A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

Size: px

Start display at page:

Download "A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications"

Esther Ward
5 years ago
Views:

1 A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University December 8, / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

2 Outline CSRF Attacks 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

3 Outline CSRF Attacks 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

4 Outline CSRF Attacks 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

5 Outline CSRF Attacks and Q&A 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

6 CSRF Attacks Attacker Victim Please visit evil.com Browser Bank 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

7 CSRF Attacks Attacker Victim Please visit evil.com Click on link Browser Bank 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

8 CSRF Attacks Attacker Victim Please visit evil.com Click on link Browser POST bank.com data + cookies Bank 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

9 CSRF Attacks Attacker Victim Please visit evil.com Click on link Browser POST bank.com data + cookies Bank Transfer money to attacker 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

10 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

11 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

12 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response Automatically submit form 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

13 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response Automatically submit form POST bank.com data + cookies 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

14 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response Automatically submit form POST bank.com data + cookies Transfer money 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

15 Harder: Must recognize which requests are intended. Easier: allow requests from trusted origins. 5 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

16 Harder: Must recognize which requests are intended. Easier: allow requests from trusted origins. Two techniques: Use explicit origin information. Referrer : http :// attacker. com / csrf. html Require source pages to (manually) insert a secret token in requests. <form action="transfer.php" method="post"> <input type="hidden" name="csrf-token" value="gdfgf4sjhf4fgfa-df4">... 5 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

17 Key Benefits of Our Approach How does our solution improve the state of the art? 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

18 Key Benefits of Our Approach How does our solution improve the state of the art? Handles requests dynamically generated on the browser from JavaScript code. 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

19 Key Benefits of Our Approach How does our solution improve the state of the art? Handles requests dynamically generated on the browser from JavaScript code. Can authenticate cross-origin requests. 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

20 Key Benefits of Our Approach How does our solution improve the state of the art? Handles requests dynamically generated on the browser from JavaScript code. Can authenticate cross-origin requests. Is compatible with all browsers and transparent to web applications and languages. 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

21 Overview User Browser Visit safe.com GET Proxy GET Response Server 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

22 Overview User Browser Visit safe.com Display page GET Modified Response Proxy GET Response Server 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

23 Overview User Browser Visit safe.com Display page Submit form GET Modified Response Proxy GET Response Server 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

24 Overview User Browser Visit safe.com Display page Submit form GET Modified Response Proxy GET Response Server adds token POST 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

25 Overview User Browser Visit safe.com Display page Submit form GET Modified Response Proxy GET Response Server adds token POST Verify Token POST 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

26 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Response 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

27 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

28 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Register submit handler for forms 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

29 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Register submit handler for forms 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

30 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Register submit handler for forms 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

31 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

32 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P POST post.php Cookie: C Data: form data + P 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

33 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P POST post.php Cookie: C Data: form data + P C == P 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

34 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P POST post.php Cookie: C Data: form data + P C == P POST post.php Data: form data 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

35 Potential Attack Vectors Guess the user s token. 9 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

36 Potential Attack Vectors Guess the user s token. Steal user s token. 9 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

37 Potential Attack Vectors Guess the user s token. Steal user s token. Cause victim to use attacker s token. 9 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

38 Supporting Cross-Origin Request Scenario: Source domain S submits a request to target T. Problem: S can set authentication parameter P for T, but can t set a cookie for T. 10 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

39 Supporting Cross-Origin Request Scenario: Source domain S submits a request to target T. Problem: S can set authentication parameter P for T, but can t set a cookie for T. Approach: T gives S a capability S includes this capability into the request for T. 10 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

40 Supporting Cross-Origin Request Scenario: Source domain S submits a request to target T. Problem: S can set authentication parameter P for T, but can t set a cookie for T. Approach: T gives S a capability S includes this capability into the request for T. Challenge: capability should be usable only by one specific user. If S requests the capability from T on behalf of the user, T has nothing to bind the user to. Solution: have the browser bind the capability for T, then send it to S. 10 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

41 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

42 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form S handler 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

43 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

44 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler XmlHttpRequest X-No-Csrf: Yes Data: S 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

45 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler XmlHttpRequest X-No-Csrf: Yes Data: S Set-Cookie: C P ST P ST = AES(C S) 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

46 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler Insert P ST into form postmessage P ST to S XmlHttpRequest X-No-Csrf: Yes Data: S Set-Cookie: C P ST P ST = AES(C S) 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

47 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler Insert P ST into form postmessage P ST to S XmlHttpRequest X-No-Csrf: Yes Data: S Set-Cookie: C P ST P ST = AES(C S) POST post.php Cookie: C Data: form data + P ST Decrypt P ST to check for C and S 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

48 Potential Attack Vectors Guess the user s token. 12 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

49 Potential Attack Vectors Guess the user s token. Steal the user s token. 12 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

50 Potential Attack Vectors Guess the user s token. Steal the user s token. Cause victim to use attacker s token. 12 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

51 Limitations only protects POST requests. RFC 2616 mandates GET requests free of side effects Usability Issues: cannot type url or bookmark pages 13 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

52 Implementation Prototype implemented in Python as a server-side transparent proxy that includes a JavaScript file in every HTML page. Adds token to POST forms before submission. Uses jquery s live handlers to bind the token handler to all forms, including those dynamically created afterwards. Wraps existing event handlers to make transparent to them. 14 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

53 Protection Correctness is achieved by design, by relying on the Same-Origin Policy to prevent the attack scenarios presented. Tested it against two CVE vulnerabilities (RoundCube CVE , Acc PHP CVE ). 15 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

54 Compatibility Tested with popular Open-Source web applications. Future Work: develop a client-side proxy to test it with known web applications. Application Version LOC Type Compatible phpmyadmin K MySQL Administration Tool Yes SquirrelMail K WebMail Yes punbb K Bulletin Board Yes WordPress K Content-Management System Yes Drupal K Content-Management System Yes MediaWiki K Content-Management System Yes phpbb K Bulletin Board Yes 16 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

55 Related Work NoForge Dynamic Requests Support Cross-Origin Support Com- Browser patible No source code required X-Protect CSRFMagic CSRFGuard Origin SOMA 17 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

56 and Q&A Automatically protect dynamic web applications against POST-based CSRF attacks. Low overhead (if implemented as an apache module), compatible with most web applications. 18 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

57 and Q&A Automatically protect dynamic web applications against POST-based CSRF attacks. Low overhead (if implemented as an apache module), compatible with most web applications. Questions? 18 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications

Robust Defenses for Cross-Site Request Forgery

University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,