Web Security: Session management and CSRF

Transcription

1 Web Security: Sessio maagemet ad CSRF CS 161: Computer Security Prof. Raluca Ada Popa April 5, 2018 Credit: this deck is a combiatio of my slides ad slide adaptatios from previous offerigs of this course ad from CS 241 of Prof. Da Boeh

2 Cookie policy versus same-origi policy

3 Cookie policy: whe browser seds cookie GET //URL-domai/URL-path Cookie: NAME = VALUE Server A cookie with domai = example.com, ad path = /some/path/ will be icluded o a request to

4 Cookie policy versus same-origi policy Cosider Javascript o a page loaded from a URL U If a cookie is i scope for a URL U, it ca be accessed by Javascript loaded o the page with URL U, uless the cookie has the httpoly flag set.

5 Examples cookie 1 ame = userid value = u1 domai = logi.site.com path = / o-secure cookie 2 ame = userid value = u2 domai =.site.com path = / o-secure cookie: userid=u2 cookie: userid=u1, userid=u2 cookie: oe JS o each of these URLs ca access all cookies that would be set for that URL if the httpoly flag is ot set

6 Idirectly bypassig same-origi policy usig cookie policy Sice the cookie policy ad the same-origi policy are differet, there are corer cases whe oe ca use cookie policy to bypass same-origi policy Ideas how?

7 Example Victim user browser fiacial.example.com web server Cookie domais: fiacial.example.com blog.example.com cookie jar for *.example.com blog.example.com web server (assume attacker compromised this web server) Browsers maitai a separate cookie jar per domai group, such as oe jar for *.example.com to avoid oe domai fillig up the jar ad affectig aother domai. Each browser decides at what graularity to group domais.

8 Example Victim user browser fiacial.example.com web server GET example.com fiacial.example.com set-cookie: blog.example.com web server blog.example.com example.com cookie jar for *.example.com (assume attacker compromised this web server) Attacker sets may cookies with domai example.com which overflows the cookie jar for domai *.example.com ad overwrites cookies from fiacial.example.com

9 Example Victim user browser fiacial.example.com web server example.com example.com example.com example.com cookie jar for *.example.com blog.example.com web server (assume attacker compromised this web server) Attacker sets may cookies with domai example.com which overflows the cookie jar for domai *.example.com ad overwrites cookies from fiacial.example.com

10 Example Victim user browser GET fiacial.example.com web server example.com example.com example.com example.com cookie jar for *.example.com Whe Alice visits fiacial.example.com, the browser automatically attaches the attacker s cookies due to cookie policy (the scope of the cookies is a domai suffix of fiacial.example.com) Why is this a problem?

11 Idirectly bypassig same-origi policy usig cookie policy Victim thus ca logi ito attackers accout at fiacial.example.com This is a problem because the victim might thik its their accout ad might provide sesitive iformatio This bypassed same-origi policy (idirectly) because blog.example.com iflueced fiacial.example.com

12 RFC For further details o cookies, checkout the stadard RFC6265 HTTP State Maagemet Mechaism - Browsers are expected to implemet this referece, ad ay differeces are browser specific

13 Sessio maagemet

14 Sessios A sequece of requests ad resposes from oe browser to oe (or more) sites Sessio ca be log (Gmail - two weeks) or short without sessio mgmt: users would have to costatly re-autheticate Sessio mgmt: Authorize user oce; All subsequet requests are tied to user

15 Pre-history: HTTP auth Oe userame ad password for a group of users HTTP request: GET /idex.html HTTP respose cotais: WWW-Autheticate: Basic realm="password Required Browsers seds hashed password o all subsequet HTTP requests: Authorizatio: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=

16 HTTP auth problems Hardly used i commercial sites User caot log out other tha by closig browser w What if user has multiple accouts? w What if multiple users o same computer? Site caot customize password dialog Cofusig dialog to users Easily spoofed

