deemon detecting csrf with dynamic
play

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs G. - PowerPoint PPT Presentation

Sep 05, 2022 •808 likes •980 views

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs G. Pellegrino , M. Johns, S. Koch, M. Backes, C. Rossow gpellegrino@cispa.saarland ACM CCS 2017 Nov 2 nd , Dallas, USA U WONT BELIEVE WHAT DIS CAT IS DOIN !!!1! <img

  1. Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs G. Pellegrino , M. Johns, S. Koch, M. Backes, C. Rossow gpellegrino@cispa.saarland ACM CCS 2017 Nov 2 nd , Dallas, USA

  2. U WON’T BELIEVE WHAT DIS CAT IS DOIN’ !!!1! <img src="http://store.com/change_pwd.php?password=pwnd" width="0px" height="0px"/> TWEET SHARE PIN SEND EMAIL 2 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  3. Cross-Site Request Forgery Attack Look at this cat video! If credentials are valid, POST /login.php […] user= Alice&pwd=secret create and send a 200 OK session cookies Set-cookie: session=YBLqp32F GET /video.html + If cookie is valid, then GET /change_pwd.php?password=pwnd update password Cookie: session=YBLqp32F 3 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  4. The Forgotten Sleeping Giant • Popular vulnerability • Among top 10 security risks w/ XSS and SQLi [Top10_OWASP_2007-2013] • Discovered in popular websites, e.g., Gmail, Netflix, and ING • Most of previous efforts spent on countermeasures: • Origin header, synchronizer tokens, and browser plugins • A little has been done to provide techniques for the detection • Existing (semi-)automated techniques focus on input validation and logic flaws → Detection of CSRF via manual inspection 4 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  5. Challenges • Detection requires reasoning over relationships between application states, the roles and status of request parameters • Challenges: 1) CSRF targets state transitions 2) Attacker reliably create requests incl. parameters and values 3) Not all state transitions are relevant 5 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  6. 1) CSRF Targets State Transitions GET /user_data.php Show user data Cookie: session=YBLqp32F GET /change_pwd.php?password=new_secret Cookie: session=YBLqp32F Fire a state Update password transition UPDATE users SET pwd=new_secret […] • Determine when a state transition occurs • Not all operations change the state of a webapp SELECT * • E.g., View user data vs reset user password FROM users […] • Learning state transitions is possible • However, existing approach can be inaccurate or operation-specific 6 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  7. 2) Attacker Reliably Creates Requests incl. Params GET /place_order.php?token=XZR4t6q Cookie: session=YBLqp32F • Determine relationships between parameters and transitions • E.g., random security token may not be guessed by an attacker • Existing techniques do not determine such a relationship • E.g., Web scanners match param names against list of predefined names (e.g., “token”) 7 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  8. 3) Not all State Transitions are Relevant 1) PageCounter++ GET /product.php?id=201 2) Return product Cookie: session=YBLqp32F Fire a state description transition 200 OK UPDATE pages SET cnt = cnt + 1 WHERE id=201 • Determine the relevance of a state transition • State transitions can be the result of operations such as tracing user activities • They are state-changing operations but not necessarily security-relevant • Easy for humans but hard for machines 8 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  9. Our Solution: Deemon • Application-agnostic framework for developers and analysts 1. Infer state transitions + data flow from program executions 2. Property graphs for uniform and reusable model representation 3. Graph traversals to select request candidates for testing 4. Verify replay-ability of HTTP requests 9 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  10. Deemon: Trace Generation Dynamic Trace Generation A F < , , , , > GET < GET , 200 , GET , 302 > 200 OK A F < , , , , > Login and change password < , > Virtualized Env. 10 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  11. Deemon: Model Construction Traces and Parse Trees FSM Data flow and types next next trans to A < , , , , > F A q 0 →q 1 q 0 q 1 caused caused v 1 = YBLqp32F next next next has Types: String, Session < GET , 200 , GET , 302 > unique GET 200 GET 302 GET / hdrs caused propag. accepts YBLqp32F … next SQL SQL < , > source v 2 = YBLqp32F Types: String, Session UPDATE tbl claus unique id=YBLqp … sink 11 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  12. Deemon: Traversals r GET hdrs url “Find all CSRF” ⇓ password pwd “Find all req equests ts r such that: request(r) 1) r is state-changin ing 2) r can be created by an attacker r 3) the state change is rele elevant ” accept ⇓ trans to “∀n: request(n) q i →q f q i q f 1) ∃ tr, q i , q f : trans(tr, q i , q f ) ∧ accepts( tr, n) ∃ tr, q i , q f : trans(tr, q i , q f ) ∧ accepts(tr, r) 2) ∀ v: variable(v) ∧ has( q f , v) has ∧ v.Types ⋂ {“ unguessable ”} = ∅ v 1 = pwd q f 3) relevant(r)” Types: String ⇓ ∀ v: variable(v) ∧ has(q f , v) ∧ v.Types ⋂ {“ unguessable ”} = ∅ [Query processor] 12 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  13. Deemon: Testing Test Execution Graph Traversals < , , , , > Requests GET 200 OK < , , , , > Queries ? Virtualized Env. Failed Successful 13 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  14. Evaluation • Inputs: • 10 Web apps from the Bitnami catalog (avg 600k LoC ) • 93 workflows (e.g., change password, username, add/delete user/admin, enable/disable plugin) 53 protected (108 tokens) 1,022 not relevant 194 not st-ch • 1,380 requests 1,186 st-ch 164 relevant 111 unprotected 190 failed • 219 tests 29 succ. 14 distinct CSRFs • Attacks: • User account takeover in AbanteCart and OpenCart • Database corruption in Mautic • Web app takeover in Simple Invoices Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017 14

  15. Results Analysis: Awareness 1. Complete Awareness : all state-changing operations are protected • E.g., Horde, Oxid, and Prestashop 2. Unawareness : none of the relevant state-changing operations are protected • I.e., Simple Invoices 3. Partial Awareness • Role-based : only admin is protected • I.e., OpenCart and AbanteCart • Operation-based : adding data items is protected, deleting is not • I.e., Mautic 15 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

  16. Takeaways • Presented Deemon: • Dynamic analysis + property graphs • New modeling paradigm • Deemon detected 14 CSRFs that can be exploited to takeover accounts, websites, and compromise database integrity • Discovered alarming behaviors: security-sensitive operations are protected in a selective manner 16 Giancarlo Pellegrino, gpellegrino@cispa.saarland 11/02/2017

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
Detecting Topological Changes in Dynamic Delaunay Triangulations Using CUDA GTC 2017 Speaker: Dr.

Detecting Topological Changes in Dynamic Delaunay Triangulations Using CUDA GTC 2017 Speaker: Dr.

Detecting Topological Changes in Dynamic Delaunay Triangulations Using CUDA GTC 2017 Speaker: Dr. Matteo Lulli Prof. M. Bernaschi and Prof. M. Sbragaglia May the 10th, 2017 Comput. Phys. Commun. 213 , 19 (2017) Detecting Topological Changes in

1.09k views • 67 slides
Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection

559 views • 10 slides
Detecting Clusters and Nonlinearity in 3D Dynamic Graphs John Fox McMaster University Robert

Detecting Clusters and Nonlinearity in 3D Dynamic Graphs John Fox McMaster University Robert

Detecting Clusters and Nonlinearity in 3D Dynamic Graphs John Fox McMaster University Robert Stine University of Pennsylvania Georges Monette and Nehru Vohra York University Interface 2002 Clusters and Nonlinearity in 3D Dynamic Graphs 1

574 views • 10 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL Injections This month: XSS / CSRF Next month: DDoS / DoS Meetup Group for times/dates https://www.meetup.com/CLICK_HERE-exe/ Plan of Attack

1.76k views • 58 slides
More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1 2 Clickjacking &amp; UI redressing sws2 Click jacking &amp; UI

409 views • 29 slides
DETECTING LOCALIZED ROUGHNESS USING DYNAMIC SEGMENTATION By Amin El Gendy &amp; Ahmed Shalaby

DETECTING LOCALIZED ROUGHNESS USING DYNAMIC SEGMENTATION By Amin El Gendy &amp; Ahmed Shalaby

DETECTING LOCALIZED ROUGHNESS USING DYNAMIC SEGMENTATION By Amin El Gendy &amp; Ahmed Shalaby Department of Civil Engineering University of Manitoba The C-LTPP project The C-LTPP Project includes 24 test sites constructed between 1989 and

201 views • 17 slides
XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team Browser PDF / file formats B Shark movies Topics of today XSS Cross Site Scripting XSRF/CSRF Cross Site Request Forgery

893 views • 56 slides
Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application Security Information Systems A different and trickier threat - CSRF Often referred to as sleeping giant of vulnerabilities because

440 views • 16 slides
Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Advanced Web Technology 10) XSS, CSRF and SQL Injection 1 Table of Contents Cross Site Request

659 views • 39 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Detecting Data Races in Multi-Threaded Programs Eraser A Dynamic Data-Race Detector for

Detecting Data Races in Multi-Threaded Programs Eraser A Dynamic Data-Race Detector for

Detecting Data Races in Multi-Threaded Programs Eraser A Dynamic Data-Race Detector for Multi-Threaded Programs MultiRace An Efficient On-the-Fly Data-Race Detection Tool for Multi-Threaded C++ Programs John C. Linford Slide 1 / 31 Key

606 views • 31 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Outline The web from a security perspective (contd) SQL injection CSci 5271 Announcements

Outline The web from a security perspective (contd) SQL injection CSci 5271 Announcements

Outline The web from a security perspective (contd) SQL injection CSci 5271 Announcements intermission Introduction to Computer Security Web security, combined slides Web authentication failures Cross-site scripting Stephen McCamant

333 views • 9 slides
Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I:

Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I:

Cookie Calculator Repetition Hans-Joachim Bckenhauer and Dennis Komm Digital Medicine I: Introduction to Programming Local variables, scopes, and complexity Autumn 2019 October 31, 2019 Example Cookie Calculator Cookie Calculator

685 views • 13 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your

CS 498RK SPRING 2020 COOKIES Ho w ca n ap ps maintai n use r stat e ? Cookie s ! small bits of data downloaded to your computer so that a site can remember you and what you did on subsequent visits Bro w se r Serve r first request

340 views • 23 slides
Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori NTT Secure Platform Laboratories, Waseda University, NICT, RIKEN API NDSS Symposium 24 th

768 views • 46 slides
Security ty, P Privacy cy, &amp; &amp; Us User E Expect ectati tion ons: Case Studies in

Security ty, P Privacy cy, &amp; &amp; Us User E Expect ectati tion ons: Case Studies in

Security ty, P Privacy cy, &amp; &amp; Us User E Expect ectati tion ons: Case Studies in Web Tracking and Application Permissions Franzi ziska Roesner er Assistant Professor Computer Science &amp; Engineering University of Washington

710 views • 52 slides
How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade

How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade

The Future of Advertising &amp; Privacy How online tracking works Lorrie Faith Cranor Chief Technologist US Federal Trade Commission 1 Agenda Types of ads Web tracking with cookies Web tracking beyond cookies Tracking

1.43k views • 118 slides

More recommend