Web Security. Course: EPL 682 Name: Savvas Savva

Transcription

1 Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, [2] L. Huang and A. Moshchuk and H. Wang, Clickjacking: Attacks and Defenses, pub. in USENIX Security Symposium, 2012.

2 Robust Defenses for Cross- Site Request Forgery Course: EPL 682 Name: Savvas Savva This presentation is based on: [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, 2008.

3 CSRF Attack CSRF = Cross-Site Request Forgery: The victim's browser, instructed by a malicious site, sent a request to an honest site. This attack: Leveraging Network Connectivity. Leveraging Browser state. Disrupts integrity of the victim session with a honest site. In login CSRF attack, an attacker uses the victim s browser to forge a cross-site request to the honest site s login URL, supplying the attacker s username and password.

4 Contribution / Contents Paper Contribution about the topic: A good explanation of the CSRF threat model. A study of current browser behavior. A proposal for an Origin header containing the information necessary for CSRF defense. A study of related session initialization vulnerabilities.

5 CSRF Definition Network Connectivity. Read Browser State. Write Browser State. In-Scope Threats Forum Poster. Web Attacker. Network Attacker.

6 Attack A: Login CSRF Attack

7 Another CSRF Attack Detailed

8 Defending Techniques Using a secret request Token: Validating using this secret token. Fraught with pitfalls. A Popular technique. Validating the HTTP Referer Header Simple technique. Referer header can be suppressed. Validating Custom Headers attached to XMLHttpRequests Ajax interface. Requires sites to valid all state-modifying requests.

9 Experiment Design Build Advertising networks and make it available from 5 April 2008 to 8 April advertisement impressions from unique IP address. GET and POST requests both over HTTP and HTTPS. Requests are generated by submitting forms, requesting images, and issuing XMLHttpRequests. Same-domain requests to the primary server and cross-domain requests to the secondary server. Log Referer header, User-Agent header, date, client s class C network, session identifier, document.referer. Did not log the client s IP address, instead logged the HMAC of client s IP address.

10 img Tag with malicious URL

11 img tag with malicious URL <script> document.write(unescape("%3cscript src='" + (document.location.protocol == " " : " + ".scorecardresearch.com/beacon.js' %3E%3C/script%3E")); </script> <noscript> <img src=" /> </noscript>

12 Execute malicious form using Http/Https POST Method

13 Experiment Results

14 Experiment Results The Referer header is suppressed more often for HTTP requests than for HTTPS requests. Browsers that suppress the Referer header also suppress the document.referrer value. But when Referer is suppressed in the network, the document.referrer value is not suppressed.

15 Experiment Results The document.referrer value being suppressed: PlayStation 3 browser does not support Opera suppresses for cross-site HTTPS request Bug in Firefox 1.0 and 1.5

16 Experiment Conclusions CSRF Defense over HTTPS HTTP: percentage (3-11%) of users HTTPS: percentage ( %) of users Site must reject requests that omit the Referer header Privacy Matters Must address privacy concerns in order to effective in large-scale deployments

17 Proposed Solution Origin Header: Privacy Includes only the information required to identify the principal that initiated the request. Sent only for POST requests. Server Behavior All state-modifying requests, including login requests, must be sent using the POST method. Server must reject any requests whose Origin header contains an undesired value.

18 Proposed Solution Origin Header: Security Analysis Rollback and Suppression, DNS Rebinding,Plug-ins Adoption Improves and unifies four other proposals and has been adopted by several working groups Implementation Browser side: WebKit, Safari, Firefox Server side: ModSecurity, Apache

19 What exactly is Origin header Improves and unifies previous proposals: Cross-Site XMLHttpRequest: The proposed standard for cross-site XMLHttpRequest included a Access-Control-Origin header to identify the origin issuing the request. XDomainRequest: The XDomainRequest API in Internet Explorer 8 Beta 1 sends cross-site HTTP requests that omit the path and query from the Referer header.

20 What exactly is Origin header Improves and unifies previous proposals: JSONRequest: The JSONRequest API for crosssite HTTP requests included a Domain header that identifies the host name of the requester. Cross-Document Messaging: The HTML 5 specification proposes a new browser API for authenticated client-side communication between HTML documents

21 To clear misleading Http Referer Header not equal to the proposed Origin Header. The Origin header is became HTML5 feature.

22 Malicious XMLHttpRequest

23 Session Initialization Authenticated as User Predictable session identifier Authenticated as Attacker Login CSRF Two common approaches to mounting an attack on session initialization HTTP Requests and Cookie Overwriting

24 HTTP Requests OpenID: 1. Web attacker visits the Relying Party (Blogger) and beings the authentication process with the Identity Provider (Yahoo!) 2. Identity Provider redirects the attacker s browser to the return to URL of the Relying Party 3. Attacker directs the user s browser to the return to URL 4. The Relying Party completes the OpenID protocol and stores a session cookie in the user s browser 5. The user is now logged in as the attacker

25 HTTP Requests PHP Cookieless Authentication: 1. The web attacker logs into the honest web site. 2. The web attacker redirects the user s browser to the URL currently displayed in the attacker s location bar. 3. Because this URL contains the attacker s session identifier, the user is now logged in as the attacker.

26 Cookie Overwriting An active network attacker can supply a Set-Cookie header over a HTTP connection to the same host name as the site and install either a Secure or a non-secure cookie of the same name Defense cannot be deployed without breaking standards and existing web apps Cookie-Integrity header

27 Related Work RequestRodeo Strips implicit authorization information from outgoing cross-site HTTP requests Breaks existing web site functionality CAPTCHA Attacker can manually solve CAPTCHAs Attacker can address captchas to be solved online from captcha solvers.

