Preparing for the Cross Site Request Forgery Defense

Similar documents
WHY CSRF WORKS. Implicit authentication by Web browsers

Common Websites Security Issues. Ziv Perry

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSCD 303 Essential Computer Security Fall 2017

CSCD 303 Essential Computer Security Fall 2018

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Application vulnerabilities and defences

Web basics: HTTP cookies

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Client Side Injection on Web Applications

CIS 4360 Secure Computer Systems XSS

CSC 482/582: Computer Security. Cross-Site Security

CS 161 Computer Security

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Hacking Intranet Websites from the Outside

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Introduction to Ethical Hacking

Web Application Security. Philippe Bogaerts

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Multi-Post XSRF Web App Exploitation, total pwnage

Content Security Policy

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

CSC 405 Computer Security. Web Security

CSCE 813 Internet Security Case Study II: XSS

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

GOING WHERE NO WAFS HAVE GONE BEFORE

Preventing Image based Cross Site Request Forgery Attacks

Sichere Software vom Java-Entwickler

Robust Defenses for Cross-Site Request Forgery Review

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Web Security: Web Application Security [continued]

Solutions Business Manager Web Application Security Assessment

RKN 2015 Application Layer Short Summary

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Security. Aggelos Kiayias Justin Neumann

Welcome to the OWASP TOP 10

COMP9321 Web Application Engineering

Web Application Threats and Remediation. Terry Labach, IST Security Team

WEB SECURITY: XSS & CSRF

Penetration Testing. James Walden Northern Kentucky University

Cross Site Request Forgery

Web Security, Summer Term 2012

Web Security, Summer Term 2012

More attacks on clients: Click-jacking/UI redressing, CSRF

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Penetration Test Report

WebGoat& WebScarab. What is computer security for $1000 Alex?

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web Security II. Slides from M. Hicks, University of Maryland

Cross-Site Request Forgery in Cisco SG220 series

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

F5 Big-IP Application Security Manager v11

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Certified Secure Web Application Engineer

Web Security: Vulnerabilities & Attacks

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Progress Exchange June, Phoenix, AZ, USA 1

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Web Application Vulnerabilities: OWASP Top 10 Revisited

INNOV-09 How to Keep Hackers Out of your Web Application

Cross-Site Request Forgery

Automatically Checking for Session Management Vulnerabilities in Web Applications

COMP9321 Web Application Engineering

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Robust Defenses for Cross-Site Request Forgery

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Web Security IV: Cross-Site Attacks

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Black Hat Europe 2006

EasyCrypt passes an independent security audit

Information Security CS 526 Topic 11

Fortify Software Security Content 2017 Update 4 December 15, 2017

OWASP Top 10 The Ten Most Critical Web Application Security Risks

How to perform the DDoS Testing of Web Applications

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Project 2: Web Security

Assignment 6: Web Security

Client-Side Security Using CORS

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

OWASP TOP 10. By: Ilia

Sichere Webanwendungen mit Java

Acknowledgments... xix

CSWAE Certified Secure Web Application Engineer

Information Security CS 526 Topic 8

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Web Application Security GVSAGE Theater

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Transcription:

Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract: Computer Forensic cases often involve an analysis of a user s web browser s cache and history in order to reconstruct actions that a user took online. Corporations also routinely monitor Internet activity of users and illicit or inappropriate use can result in disciplinary actions. These and other types of online investigations also involve looking at third-party web sites and applications for actions that can be attributed to a user of interest. This paper and the associated presentation will describe how all of these types of investigations can be mislead by an incredibly common web vulnerability known as Cross Site Request Forgery. This type of forgery can be used to force a user to submit data to online web applications and also can manipulate a user s local cache and history. Using this vulnerability a user can be forced to make Internet searches, fetch arbitrary image files or web pages, post messages to online forums, or even manipulate the user s account in common web sites. Also covered will be methods to detect or rule out the use of this vulnerability during an investigation. MANDIANT: Intelligent Information Security www.mandiant.com Page 1

