Web security: OWASP project, CSRF threat and solutions.
Fabio Lombardi
©2014 Bonitasoft
About me
• Since 2013
  – Research & Development Engineer @Bonitasoft
• Past:
  – 2 years as Web Penetration Tester Consultant
  – Post-graduate studies in IT Security and Software Engineering
BPM open source world leader
In the US
• $5,400,000: average organization cost of a data breach
• $277: average cost per stolen record
• ~10,000: cyber attack attempts against the US Navy since this talk started
From a 2013 Ponemon Institute study: Cost of Data Breach Study: Global Analysis
... and in Europe
From a 2013 Ponemon Institute study: Cost of Data Breach Study: Global Analysis
Ref: http://www-935.ibm.com/services/us/en/it-services/security-services/data-breach/
It’s not just about money...
• 233 million users
• 1 million people, thousands of credit cards
• 800,000 users, 200,000 Snapchat photos
• personal photos leakage
Security has to be taken into account
How to change things?
The reference for web application security
https://www.owasp.org
https://www.youtube.com/user/OWASPGLOBAL
LAPSE+ plugin for source code analysis
Example of a vulnerability description
Ref: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
Ref: https://www.veracode.com/blog/2012/06/building-secure-web-applications-infographic
CSRF (Cross-Site Request Forgery)
• Not well known (compared to XSS or SQL injection)
• Impacts
  – Malicious money transfers
  – User creation
  – Privilege escalation
  – Compromise of end user data
  – The entire web application can be compromised
  – ...
CSRF: The attack
(Diagram actors: User, My-site.com, Attacker web page, data)
1. The user logs in to My-site.com
2. My-site.com sends back a session cookie
3. The user is free to make API calls
4. The user simply browses the malicious web page
5. The malicious web page makes blind API calls on the user's behalf on my-site.com
6. Data is compromised
The Attacker web page
• Example:
  – A popular web site clone (phishing tools) + hidden:
    <iframe src="./attack_payload.html" width="0" height="0"></iframe>
  • attack_payload.html:
    • action="http://my-site.com/API/users" works using the session cookie obtained from the my-site.com page
  – Generates a HTTP POST call to my-site.com on the user's behalf
  – A new user is created
Why does the attack work?
• It's due to a web browser feature
• The session is kept alive across multiple browser tabs: the browser attaches the session cookie to every request sent to my-site.com, whichever tab or page originates it
The attack weaknesses
• The attacker only attempts blind attacks
  – Cannot read the HTTP response
  – Cannot read the session cookie
(Diagram: Request / Response)
CSRF: Solution
(Diagram actors: User, My-site.com, Attacker web page, data)
1. The user logs in to My-site.com
2. My-site.com sends back a session cookie + X-API-Token in the response header
3. The user has to resend the X-API-Token in the request header of further API calls
4. The user simply browses the malicious web page
5. The malicious web page blindly attempts to make the API call but without knowing the X-API-Token
6. The call is rejected as unauthorized
Solution: server side
• Token generation
• Token check
Solution: client side
• Session initialization
• API Requests
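The server-side (token generation, token check) and client-side (session initialization, API requests) parts of the solution, worked through in Python as an added example; this is not Bonitasoft's code. The server issues an X-API-Token alongside the session cookie and rejects API calls that do not resend it; the Browser class models the cookie jar, which a hidden iframe on the attacker page can ride, and the token held by the page script, which it cannot read. The JSESSIONID cookie name, the create_user handler for POST /API/users and the "demo" password are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS: dict = {}  # constructed in-memory store: session id -> X-API-Token

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def login(username: str, password: str) -> Response:
    """Steps 1-2: on login, create a session and issue a fresh X-API-Token."""
    if password != "demo":  # placeholder credential check for the example
        return Response(401, body="bad credentials")
    session_id, api_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[session_id] = api_token
    return Response(200, headers={"Set-Cookie": f"JSESSIONID={session_id}; HttpOnly",
                                  "X-API-Token": api_token})

def create_user(cookies: dict, headers: dict, body: dict) -> Response:
    """Server side: token check on POST /API/users (assumed handler name)."""
    expected = SESSIONS.get(cookies.get("JSESSIONID", ""))
    if expected is None:
        return Response(401, body="no session")
    # Constant-time compare; a missing or wrong header is rejected.
    if not hmac.compare_digest(headers.get("X-API-Token") or "", expected):
        return Response(401, body="missing or wrong X-API-Token")
    return Response(201, body=f"created {body['name']}")

class Browser:
    """Cookie jar (sent automatically) plus the token kept by the page's script."""
    def __init__(self):
        self.cookies = {}
        self.api_token = None  # readable only by my-site.com's own JavaScript

    def init_session(self, user: str, password: str) -> Response:
        """Client side: session initialization, keep the token from the header."""
        resp = login(user, password)
        if resp.status == 200:
            name, value = resp.headers["Set-Cookie"].split(";")[0].split("=", 1)
            self.cookies[name] = value
            self.api_token = resp.headers["X-API-Token"]
        return resp

    def api_call(self, body: dict) -> Response:
        """Client side: cookie from the jar, token resent by the page script."""
        return create_user(self.cookies, {"X-API-Token": self.api_token}, body)

    def cross_site_post(self, body: dict) -> Response:
        """Step 5 of the attack: a form in the attacker's hidden iframe posts to
        my-site.com; the cookie still travels, but the page cannot read the token."""
        return create_user(self.cookies, {}, body)
```

The cross-site post is rejected with 401 even though the session cookie is valid, which is exactly the blind-attack weakness the token exploits.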
OWASP Eclipse plugin
https://www.owasp.org/index.php/OWASP_LAPSE_Project
https://code.google.com/p/lapse-plus/
http://suif.stanford.edu/~livshits/work/lapse/index.html
Static code analysis for detecting some OWASP vulnerabilities.
Three steps: Vulnerability Source, Vulnerability Sink and Provenance Tracker
Thank you
@lomba_fabio
fr.linkedin.com/pub/fabio-lombardi/27/833/660/