csrf recall session using cookies
play

CSRF Recall: Session using Cookies Browser Server POST/login.cgi - PowerPoint PPT Presentation

Nov 20, 2022 •176 likes •363 views

CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h t u a e : i o k o c t - e S G E T C o o k i e : a u t h e n t i c a t o r e s n o p s e r How it

  1. CSRF

  2. Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h t u a e : i o k o c t - e S G E T … C o o k i e : a u t h e n t i c a t o r e s n o p s e r

  3. How it works 3 - form is submitted on bank.com 4 - bank.com helpfully transfers money into trout’s account 2 - evil.fish includes form on bank.com 1-user goes to evil.fish

  4. Cross Site Request Forgery • Example: • User logs in to bank.com • Session cookie remains in browser state • User visits another site containing: <form name=F action=http://bank.com/BillPay.php> <input name=recipient value=badguy> … <script> document.F.submit(); </script> • Browser sends user auth cookie with request • Transaction will be fulfilled • Problem: • Cookie auth is insufficient when side effects occur

  5. Ineffective CSRF Defense: POST • GET requests are easier to launch CSRF attacks, so some people naively switch to POSTs • This does not help

  6. Ineffective Defense: URL Rewriting • CSRF exploits work because cookies are used for authentication • So why not encode the authentication token in the URL instead? • Assuming token is random, this protects against CSRF attacks • But: dangerous to pass auth tokens in URLs (middleperson, logging issues)

  7. Imperfect Defense: Referer Validation

  8. Referer Validation Defense • HTTP Referer header • Referer: http://www.facebook.com/ • Referer: http://www.attacker.com/evil.html • Referer: • Lenient Referer validation • Doesn't work if Referer is missing • Strict Referer validaton • Secure, but Referer is sometimes absent…

  9. Referer Privacy Problems • HTTP Referer may leak privacy-sensitive information • REFERER: http://intranet.corp.apple.com/projects/iphone/ competitors.html • Common sources of blocking: • Network stripping by the organization • Network stripping by local machine • Stripped by browser for HTTPS -> HTTP transitions • User preference in browser • Buggy user agents • Site cannot afford to block these users

  10. Defenses • Form keys • CSRF tokens • Short cookie expiration date • Encourage users to log out

  11. CSRF Token • Requests include a hard-to-guess secret • Unguessability substitutes for unforgeability • Variations • Session identifier • Session-independent token • Session-dependent token • HMAC of session identifier

  12. Token Validation

  13. Token Validation

  14. Blocking an Attack

  15. Double-Submitted Cookies • Secret tokens are great, but they require the server to maintain state for every session • Solution: double-submitted cookie! • Instead of writing separate nonce, re-use the session ID • When server replies to user, writes session ID to cookie as usual, plus writes into hidden form field • User posts form with value from hidden field and cookie, server verifies these are same

  16. Double-Submitted Cookies • Why does this defense work? • Attacker cannot reliably guess session ID (unless there is also an XSS vuln) • Solution is completely stateless • Downside: passing session IDs in HTTP requests and responses is risky • Solution: put hash(session ID) in hidden form field instead

  17. Exercise • https://google-gruyere.appspot.com/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f;

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f;

Cookie Protocol Server sets cookies in response header: Set-Cookie: session=0x4137f; Expires=Wed, 09 Jun 2012 10:18:14 GMT Name Value Expiration Time Browser returns cookies in headers of later requests: Cookie: session=0x4137fd6a CS

701 views • 4 slides
Cookies Cookies HTTP is stateless To &quot;remember&quot; a user we use cookies In a

Cookies Cookies HTTP is stateless To &quot;remember&quot; a user we use cookies In a

Cookies Cookies HTTP is stateless To &quot;remember&quot; a user we use cookies In a response header, we can give the user information as a cookie All subsequent requests will contain these cookies in a header Since cookies work

475 views • 10 slides
Session 20 Data Sharing &amp; Cookies 1 Reading &amp; Reference Reading Shared scopes

Session 20 Data Sharing &amp; Cookies 1 Reading &amp; Reference Reading Shared scopes

Session 20 Data Sharing Session 20 Data Sharing &amp; Cookies 1 Reading &amp; Reference Reading Shared scopes Java EE 7 Tutorial Section 17.3 Reference http state management www.ietf.org/rfc/rfc2965.txt Cookies

656 views • 23 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
Lecture 4: Session Tracking Cookies allow us to maintain state, but are somewhat clumsy to

Lecture 4: Session Tracking Cookies allow us to maintain state, but are somewhat clumsy to

Lecture 4: Session Tracking Cookies allow us to maintain state, but are somewhat clumsy to program To keep detailed state information we probably need many cookies and we must store a lot of information within them Each cookie is only

466 views • 33 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

428 views • 23 slides
Web Security: Session management and CSRF CS 161: Computer Security Prof. Raluca Ada Popa April

Web Security: Session management and CSRF CS 161: Computer Security Prof. Raluca Ada Popa April

Web Security: Session management and CSRF CS 161: Computer Security Prof. Raluca Ada Popa April 5, 2018 Credit: this deck is a combination of my slides and slide adaptations from previous offerings of this course and from CS 241 of Prof. Dan

522 views • 41 slides
Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide

Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide

Stealing Web Browser Cookies ben-holland.com Whats a cookie? Web 2.0 Cookies provide state Examples: Items in shopping cart AuthenFcaFon! Cookies Passwords! Username + Password = Cookie If I know your authenFcaFon

712 views • 7 slides
Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection

559 views • 10 slides
Preventing Session Hijacking using Encrypted One-Time-Cookies Renascence Tarafder Prapty, Shuhana

Preventing Session Hijacking using Encrypted One-Time-Cookies Renascence Tarafder Prapty, Shuhana

Preventing Session Hijacking using Encrypted One-Time-Cookies Renascence Tarafder Prapty, Shuhana Azmin, Md. Shohrab Hossain Dept of CSE, Bangladesh University of Engineering and Technology &amp; Husnu S. Narman Presentation @ WTS 2020

405 views • 23 slides
COOKIES How can apps maintain user state? Cookies! small bits of data downloaded to your

COOKIES How can apps maintain user state? Cookies! small bits of data downloaded to your

CS 498RK FALL 2017 COOKIES How can apps maintain user state? Cookies! small bits of data downloaded to your computer so that a site can remember you and what you did on subsequent visits Browser Server first request http:/

475 views • 23 slides
PEXit PRIVACY and COOKIES POLICY This PRIVACY and COOKIES POLICY conveys how PEXit collects, uses,

PEXit PRIVACY and COOKIES POLICY This PRIVACY and COOKIES POLICY conveys how PEXit collects, uses,

PEXit PRIVACY and COOKIES POLICY This PRIVACY and COOKIES POLICY conveys how PEXit collects, uses, shares, stores and manages your information. We have built our business based on (a) our integrity, (b) our sincere effort to meet your

206 views • 3 slides
IT350 Web and Internet Programming Cookies: JavaScript and Perl (Some from Chapter 11.9 -4 th

IT350 Web and Internet Programming Cookies: JavaScript and Perl (Some from Chapter 11.9 -4 th

IT350 Web and Internet Programming Cookies: JavaScript and Perl (Some from Chapter 11.9 -4 th edition and online Perl Chapter of textbook) Cookies Example 1 JavaScript: Using Cookies Cookie Data stored on _____________ to maintain

263 views • 9 slides
Should Internet Cookies Be Further Regulated by the Government? Research Presentation by

Should Internet Cookies Be Further Regulated by the Government? Research Presentation by

Should Internet Cookies Be Further Regulated by the Government? Research Presentation by Kaitlin Burdick Overview Background Arguments For the Regulation of Cookies Arguments Against the Regulation of Cookies Conclusion

319 views • 13 slides
www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee

www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee

Unlocking secrets of proprietary software using www.frida.re @fridadotre Debugger Debuggee Debugger Debuggee bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper Debugger Debuggee bootstrapper-thread bootstrapper

769 views • 35 slides
Lock-Free Algorithms For Ultimate Performance Martin Thompson - @mjpt777 Modern Hardware

Lock-Free Algorithms For Ultimate Performance Martin Thompson - @mjpt777 Modern Hardware

Lock-Free Algorithms For Ultimate Performance Martin Thompson - @mjpt777 Modern Hardware Overview Modern Hardware (Intel Sandy Bridge) ... ... Registers/Buffers C 1 C n C 1 C n &lt;1ns ... ... L1 L1 L1 L1 ~3-4 cycles ~1ns ...

639 views • 45 slides
Recent Advances in Generalized Matching Theory John William Hatfield Stanford Graduate School of

Recent Advances in Generalized Matching Theory John William Hatfield Stanford Graduate School of

Recent Advances in Generalized Matching Theory John William Hatfield Stanford Graduate School of Business Scott Duke Kominers Becker Friedman Institute, University of Chicago Matching Problems: Economics meets Mathematics Conference

1.37k views • 109 slides
Run-DMA Michael Rushanan, Stephen Checkoway Johns Hopkins University, University of Illinois at

Run-DMA Michael Rushanan, Stephen Checkoway Johns Hopkins University, University of Illinois at

Run-DMA Michael Rushanan, Stephen Checkoway Johns Hopkins University, University of Illinois at Chicago 1 Introduction Arbitrary computation using Direct Memory Access engine Access all resources of the device Implement the following

677 views • 34 slides
How governments have tried to block Tor Roger Dingledine Jacob Appelbaum The Tor Project

How governments have tried to block Tor Roger Dingledine Jacob Appelbaum The Tor Project

How governments have tried to block Tor Roger Dingledine Jacob Appelbaum The Tor Project https://torproject.org/ 1 Estimated ~400,000? daily Tor users 2 Threat model: what can the attacker do? Alice Anonymity network Bob watch Alice!

831 views • 50 slides
06. Protect ction from Browser fi fingerprinting Nataliia

06. Protect ction from Browser fi fingerprinting Nataliia

06. Protect ction from Browser fi fingerprinting Nataliia Bielova @nataliabielova September 17 th =21 st , 2018 Web Privacy course University of Trento Nataliia Bielova

857 views • 20 slides
HIVeducation@aol.com I have no real or perceived conflicts of interest with any

HIVeducation@aol.com I have no real or perceived conflicts of interest with any

www.straighttalkwithcathy.com HIVeducation@aol.com I have no real or perceived conflicts of interest with any pharmaceuticals, or other companies. I am not being paid or compensated by any other organization for the following

1.09k views • 61 slides
CPL 2016, week 14 Clojure agents Oleg Batrashev Institute of Computer Science, Tartu, Estonia

CPL 2016, week 14 Clojure agents Oleg Batrashev Institute of Computer Science, Tartu, Estonia

CPL 2016, week 14 Clojure agents Oleg Batrashev Institute of Computer Science, Tartu, Estonia May 9, 2016 Overview Last weeks Clojure language core Immutable data structures Clojure simple state and design Software

226 views • 12 slides

More recommend