robust defenses for cross site
play

Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta - PowerPoint PPT Presentation

Jan 21, 2024 •541 likes •846 views

Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login CSRF attack? Whats the

  1. Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell

  2. Outline What is CSRF attack? • What is a login CSRF attack? • What’s the existing CSRF defenses? • What’s authors defense proposal? • What’s the vulnerabilities of Session • Initialization?

  3. Outline What is CSRF attack? • What is a login CSRF attack? • What’s the existing CSRF defenses? • What’s authors defense proposal? • What’s the vulnerabilities of Session • Initialization?

  4. What is CSRF attack? Cross-Site Request Forgery (CSRF)  attack A malicious site instructs a victim’s browser to • send a request to an honest site Leveraging the victim’s network connectivity and • browser’s state , such as cookies, to disrupt the integrity of the victim’s session with the honest site

  5. CSRF Defined Attacker take advantage of user   Network Connectivity  Read Browser State  Write Browser State Different attacker types   Forum Poster  Web Attacker  Network Attacker

  6. Cross-Site Request Forgery

  7. Real attack using CSRF Hacked Gmail accounts and injected forwarding mail filter

  8. Outline What is CSRF attack? • What is a login CSRF attack? • What’s the existing CSRF defenses? • What’s authors defense proposal? • What’s the vulnerabilities of Session • Initialization?

  9. Search History  Login CSRF attack Paypal  iGoogle 

  10. Outline What is CSRF attack? • What is a login CSRF attack? • What’s the existing CSRF defenses? • What’s authors defense proposal? • What’s the vulnerabilities of Session • Initialization?

  11. What’s the existing CSRF defenses? • Secret Validation Token used to determine whether the request came from an authorized source. • The Referrer header indicates which URL initiated the request. • Custom HTTP header using XMLHttpRequest

  12. Secret Validation Token - Designs (1/2) Session identifier Use the user’s session identifier as the secret validation token • Disadvantage: Users may share the contents of WebPages that contain • session identifiers to third parties Session-Independent Nonce Server generates a random nonce and store it as a cookie when the user first • visits the site. • Disadvantage: An active network attacker can overwrite the session independent nonce with his own CSRF token value even if HTTPS is present (Cookie Overwriting attack).

  13. Secret Validation Token - Designs (2/2) Session-Dependent Nonce Store state on the server that bind the user’s CSRF token value • to the user’s session identifier . Disadvantage: Site must maintain a large state table in order to • validate the tokens HMAC of Session Identifier Instead of using server-side state, cryptography is used to bind • the CSRF token and the session identifier. • All site servers share the HMAC key and each server can validate that the CSRF token is correctly bound to the session identifier. *HMAC = Hash Message Authentication Code

  14. The Referrer header When the browser issues an HTTP request it includes a Referrer header that indicates which URL initialized the request. Referrer disadvantages: • is usually suppressed due to privacy information leaking. • can be spoofed due to browser bugs. Referrer validation as a CSRF defense • In lenient Referrer validation, the site blocks requests whose Referrer header has an incorrect value. If a request lacks the header, the site accepts the request. • Disadvantage: Referrer is suppressed for request issued from Ftp and data URLs. • In strict Referrer validation, the site blocks requests that lack a Referrer header.

  15. Experiment (1/4)  Design  We used two advertisement networks from 5 April 2008 to 8 April 2008  283.945 advertisement impressions from 163.767 unique IP address  Two servers with two domain names were used to host the advertisement  Advertisement generates a unique id and randomly selects the primary server  GET and POST requests both over HTTP and HTTPS generated by primary server  Requests are generated by submitting forms, requesting images, and issuing XMLHttpRequests  Same-domain requests to the primary server and cross-domain requests to the secondary server were generated by the advertisement  Servers logged request parameters ( Sids, Referer, User-Agent, document.referrer, etc)  Did not log the client’s IP address, instead logged the HMAC of client’s IP address

  16. Experiment (2/4) Results  Discussion   The Referrer header is suppressed more often for cross domain requests over http.  The Referrer header is suppressed more often for HTTP requests than for HTTPS requests

  17. Experiment (3/4)  Browsers that suppress the Referrer header also suppress the document. referrer value  PlayStation 3 browser does not support document. referrer  Opera blocks cross-site document. referrer for HTTPS  Bug in Firefox 1.0 and 1.5 do not send referrer for HTML HTTP request

  18. Experiment (4/4) Conclusion: Strict Referrer can be used as CSRF defense for HTTPS • HTTP: cannot afford blocking requests that lack Referrer header • cease to be compatible with 3-11% of users • Strict Referrer validation suited for login CSRF defense because they • are issued over HTTPS 0.05-0.22% of browsers suppress the header over https •

  19. Custom HTTP Headers Browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest. To use custom headers as a CSRF defense a site must Issue all state-modifying requests using • XMLHTTPRequest • Attach a custom header (e.g. X-Requested-By) Reject all state-modifying requests that are not • accompanied with the header

  20. Outline What is CSRF attack? • What is a login CSRF attack? • What’s the existing CSRF defenses? • What’s authors defense proposal? • What’s the vulnerabilities of Session • Initialization?

  21. Proposal: Origin header  Privacy  Origin header improves on a Referer header  Origin header includes only the information required to identify the principal that initiated the request (port, host, scheme)  Origin header doesn’t contain the path or query portions of the URL  Origin header is sent only for POST requests  Referer header is sent for all requests  Server Behavior  All state-modifying requests, including login requests, must be sent using the POST method  Server must reject any requests whose Origin header contains an undesired value (indicated from another site/ attacker) or null

  22. Proposal: Origin header  Security Analysis  Rollback and Suppression: A supporting browser will always include the Origin header when making POST requests, sites can detect that a request was initiated by a supporting browser by observing the presence of the header  DNS Rebinding: Sites that rely only on network connectivity for authentication, could complementary validate the Host header. It applies to all CSRF defenses.  Plug-ins: If a site opts into cross-site HTTP requests an attacker can use Flash Player to set the Origin header in cross-site requests. Sites should not opt into cross-site HTTP requests from untrusted origins.

