacker’s choosing for the site can therefore supply a matching pair.
Protect the Protection
HMAC (hash-based message authentication code): compute the MAC of the token together with the session identity under a server-side key, and issue the result as the protected token. A cookie the attacker planted carries no valid MAC for the victim’s session.
Protected Double Submit Token (diagram: Browser, Web Server, Evil Web Server): the server checks that cookie and form field match and that the MAC verifies for the current session.
Pluggable Protection (diagram: Web Server, Web Application)
At the web server: the ModSecurity CRS Project (Apache, IIS).
In the web application: the CSRFGuard Library (Java, .NET, PHP).
Take Your Pick (chart: effectiveness, low to high, against user friendliness, low to high, for separate browsers, sign out, re-authenticate, dual-factor auth., double submit token, cookie expiry, CAPTCHA and browser add-ons)
Multiple Protections
double submit token
re-authentication
dual-factor authentication
CAPTCHA
cookie expiry
All!
Take-Aways
The bad news: CSRF is a clear and present danger. CSRF is on the rise.
The good news: there are many protections available. Tools are your friends.
Questions?
Planned Upcoming Presentations
Hijacking Bonanza (SSL/TLS, NTLM, JSON)
Web Server Hardening (Apache/IIS)
Secure Development Practices (PHP/ASP.NET)
Application Defense in Depth
HTML5 Content Security Policy - The End of XSS ?