bypassing csrf protections
play

Bypassing CSRF Protections A Double Defeat of the Double-Submit - PowerPoint PPT Presentation

Dec 18, 2023 •564 likes •821 views

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

  1. Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern

  2. About Me • David Johansson (@securitybits) – Security consultant since 2007 – Helping clients design and build secure software – Security training – Based in London since 3 years, working for Cigital (now part of Synopsys)

  3. CSRF Protection DOUBLE-SUBMIT COOKIE PATTERN

  4. Cross-site Request Forgery • Attacker sends payload via victim’s browser • Browser automatically includes user’s identity

  5. Double-submit Cookie Pattern • Simple CSRF protection – no server-side state

  6. False Assumptions? Cookies are different! Not really true…

  7. Cookie Fixation • What if attacker can set the CSRF cookie..? • Cookie fixation can be done through: – Exploiting subdomains – Man-in-the-middle HTTP connections

  8. Double-submit Defeat #1: EXPLOITING SUBDOMAINS

  9. Malicious Subdomain • Attacker controls https://evil.example.com/ • Subdomain sets cookie for parent domain • Includes specific path

  10. Malicious Subdomain • Attacker now controls cookies sent to https://www.example.com/submit • Attacker’s CSRF cookie sent first due to longer path

  11. Vulnerable Subdomain • Controlling all subdomains doesn’t mean you’re safe • XSS in any subdomain can be exploited: <script>document.cookie = “_ csrf=a; Path=/submit; domain=example.com”;</script> • So you’re using CSP? – Cookies can still be set through meta-tags ☺ <meta http-equiv="set-cookie" content="_csrf=a; Path=/submit; domain=example.com">

  12. Double-submit Defeat #2: MAN-IN-THE-MIDDLE ATTACKS

  13. Man-in-the-Middle Attacks • HTTP origins can set cookies for HTTPS origins • Even ‘secure’ cookies can be overwritten from HTTP responses* • Attacker who MiTM any HTTP connection from victim can: – Overwrite CSRF cookie – Pre-empt CSRF cookie *The new ‘Strict Secure Cookie’ specification will prevent this (https://www.chromestatus.com/feature/4506322921848832)

  14. Overwrite CSRF Cookie

  15. Pre-empt CSRF Cookie

  16. Bypassing CSRF Protection • After fixating CSRF cookie, attacker can create successful CSRF payload

  17. Mitigations • Additional defenses to strengthen double- submit cookie pattern: – HTTP Strict Transport Security (HSTS) – Cookie Prefixes (“__Host - ” is the one you want) – Sign cookie – Bind cookie to user – Use custom HTTP header to send request token

  18. This is not the token you’re looking for… ANGULAR & CSURF

  19. AngularJS CSRF Protection • AngularJS $http service has built-in support to help prevent CSRF* • Reads token from cookie (XSRF-TOKEN) and sets custom HTTP header (X-XSRF-TOKEN) • Server needs to implement token validation • Can be used as double-submit cookie pattern if server compares cookie value with HTTP header *https://blogs.synopsys.com/software-integrity/2017/02/24/angularjs-security-http-service/

  20. AngularJS & csurf

  21. Default Value Function Body and query parameters checked first!

  22. Exploit Default Value Function = CSRF Defense Bypassed

  23. Specify Custom Value Function

  24. Summary • Double-submit Cookie Pattern based on partially incorrect assumptions • Integrity protection of cookies is very weak • Attackers can often force cookies upon other users • Be careful which token you validate against • Additional mitigations often required to strengthen the defense

  25. Thank You! Questions? @securitybits

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates

Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates

Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates Markus Brill COMSOC 2010 Dsseldorf Joint work with Felix Brandt, Edith Hemaspaandra, and Lane Hemaspaandra Voting Rules C = {a,b,c,...} is a

660 views • 11 slides
ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING PRESENTED BY AHMAD MOGHIMI What is ROP A&amp;ack? q Return Oriented Programming a0ack is a technic to

656 views • 46 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

www.elvac.eu Marian Kuruc RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control, protection, data acquisition and communication Content Redesigned block of protections Global setting of measurement ranges

409 views • 10 slides
Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law Lise Johnson ljj2107@columbia.edu T-TIP Stakeholder Briefing May 21, 2014 US Law: When will a court find that the government has given an

236 views • 4 slides
Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection

559 views • 10 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL Injections This month: XSS / CSRF Next month: DDoS / DoS Meetup Group for times/dates https://www.meetup.com/CLICK_HERE-exe/ Plan of Attack

1.76k views • 58 slides
More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1 2 Clickjacking &amp; UI redressing sws2 Click jacking &amp; UI

409 views • 29 slides
Agenda Who Are We? Intro To Secure Desktop What is it? What does it work?

Agenda Who Are We? Intro To Secure Desktop What is it? What does it work?

Bypassing Secure Desktops Protections Bruno Oliveira &amp; Mrcio Almeida Agenda Who Are We? Intro To Secure Desktop What is it? What does it work? Windows API Our PoC Mitigation Conclusions Who are we?

601 views • 23 slides
XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team Browser PDF / file formats B Shark movies Topics of today XSS Cross Site Scripting XSRF/CSRF Cross Site Request Forgery

893 views • 56 slides
Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application Security Information Systems A different and trickier threat - CSRF Often referred to as sleeping giant of vulnerabilities because

440 views • 16 slides
1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

INTRODUCTORY GUIDE 1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS SERVICE B A C K G R O U N D The Financial Protections Service was instigated following a recommendation of the Inquiry into the

184 views • 17 slides
Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Advanced Web Technology 10) XSS, CSRF and SQL Injection 1 Table of Contents Cross Site Request

659 views • 39 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Our Favorite XSS Filters/IDS and how to Attack Them Most recent version of slides can be

Our Favorite XSS Filters/IDS and how to Attack Them Most recent version of slides can be

Our Favorite XSS Filters/IDS and how to Attack Them Most recent version of slides can be obtained from blackhats website or http://p42.us/favxss/ About Us About Us Eduardo Vela (sirdarckcat) http://sirdarckcat.net/

1.2k views • 108 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&amp;D division of Nexusguard building next

764 views • 44 slides
Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar

Debugging the Data Plane with Anteater Haohui Mai, Ahmed Khurshid Rachit Agarwal, Matthew Caesar P. Brighten Godfrey, Samuel T. King University of Illinois at Urbana-Champaign Network debugging is challenging Production networks are

929 views • 50 slides
antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at

antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at

Easy ways to bypass antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at GovCERT-Hungary (SSNS) Email: attila.marosi@gmail.com Web: http://marosi.hu Twitter: @0xmaro Why? All of us use

285 views • 16 slides
PRAGUE-6 Trial Off-Pump Versus On-Pump Coronary Artery Bypass Graft Surgery in Patients With

PRAGUE-6 Trial Off-Pump Versus On-Pump Coronary Artery Bypass Graft Surgery in Patients With

PRAGUE-6 Trial Off-Pump Versus On-Pump Coronary Artery Bypass Graft Surgery in Patients With EuroSCORE 6 Jan Hlavicka, Zbynek Straka, Stepan Jelinek, Petr Budera, Tomas Vanek, Petr Widimsky Cardiocenter Royal Vineyards, Third

310 views • 17 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge Brad Reaves * , Ethan

Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge Brad Reaves * , Ethan

Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge Brad Reaves * , Ethan Shernan ** , Adam Bates * , Henry Carter ** , Patrick T raynor * *Florida Institute for Cyber Security University of Florida **Georgia Institute of T

421 views • 23 slides

More recommend