  23. Proposal: Origin header  Adoption  Origin Header improves and unifies other proposals and has been adopted by several working groups.  Implementation  Browser side: WebKit, Safari, Firefox  Server side: ModSecurity, Apache

  24. Outline What is CSRF attack? • What is a login CSRF attack? • What’s the existing CSRF defenses? • What’s authors defense proposal? • What’s the vulnerabilities of Session • Initialization?

  25. Session Initialization  Login CSRF is an example of vulnerability in session initialization  Authenticated as User  The attacker can force the site to use a predictable session identifier for a new session. Then user supplies their authentication credentials to the honest site (predictable session identifier)  Authenticated as Attacker  Attacker cause the honest site to begin a new session with the user’s browser but force the session to be associated with the attacker’s authorization (e.g. Login CSRF, PayPal)  Two common approaches to achive an attack on session initialization  HTTP Requests and Cookie Overwriting

  26. HTTP Requests (1/2)  OpenID: includes a self-signed nonce to protect against reply attacks but doesn’t suggest a mechanism to bind the OpenID session to the user’s browser  1. Web attacker visits the Relying Party (Blogger) and begins the authentication process with the Identity Provider (Yahoo!)  2. Identity Provider redirects the attacker’s browser to the “return to” URL of the Relying Party  3. attacker directs the user’s browser to the return to URL  4. The Relying Party completes the OpenID protocol and stores a session cookie in the user’s browser  5. The user is now logged in as the attacker Defense: relying party should generate a fresh nonce at the start of the protocol, stored in user’s browser.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, <img src=>

569 views • 42 slides
Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell ,

Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell ,

Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell , Robust Defenses for Cross - Site Request Forgery, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk and H. Wang , Clickjacking:

828 views • 57 slides
LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious Hacking Attempts Cross Site

LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious Hacking Attempts Cross Site

LECTURE 23: MORE SECURITY CSE 442 Software Engineering Serious Hacking Attempts Cross Site Request Forgery Cross-Site Requests Same-site request if local page makes HTTP request Request sent to other site called cross-site request

750 views • 62 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &

892 views • 6 slides
Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks Introduction to Computer Security Confidentiality and privacy Day 19: Web security, part 2 Stephen McCamant Even more web risks University of

386 views • 11 slides
Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Even more web risks Stephen

435 views • 10 slides
Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Presenting a live 90 minute webinar with interactive Q&A Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and Contemporaneous Exchange Managing the Audit Process, Mitigating Regulatory Sanctions, and

893 views • 52 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
Cross-site research and synthesis in the LTER network examples PIE Chuck Hopkinson PIE

Cross-site research and synthesis in the LTER network examples PIE Chuck Hopkinson PIE

Cross-site research and synthesis in the LTER network examples PIE Chuck Hopkinson PIE and GCE LTERs The LTER network of sites is ideal for conducting cross-site observations from across a range of environmental conditions. VCR

636 views • 14 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Kristin Cross Director Satellite Architects I work with developers and investors to help them gain

Kristin Cross Director Satellite Architects I work with developers and investors to help them gain

Kristin Cross Director Satellite Architects I work with developers and investors to help them gain planning and add value to their projects. Infill site Some of the more obvious sites developers bring us. Roof top site Back infill site

500 views • 30 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server & Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale Details Security Future 11/16/2014 2 Apache Traffic Server Fast, scalable and extensible HTTP/1.1 compliant caching proxy server

1.52k views • 45 slides
DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz

DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz

DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz Kaleli Manuel Egele Gianluca Stringhini bkaleli@bu.edu megele@bu.edu gian@bu.edu Online Collaboration Services (OCSs)

636 views • 46 slides
How to Write a Project Proposal What is the problem you are addressing? What is the context?

How to Write a Project Proposal What is the problem you are addressing? What is the context?

How to Write a Project Proposal What is the problem you are addressing? What is the context? What is your approach? How will you evaluate your approach? Based on your results what future directions will be possible? What is the timeline of

273 views • 3 slides
PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer

PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer

PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer Universitt Hamburg with Pascal Wichmann (Uni Hamburg) Max Maa (TU Darmstadt) Henning Pridhl (Uni Bamberg) und Dominik Herrmann (Uni Bamberg)

352 views • 24 slides
whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current:

whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current:

A XSSmas carol by pepe vila whoami Name: Pepe Vila ( @cgvwzq ) Location: Spain Work: - before: pentester at EY - current: PhD student at IMDEA Software Interests: - try to understand browsers, XSS challenges , CTFs, computationalism, space

481 views • 36 slides
JavaScript Security & HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security & HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31,

JavaScript Security & HTML5 ( a n d P r i v a c y ) Mike Shema RVAsec May 31, 2013 Weve Been Here Before A Definition Ja va Script | jv skript | invective . 1 A vendor-neutral, cross-platform liability for

583 views • 42 slides
HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE

HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE

HIPSTER BINGO - OR HOW TO USE DOCKER/KUBERNETES/CRI-O TO DEPLOY LIBREOFFICE ONLINE WITH STYLE CIB SOFTWARE GMBH LIBREOFFICE CONFERENCE ROME OCTOBER 11TH, 2017 I HAVE 30 MINUTES TO SETUP LOOL The problem? > multiple server instances

215 views • 17 slides

More recommend