28 Conclusions Login CSRF Strict Referer validation Third-party Content Images, hyperlinks should use a framework that implements secret token validation correctly Origin header Eliminating the privacy concerns HTTPS and non-https requests both work

29 Thanks For Watching! Any Questions?

30 Clickjacking: Attacks and Defenses Course: EPL 682 Name: Savvas Savva This presentation is based on: [2] L. Huang and A. Moshchuk and H. Wang, Clickjacking: Attacks and Defenses, pub. in USENIX Security Symposium, 2012.

31 Introduction Defining clickjacking The user is tricked to click on something he didn t intend to click on. Existing defenses are insufficient This is proven in this paper with three new attack variants from existing clickjacking techniques. Clickjacking attacks can cause severe damages. Better results and more effective than Social engineering. New defense to address root causes The paper user study demonstrates its effectiveness.

32 What is Clickjacking? Simple definition: The user is tricked to click on something he didn t intend to click on. An attacker application presents a sensitive UI Element of a target application out of context to a user (e.g. hiding sensitive UI ELement by make it transparent ect). Some examples: Likejacking Sharejacking (Transparently overlaying on top of a safe UI element)

33 Defining clickjacking Formally Prerequisite: multiple mutually distrusting applications sharing the same display. An attack application compromises context integrity of another application s UI when the user acts on the UI.

34 Hiding the target Element - Likejacking Example C B Temporal integrity, for some noticeable amount of time transform to facebook page like button A Claim Your Free ipad Pro Cursorjacking is not Performed. Could be done Using CSS cursor property. Also, can perform strokejacking attack for fake blink in keyboard typing cursor and fake text input. The same appears in twitter tweet button to create the TweetBomb attack. Video link :

35 Compromise visual integrity target Hiding the target as previously shown. Use opacity 0 in css or attribute hidden. Partial overlays For example in the older trusted paypal checkout iframe. Cropping Crop elements in other visa checkout payments or the old paypal iframe and leave only a pay button.

36 Existing defenses to protect visual integrity User confirmation Degrades user experience. UI randomization Unreliable (e.g. multi-click attacks). Framebusting (X-Frame-Options) Incompatible with embedding 3rd-party objects.

37 Existing defenses to protect visual integrity Opaque overlay policy (Gazelle browser) Breaks legitimate sites. Visibility detection on click (NoScript) False positives.

38 Protecting temporal integrity Imposing a delay after displaying UI Annoying to user. None of current defenses consider pointer (Photo from Lifehacker)

39 Proposed Clickjacking Attack 1. Accessing user s webcam 2. Stealing user s 3. Revealing user s identity

40 Evaluating attacks 2064 Amazon Mechanical Turk web users Cost was 25 cents per user. Users can only participate once, and only for one Treatment. The user study on Amazon Mechanical Turk shows that people fall for these attacks with success rate 43% to 98%.

41 Accessing User s Webcam - Cursor Spoofing Attack Attack technique: cursor-spoofing Attack success: 43% (31/72)

42 Stealing User s s Double Click Attack Attack technique: pop-up window Attack success: 47% (43/90)

43 Revealing User s Identity - LikeJacking Attack Compromise web surfing anonymity. Whack-a-mole game. Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84)

44 InContext Defense Design Goals: Should support embedding 3rd-party objects. Should not prompt users for their actions. Should not break existing sites. Should be resilient to new attack vectors.

45 InContext Defense

46 Proposed InContext Defense InContext let websites mark their sensitive ui elements and then lets the browsers enforce the context integrity of user actions on the sensitive UI Elements. A set of techniques to ensure context integrity for user actions. Server opt-in approach: Let websites indicate their sensitive UIs. Let browsers enforce context integrity when users act on the sensitive UIs.

47 Ensuring visual integrity of target Dynamic OS-level screenshot comparison processing delay on click < 30ms (prototype on IE 9)

48 Ensuring visual integrity of pointer Remove cursor customization Attack success: 43% -> 16% Freeze screen around target on pointer entry Attack success: 43% -> 15% Attack success (margin=10px): 12% Attack success (margin=20px): 4% (baseline:5%) (GOOD) Lightbox effect around target on pointer entry Attack success (Freezing + lightbox): 2%

49 Accessing User s Webcam Attack Attack technique: cursor-spoofing Attack success: 43% (31/72)

50 Enforcing temporal integrity UI delay: after visual changes on target or pointer, invalidate clicks for some ms Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target

51

52 Enforcing temporal integrity UI delay: after visual changes on target or pointer, invalidate clicks for some ms Attack success (delay=250ms): 47% -> 2% (2/91) Attack success (delay=500ms): 1% (1/89) Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target Attack success: 0% (0/88)

53 Stealing User s s Double Click Attack Attack technique: pop-up window Attack success: 47% (43/90)

54 Whack-a-mole attack Exclude victims who were moving their pointer around the Like button for many seconds, and deliberating whether or not to click. Defense against clickjacking aspects: Screen freezing, margin=20px: 98% -> 16% Screen freezing, margin=20px, pointer entry delay=500ms: 4% Screen freezing, margin=20px, pointer entry delay=1000ms: 1% Social Engineering: 63% users intentionally clicked on Like button after the proposed defenses made them fully aware of this.

55 Revealing User s Identity Attack Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84)

56 Conclusion This paper demonstrates new clickjacking variants that can evade current defenses. The paper user studies show that our attacks are highly effective (success rates 43% to 98%). In the paper the InContext defense can be very effective against clickjacking.

57 Thanks For Watching! Any Questions?