What Is a Cross Site Request Forgery? A Cross Site Request Forgery (CSRF) is a type of web application vulnerability where a user can be forced to submit information to a web site of the attacker s choosing. CSRFs exploit the HTTP protocol's feature that a web page can include HTML elements that will cause the browser to make requests to other web sites. Like all HTTP transactions, the requests to the other sites will include the user s session information such as cookies or HTTP integrated authentication if they have an established session. Regardless of if the user has a session with the other sites, elements of those sites will be loaded in the victim's browser and can appear in the browser s cache and history. A CSRF can occur on an HTTP request using either the GET or the POST method. Example Cross Site Request Forgery 1. Login 2. Set-Cookie User's Web Browser 5. Forced Request (with Cookies) to http://target/app?param=v1&p2=v2 4. Response with Request to Target <iframe style="width:0px; height:0px; border: 0px" src="http://target/app? param=v1&p2=v2"> Target Web App (such as a Web Forum) 3. Request Attacker's Web Site (CSRF Host) Cross Site Request Forgery Hosts An attacker does not need to lure the victim to his or her own web server to create a CSRF. Many other sites can be used to host a CSRF including online forums (which often allow a user to link to an image as an avatar or as an attachment), HTML Email, photo galleries, wikis, blogs, online auctions, and E-Commerce sites. In short, any site that allows for posting links or anything like HTML can be used as a CSRF Host. Also, a CSRF could be hosted on the target web application itself, which will usually ensure that the victim has an established session with the target application. MANDIANT: Intelligent Information Security www.mandiant.com Page 2

Cross Site Request Forgeries on an Intranet One of the troubling aspects of CSRF is that the attacker does not even need to be able to access the application that is targeted by the forced request. All traffic to the application comes from the victim user, so as long as the victim can access the application, the CSRF can be performed. In addition, Intranet applications are often particularly vulnerable to CSRF since they often use Windows Integrated authentication so no login required and they often have poor access controls and logging. Cross Site Request Forgeries During Investigations During investigations and forensics, CSRFs are of interest for two reasons. First, CSRFs can cause server side state changes (which is the normal motivation for preventing CSRF in web application security). This means that actions that appear to originate from a user being investigated may have in fact been forced by another individual using a CSRF. For example, a CSRF can force a user to make search engine queries, make queries to other online sites such as photo sharing or e-commerce sites, make postings to an online forum, or make many other data submissions to sites. Also, CSRFs are of interest during investigations because of the effects that they can have on the client web browser and the client s web traffic. A CSRF can cause sites to be visited without the user s knowledge, can cause items to be written into the user's web cache, and can cause URLs to be added to the browser history (requests forced by a CSRF may or may not appear in the browser history depends on circumstances and browser). How Common Are Cross Site Request Forgery Vulnerabilities? "In fact, if you have not taken specific steps to mitigate the risk of CSRF attacks, your applications are most likely vulnerable." Chris Shiflett in 2004: http://shiflett.org/articles/cross-site-request-forgeries "No statistics, but the general consensus is just about every piece of sensitive website functionality is vulnerable [to Cross Site Request Forgery]." Jeremiah Grossman and T.C. Niedzialkowski in 2006: http://www.whitehatsec.com/home/resources/presentations/files/javascrip t_malware.pdf "Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website." Jeremiah Grossman in 2006: http://jeremiahgrossman.blogspot.com/2006/09/csrf-sleeping-giant.html "Cross site request forgery is not a new attack, but is simple and devastating." "This vulnerability is extremely widespread." "All web application frameworks are vulnerable to CSRF." OWASP Top Ten 2007 at http://www.owasp.org/index.php/top_10_2007-a5 MANDIANT: Intelligent Information Security www.mandiant.com Page 3

