Eric Sheridan
Aspect Security, Inc.
eric.sheridan@aspectsecurity.com
OWASP
11-14-2007
The OWASP Foundation
http://www.owasp.org
Overview
OWASP 2
The Browser Same Origin Policy
[Diagram: bank.com vs. blog.net; TAG and XHR requests and JS access to document and cookies, governed by the same origin policy]
Cross-Site Request Forgery
[Diagram: bank.com transfer workflow, each step a predictable request]
Go to Transfer Assets
Select FROM Fund      https://bank.com/fn?param=1
Select TO Fund        https://bank.com/fn?param=1
Select Dollar Amount  https://bank.com/fn?param=1
Submit Transaction    https://bank.com/fn?param=1
Confirm Transaction   https://bank.com/fn?param=1
How Does CSRF Work?
Tags
  <img src=https://bank.com/fn?param=1>
  <iframe src=https://bank.com/fn?param=1>
  <script src=https://bank.com/fn?param=1>
Autoposting Forms
  <body onload="document.forms[0].submit()">
  <form method="POST" action=https://bank.com/fn>
    <input type="hidden" name="sp" value="8109"/>
  </form>
XmlHttpRequest
  Subject to same origin policy
Credentials Included
[Diagram: a request from blog.net to https://bank.com/fn?param=1 is sent with the bank.com cookie JSESSIONID=AC934234]
New Tool: OWASP CSRFTester
DEMO: OWASP CSRFTester
What Can Attackers Do with CSRF?
Using CSRF to Attack Internal Pages
[Diagram: attacker.com serves a CSRF TAG to an internal browser; the resulting request to internal.mybank.com (Internal Site) is Allowed!]
Misconceptions: Defenses That Don't Work
Only accept POST
  Stops simple link-based attacks (IMG, frames, etc.)
  But hidden POST requests can be created with frames, scripts, etc.
Referer checking
  Some users prohibit referers, so you can't just require referer headers
  Techniques to selectively create HTTP requests without referers exist
URL Rewriting
  General session id exposure in logs, cache, etc.
New Tool: OWASP CSRFGuard 2.0
Actions:
Log
Invalidate
Redirect
http://www.owasp.org/index.php/CSRFGuard
DEMO: OWASP CSRFGuard 2.0
Similar Implementations
PHP CSRFGuard
  PHP Implementation of CSRFGuard
  http://www.owasp.org/index.php/PHP_CSRF_Guard
JSCK
  PHP & JavaScript implementation
  http://www.thespanner.co.uk/2007/10/19/jsck/
DEMO: Cross-Site Scripting vs. CSRFGuard
Enterprise CSRF Mitigation Strategy
http://www.owasp.org/index.php/Cross-Site_Request_Forgery
http://www.cgisecurity.com/articles/csrf-faq.shtml
http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2
Extra: How Widespread Are CSRF Holes?
Very likely in most web applications
  Including both intranet and external apps
  Including Web 1.0 and Web 2.0 applications
Any function without specific CSRF defenses is vulnerable
Extra: Real World CSRF Examples
<iframe style="display:none" src="http://www.google.com/setprefs?hl=xx-klingon&submit2=Save%20Preferences%20&prev=http://www.google.com/&q=&submit= Save%20Preferences%20"></iframe>
<img src=http://www.netflix.com/AddToQueue?movieid=70011204 width="1" height="1" border="0">
Extra: CSRF Defenses
CAPTCHA
Attacker must know CAPTCHA answer
Assuming a secure implementation
Re-Authentication
Password Based
Attacker must know victim's password
If password is known, then game over already!
One-Time Token
Attacker must know current token
Very strong defense!
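An added example, not code from the slides or from CSRFGuard, of the one-time token defense above combined with the log / invalidate / redirect reactions listed on the CSRFGuard 2.0 slide. It assumes a server-side session represented as a dict; the session key, request parameter name and redirect location are hypothetical.

```python
import hmac
import secrets

# Added example of the one-time (synchronizer) token defense. Sessions are
# plain dicts standing in for a server-side session store; the key and
# parameter names below are hypothetical, not CSRFGuard's.
SESSION_KEY = "csrf_token"
REQUEST_PARAM = "csrf_token"


def issue_token(session):
    """Mint an unguessable token and store it in the user's session.

    The caller embeds it in the form as a hidden field. A page on blog.net
    can trigger a request to bank.com but, under the same origin policy,
    cannot read this value out of bank.com's page."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def check_request(session, params):
    """Validate a request to a protected function (e.g. https://bank.com/fn).

    Returns "allow" or the reason for rejection. A forged <img> or
    auto-posting form carries the cookie but not the token, and because the
    token is consumed on use, a replayed request is rejected as well."""
    expected = session.get(SESSION_KEY)
    submitted = params.get(REQUEST_PARAM)
    if expected is None or submitted is None:
        return "missing token"
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "invalid token"
    del session[SESSION_KEY]  # one-time: issue a fresh token for the next form
    return "allow"


def on_violation(session, reason, audit_log):
    """React as the CSRFGuard 2.0 slide lists: log, invalidate, redirect."""
    audit_log.append(f"CSRF violation: {reason}")
    session.clear()           # invalidate the session
    return "/csrf-error"      # location to redirect the user to
```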