17 Sessio tokes Browser GET /idex.html GET /books.html aoymous sessio toke set aoymous sessio toke Web Site POST /do-logi Userame & password elevate to a logged-i sessio toke check credetials (later) POST /checkout logged-i sessio toke Validate toke

18 Storig sessio tokes: Lots of optios (but oe are perfect) Browser cookie: Set-Cookie: SessioToke=fduhye63sfdb Embedd i all URL liks: SessioToke=kh7y3b I a hidde form field: <iput type= hidde value= kh7y3b > ame= sessioid

19 Storig sessio tokes: problems Browser cookie: browser seds cookie with every request, eve whe it should ot (CSRF) Embed i all URL liks: toke leaks via HTTP Referer header users might share URLs I a hidde form field: short sessios oly Better aswer: a combiatio of all of the above (e.g., browser cookie with CSRF protectio usig form secret tokes)

20 Cross Site Request Forgery

21 This ew category was created by mergig 2010-A7 Isecure Cryptographic Storage & 2010-A9 - Isufficiet Trasport Thisew ewcategory categorywas was created mergig 2010-A7 Isecure Cryptographic Storage& & - -Isufficiet Trasport This byby mergig 2010-A7 Isecure Cryptographic Storage 2010-A9 - Isufficiet Trasport This ew category wascreated created by mergig 2010-A7 Isecure &2010-A A9 Isufficiet Layer Protectio, plus addig browser side sesitive data risks ascryptographic well. This ewstorage category covers sesitive data Trasport Layer Protectio, plus addig browser side sesitive data risks as well. This ew category covers sesitive data Layer plus browser side sesitive data risks as as well. This ew category covers sesitive datadata LayerProtectio, Protectio, plusaddig addig browser side sesitive data risks well. ew category sesitive protectio (other tha access cotrol which is covered by 2013-A A4 adthis 2013-A7) fromthe thecovers momet sesitive dataisis protectio (other tha access cotrol which is covered by ad 2013-A7) from momet sesitive data protectio (other tha access cotrol which is covered by 2013-A4 ad 2013-A7) from the momet sesitive data is is protectio (other tha access cotrol which is covered by 2013-A4 ad 2013-A7) from the momet sesitive data provided by the user, set to ad stored withi the applicatio, ad the the set set back backto tothe thebrowser browseragai. agai. provided by the user, set to ad stored withi the applicatio, ad provided ad stored withi thethe applicatio, ad the set back to the browser agai. providedbybythe theuser, user,set settoto ad stored withi applicatio, ad the set back to the browser agai. 5) We added: 2013-A9: Usig Kow Vulerable Compoets: 5) We Weadded: added:2013-a9: 2013-A9:Usig Usig Kow Vulerable Compoets: 5)5) Vulerable Compoets: We added: 2013-A9: UsigKow Kow Vulerable Compoets: This issue was metioed part 2010-A6 SecurityMiscofiguratio, Miscofiguratio, but ow has category ofits itsow ow asthe the Thisissue issuewas wasmetioed metioedasas as part of 2010-A6 but ow has aaacategory ++++ This part ofof 2010-A6 Security but ow has a category ofof its asas the This issue was metioed as part of 2010-A6 Security SecurityMiscofiguratio, Miscofiguratio, but ow has category of ow its ow as the growth ad depth compoet based developmet has sigificatly icreased the risk ofusig usig kow vulerable growthad addepth depthofof of compoet based developmet has sigificatly icreased the risk kow vulerable growth based developmet has sigificatly icreased the risk ofof usig kow vulerable growth ad depth ofcompoet compoet based developmet has sigificatly icreased the risk of usig kow vulerable compoets. compoets. compoets. compoets. Top web vulerabilities OWASP Top (Previous) OWASPTop Top (Previous) OWASP OWASP Top (Previous) (Previous) OWASP Top (New) OWASP Top 10 (New) OWASP (New) OWASPTop Top (New) A1 Ijectio Ijectio A1 Ijectio A1 Ijectio Ijectio A1A1 Ijectio Ijectio A1 Ijectio A3 Broke BrokeAutheticatio Autheticatioad ad Sessio Maagemet A3 Maagemet Broke Autheticatio ad Sessio Maagemet A3 Broke Autheticatio adsessio Sessio Maagemet Broke Autheticatio ad Sessio Maagemet A2A2 Broke Autheticatio ad Sessio Maagemet Broke Autheticatio ad Sessio Maagemet A2 Broke Autheticatio ad Sessio Maagemet A2 Cross-Site Cross-SiteScriptig Scriptig(XSS) (XSS) A2 A2 Cross-Site Scriptig (XSS) A2 Cross-Site Scriptig (XSS) Cross-Site Scriptig (XSS) A3A3 Cross-Site Scriptig (XSS) A3 Cross-Site Scriptig (XSS) A3 Cross-Site Scriptig (XSS) A4 Isecure IsecureDirect DirectObject ObjectRefereces Refereces A4 A4 Isecure Direct Object Refereces A4 Isecure Direct Object Refereces Isecure Direct Object Refereces A4A4 Isecure Direct Object Refereces A4 Isecure Direct Object Refereces A4 Isecure Direct Object Refereces A6 Security SecurityMiscofiguratio Miscofiguratio A6 A6 A6 Security SecurityMiscofiguratio Miscofiguratio Security Miscofiguratio A5A5 Security Miscofiguratio A5 A5 Security Security Miscofiguratio Miscofiguratio A7 A7 Isecure IsecureCryptographic CryptographicStorage Storage Merged Mergedwith witha9a9 A7 A7 Isecure IsecureCryptographic CryptographicStorage Storage Merged Mergedwith witha9 A9 A6A6 Sesitive Data Exposure Sesitive Data Exposure A6 A6 Sesitive Sesitive Data Data Exposure Exposure A8 A8 Failure FailuretotoRestrict RestrictURL URLAccess Access Broadeed Broadeedito ito A8 Failure Failureto torestrict RestrictURL URLAccess Access Broadeed Broadeedito ito A8 A7A7 Missig Fuctio Level Access Cotrol Missig Fuctio Level Access Cotrol A7 Missig Missig Fuctio Fuctio Level Level Access Access Cotrol Cotrol A7 A5 A5 Cross-Site Cross-SiteRequest RequestForgery Forgery(CSRF) (CSRF) A5 Cross-Site Cross-SiteRequest RequestForgery Forgery(CSRF) (CSRF) A5 A8A8 Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) A8 Cross-Site Cross-Site Request Request Forgery Forgery (CSRF) (CSRF) A8 <buried <buriediia6: A6:Security SecurityMiscofiguratio> Miscofiguratio> <buriediia6: A6:Security SecurityMiscofiguratio> Miscofiguratio> <buried A10 A10 Uvalidated UvalidatedRedirects Redirectsad adforwards Forwards A10 Uvalidated UvalidatedRedirects Redirectsad adforwards Forwards A10 A9 A9 Isufficiet IsufficietTrasport TrasportLayer LayerProtectio Protectio A9 Isufficiet IsufficietTrasport TrasportLayer LayerProtectio Protectio A9 A9A9 Usig Kow Vulerable Compoets Usig Kow Vulerable Compoets A9 Usig Usig Kow Kow Vulerable Vulerable Compoets Compoets A9 A10 Uvalidated Redirects ad Forwards A10 Uvalidated Redirects ad Forwards A10 Uvalidated Uvalidated Redirects Redirects ad ad Forwards Forwards A10 Merged with 2010-A7 ito ew 2013-A6 Merged with 2010-A7 ito ew 2013-A6 Merged with with 2010-A A7 ito ito ew ew 2013-A A6 Merged 21