Detecting or Ruling Out CSRF in an Investigation In order to detect or rule out Cross Site Request Forgeries during an investigation, there are several items that can be examined. These are detailed in this section. Look for pages that forced the requests in the web browser s cache: Page(s) that caused a CSRF will not always be in the cache (they could have been marked "no-cache" in the HTTP headers or in <meta equiv> tags). In some cases, the attacker may be using a CSRF host such as a web forum, wiki, or e-commerce application that does not allow the attacker to control caching of the page(s). In these cases, it is more likely that the page that forced the requests will be in the cache. Be aware of encodings of the target URL and the enclosing tag: URI and enclosing tags may be encoded in a variety of manners similar to a Cross Site Scripting attack see RSnake s Cross Site Scripting (XSS) Cheat Sheet at http://ha.ckers.org/xss.html for many examples of how the tags could be obfuscated. Hostname in URL may be replaced by an IP address in one of several formats (see IP Obfuscation Calculator in the XSS Cheat Sheet for examples of these formats). Look at the web browser's history: URLs that have been forced by a CSRF (such as in an IFRAME or an IMG tag) will normally not appear in the browser history (though they may in some cases, depending on the circumstances and browser). Pages found on disk but not in the history could be an indication of CSRF, but are more likely the result either: Browser history and cache aging differently User clearing the history Construct a timeline: The most fruitful way to detect or rule out a Cross Site Request Forgery is to construct a timeline of the user s activity. Merge data from the web browser cache, web browser history, and any other logs that you may have (Proxy, IDS, Firewall, Web Server, etc). Examine items immediately before the activity in question to determine if a CSRF may be involved. Look at the list of URLs that were typed into the address bar of the browser: This information cannot be forced. Not all browsers record a list of URLs that were typed into the browser. Users will type in the URL for only a small percentage of sites that they visit. Look at items in browser Favorites / Bookmarks: This information cannot be forced. Users will bookmark only a small percentage of sites that they visit. MANDIANT: Intelligent Information Security www.mandiant.com Page 4

Look for evidence outside of the web browser cache: For example, if you are interested in image files, look for image files outside of the cache (indicating that the user intentionally saved them). This will only find things that the user obtained from non-web sources or that the user saved from a web site. Determine if the web page is vulnerable to CSRF: This is useful if you are investigating a "traditional" CSRF issue where a state change on the server may have been forced. There is no way that a web application can prevent CSRFs that only aim to affect the local browser cache and history. If the relevant web page of application is not vulnerable to CSRF, then the information in question could not have been forced by a CSRF. Section below details how to determine if a page on a web application is vulnerable to CSRF. Checking a Site for CSRF The key characteristics of a CSRF vulnerability are that the application accepts a request that makes something occur on the server and that the attacker can determine all the parameters of that request for another user (typically in a CSRF the parameters are fixed for all users). In order to determine if a site is vulnerable to CSRF, look for prevention mechanisms in form submissions. Form submissions that cause a state change on the server should contain an unguessable parameter contained in a hidden field or in the "action" (location where the form submits). This parameter must be something that the attacker cannot determine so he or she cannot construct a link or script to execute a CSRF. See the Additional References section below for more information on detecting and preventing Cross Site Request Forgeries. Additional References For more information about Cross Site Request Forgeries, see: Wikipedia s entry on Cross Site Request Forgery available at http://en.wikipedia.org/wiki/cross-site_request_forgery The Cross-Site Request Forgery (CSRF/XSRF) FAQ by Robert Auger available at http://www.cgisecurity.com/articles/csrf-faq.shtml OWASP s page on Cross Site Request Forgery (with links to information on testing for CSRF and on CSRF prevention mechanisms) available at http://www.owasp.org/index.php/cross-site_request_forgery Cross Site Request Forgeries in the OWASP Top Ten 2007 available at http://www.owasp.org/index.php/top_10_2007-a5 MANDIANT: Intelligent Information Security www.mandiant.com Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback