CSRF 101 - Aaron Bishop | CISSP | OSCP, Principal Penetration Tester (PowerPoint presentation, slide text)
  1. CSRF 101
     Aaron Bishop | CISSP | OSCP
     Principal Penetration Tester - SecurityMetrics

  2. Cross-Site Request Forgery

     Definition (OWASP): Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

     Aaron: "Con" or "Trick" a user into performing an action (Username/Password Change, Make Purchase, etc.), without the user realizing it.

     Example:
       Bob logs in at csrf.vulnerable.page
         Set-Cookie: session=1a2b3c;
       Bob then visits csrf.attacker.page, and his browser sends to csrf.vulnerable.page:
         POST /profile
         Cookie: session=1a2b3c;

         name=CSRF

  3. Notable Exploits
     - "GOAT worm" - Twitter (the viral tweets read "WTF: <malicious link>")
     OWASP Top 10 Appearances
     - 2007 - A5
     - 2010 - A5
     - 2013 - A8
     - 2017 - Merged or retired, but not forgotten

  4. CSRF-Protection Types

     Passive: Synchronizer Token
       - Unique per user session
       - Large random value
       - REJECT the action if the token fails validation
       * Cookie SameSite Attribute (SameSite=strict)

     Example:
       Bob logs in at csrf.vulnerable.page
         Set-Cookie: session=1a2b3c; SameSite=strict;
       Request from the site's own page carries the token:
         POST /profile/update
         Cookie: session=1a2b3c;

         name=CSRF&csrf_token=largeRandomValue
       Request forged from csrf.attacker.page has no token:
         POST /profile HTTP/1.1
         Cookie: session=1a2b3c;

         name=CSRF
       Response:
         HTTP/1.1 418 I'M A TEAPOT
         { "status": "CSRF Token Required" }

  5. CSRF-Protection Types (continued)

     Passive: Synchronizer Token (as on slide 4; SameSite=strict cookie attribute)

     Example: csrf.attacker.page supplies a guessed token
         POST /profile HTTP/1.1
         Cookie: session=1a2b3c;

         name=CSRF&csrf_token=fake
       Response:
         HTTP/1.1 418 I'M A TEAPOT
         { "status": "Invalid CSRF Token" }

     Active: User Interaction
       - Authenticate, CAPTCHA, etc.

  6. Single Page Application

     About: Angular, Node, Sails, Express, etc.
       - Dynamically Updated Pages (AJAX)
       - Clean modern feel
       - Responsive

     Example:
       Bob logs in at csrf.vulnerable.page
         Set-Cookie: session=1a2b3c;
       csrf.attacker.page tries to send:
         POST /v2/api/user HTTP/1.1
         Content-Type: application/json

         {"name":"Bob @ Lunch"}
       The browser sends a preflight first instead:
         OPTIONS /v2/api/user HTTP/1.1

  7. CORS (Cross Origin Resource Sharing)

     SIMPLE Request
       Simple Method: GET | POST | HEAD
       Simple Headers: Accept, Accept-Language, Content-Language
       Content-Type: valid enctype for <form> element (FORMS)
         - application/x-www-form-urlencoded
         - multipart/form-data
         - text/plain

     NON SIMPLE
       - PUT, DELETE, PATCH
       - application/json is not "simple"

     Non "simple-requests" require CORS preflight:
       - Send OPTIONS with: Access-Control-Request-*
       - Server responds with: Access-Control-Allow-*
       - Everything matches: Send request

     (Slide background: a long list of common MIME types, from audio/aac to application/x-7z-compressed; only the three form enctypes above are "simple".)

  8. C.O.R.S is not a security specification

  9. Single Page (Misconfiguration)

     About: Preflight check is only triggered when a request IS NOT simple. text/plain IS simple.

     Example:
       Bob logs in at csrf.vulnerable.page
         Set-Cookie: session=1a2b3c;
       What the SPA itself sends:
         POST /v2/api/user HTTP/1.1
         Content-Type: application/json

         {"name":"bob"}
       What csrf.attacker.page sends (no preflight, because text/plain is simple):
         POST /v2/api/user HTTP/1.1
         Content-Type: text/plain

         {"name":"bob"}
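As an added example covering slides 7 and 9 (not code from the slides or from any project), the block below does two things: it classifies a request as "simple" or not using exactly the rule the CORS slide gives (method GET/POST/HEAD, only the listed headers, Content-Type limited to the three form enctypes), and it shows the server-side check a JSON API needs so that a text/plain body cannot be parsed as JSON, which is the misconfiguration on slide 9. The function names `isSimpleRequest` and `handleUserUpdate` are assumptions.

```javascript
// Added example (not from the slides). Plain Node, no dependencies.
// Part 1: the "simple request" rule as stated on the CORS slide.
const SIMPLE_METHODS = new Set(['GET', 'POST', 'HEAD']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// The only Content-Types that are simple: the valid <form> enctype values.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Returns true when the browser would send the request WITHOUT an OPTIONS preflight.
// `headers` is an object of request header name -> value (case-insensitive names).
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return false; // e.g. X-Requested-With forces a preflight
    if (lower === 'content-type') {
      const mediaType = String(value).split(';')[0].trim().toLowerCase(); // drop ;charset=...
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false; // application/json is not simple
    }
  }
  return true;
}

// Part 2: server side of POST /v2/api/user. Refuse to parse a JSON body unless the
// declared Content-Type is application/json. A handler that calls JSON.parse on any
// body regardless of Content-Type is the misconfiguration shown on slide 9.
function handleUserUpdate(headers, rawBody) {
  const raw = headers['Content-Type'] || headers['content-type'] || '';
  const mediaType = raw.split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') {
    return { status: 415, body: { status: 'Unsupported Media Type' } };
  }
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, body: { status: 'Malformed JSON' } };
  }
  return { status: 200, body: { status: 'OK', name: data.name } };
}

// Stand-alone walk-through of the two requests on slide 9.
console.log(isSimpleRequest('POST', { 'Content-Type': 'application/json' })); // false -> preflight
console.log(isSimpleRequest('POST', { 'Content-Type': 'text/plain' }));       // true  -> no preflight
console.log(handleUserUpdate({ 'Content-Type': 'text/plain' }, '{"name":"bob"}'));       // 415
console.log(handleUserUpdate({ 'Content-Type': 'application/json' }, '{"name":"bob"}')); // 200
```

Enforcing the Content-Type closes the text/plain variant only; the preflight-bypass slide that follows shows why the absence of a preflight must never be treated as a CSRF defence, so the synchronizer token check still has to run on this endpoint as well.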

  10. Preflight Bypass

      Login: safe.com/v2/
        Set-Cookie: session=1a2b3c;

      Request that reaches the target (csrf.vulnerable.page):
        POST /v2/api/user
        Host: csrf.vulnerable.page
        Content-Type: application/json
        Cookie: session=1a2b3c;

        {"name": "CSRF-JSON"}

      csrf.attacker.page loads a Flash object:
        test.swf?endpoint=https://csrf.vulnerable.page/v2/api/user
          &reqmethod=POST
          &ct=application/json
          &jsonData={%22name%22:%22CSRF-JSON%22}
          &php_url=https://csrf.attacker.page/redir.php

      which sends:
        POST /final/redir.php?endpoint=https://csrf.vulnerable.page/v2/api/user
        Host: csrf.attacker.page
        Content-Type: application/json

        {"name":"CSRF-JSON"}

      and the redirector answers:
        HTTP/1.1 307 Temporary Redirect
        Location: https://csrf.vulnerable.page/v2/api/user

  11. Why was Flash used?
        - Implemented Crossdomain policy pre CORS
        - CORS preflight is bypassed
        - Flash can craft HTTP requests

      Why use a 307 instead of 302 Redirect?
        The only difference between 307 and 302 is that 307 guarantees that the method and the body will not be changed when the redirected request is made.

  12. Active and Passive protections work

  13. Final Thoughts
        - Every state changing request protected
            Active, e.g. Require Password
            Passive, e.g. Unguessable Token
        - CSRF protection included in framework
            Ensure it is enabled / Tokens Validated

  14. References
        Goat Attack: https://nakedsecurity.sophos.com/2010/09/26/wtf-twitter-goat-viral-message-spreads/
        CORS Summary: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Functional_overview
        CORS Specification: https://www.w3.org/TR/cors/
        Simple Content-Types: https://www.w3schools.com/tags/att_form_enctype.asp
        SWF CSRF: https://github.com/sp1d3r/swf_json_csrf
        Redirect Summary: https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
        CSRF Prevention: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
        CSRF General: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
        Feature Checker: https://caniuse.com/#feat=same-site-cookie-attribute