22 HTML Forms Allow a user to provide some data which gets set with a HTTP POST request to a server <form actio="bak.com/actio.php"> First ame: <iput type="text" ame="firstame"> Last ame:<iput type="text" ame="lastame"> <iput type="submit" value="submit"></form> Whe fillig i Alice ad Smith, ad clickig submit, the browser issues HTTP POST request bak.com/actio.php?firstame=alice&lastame=smith As always, the browser attaches relevat cookies

23 Cosider cookie storig sessio toke Server assigs a sessio toke to each user after they logged i, places it i the cookie The server keeps a table of userame to curret sessio toke, so whe it sees the sessio toke it kows which user

24 Sessio usig cookies Browser Server

25 Basic picture Server Victim bak.com User Victim cookie for bak.com with sessio toke What ca go bad? Attack Server URL cotais trasactio actio

26 Cross Site Request Forgery (CSRF) Example: User logs i to bak.com w Sessio cookie remais i browser state User visits malicious site cotaiig: <form ame=f actio= <iput ame=recipiet value=badguy> <script> documet.f.submit(); </script> Browser seds user auth cookie with request w Trasactio will be fulfilled Problem: cookie auth is isufficiet whe side effects occur

27 Form post with cookie Cookie: SessioID=523FA4cd2E User credetials

28 Form post with cookie Cookie: SessioID=523FA4cd2E User credetials

29 Squigler demo

30 2008 CSRF attack A attacker could add videos to a user s "Favorites," add himself to a user s "Fried" or "Family" list, sed arbitrary messages o the user s behalf, flagged videos as iappropriate, automatically shared a video with a user s cotacts, subscribed a user to a "chael" (a set of videos published by oe perso or group), ad added videos to a user s "QuickList" (a list of videos a user iteds to watch at a later poit).

31

32 Defeses ideas?

33 CSRF Defeses CSRF toke <iput type=hidde value=23a3af01b> Referer Validatio Referer: Others (e.g., custom HTTP Header) we wo t go ito

34 CSRF toke 1. goodsite.com server wats to protect itself, so it icludes a secret toke ito the webpage (e.g., i forms as a hidde field) 2. Requests to goodsite.com iclude the secret 3. goodsite.com server checks that the toke embedded i the webpage is the expected oe; reject request if ot Ca the toke be? Dateofbirth CSRF toke must be hard to guess by the attacker

35 How toke is used! The server stores state that bids the user's CSRF toke to the user's sessio id! Embeds CSRF toke i every form! O every request the server validates that the supplied CSRF toke is associated with the user's sessio id! Disadvatage is that the server eeds to maitai a large state table to validate the tokes.

36 Other CRSF protectio: Referer Validatio Whe the browser issues a HTTP request, it icludes a referer header that idicates which URL iitiated the request This iformatio i the Referer header could be used to distiguish betwee same site request ad cross site request

37 Referer Validatio

38 Referer Validatio Defese HTTP Referer header Referer: Referer: Referer: w Strict policy disallows (secure, less usable) w Leiet policy allows (less secure, more usable) ü û?

39 Privacy Issues with Referer header! The referer cotais sesitive iformatio that impiges o the privacy! The referer header reveals cotets of the search query that lead to visit a website.! Some orgaizatios are cocered that cofidetial iformatio about their corporate itraet might leak to exteral websites via Referer header

40 Referer Privacy Problems Referer may leak privacy-sesitive iformatio projects/iphoe/competitors.html Commo sources of blockig: Network strippig by the orgaizatio Network strippig by local machie Stripped by browser for HTTPS -> HTTP trasitios User preferece i browser

41 Summary: sessios ad CSRF Cookies add state to HTTP Cookies are used for sessio maagemet They are attached by the browser automatically to HTTP requests CSRF attacks execute request o beig site because cookie is set automatically Defeses for CSRF: embed upredicatable toke ad check it later check referer header