Table of Contents Berner Fachhochschule, Technik und Informatik - PowerPoint PPT Presentation

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF � Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection Conclusion Injection Flows � Presentation Dr. E. Benoist Vulnerability Protection Fall Semester 2010/2011 Examples Conclusion Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection 1 2 Cross Site Request Forgery Sending a request without the consent of the victim? ◮ Insert an image in a HTML file < img src=”http://www.benoist.ch/image/test.gif” > ◮ Not a new attack, but simple and devastating ◮ CSRF attack forces a logged-on victim’s browser to send Browser: Downloads an image a request to a vulnerable web application GET /image/test.gif HTTP/1.1 ◮ Target: Perform the chosen action on behalf of the ... victim ◮ An image can be generated by a PHP program (or any program) < img src=”http://www.benoist.ch/image/test.php” > Browser: Downloads an image Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF Cross Site Request Forgery - CSRF: Presentation 3 4

Sending a request? (Cont.) Very widespread vulnerability Touches any web application that ◮ has no authorization checks for vulnerable actions ◮ An image can be generated according to some ◮ will process an action if a default login is able to be parameters given in the request < img src=”/barcode.php?number=12345678901” > < img src=”http://www.benoist.ch/doSomething?user=admin& ց Browser: Downloads an image → pwd=123” > ◮ An image tag can contain something else ◮ Authorizes requests based only on credentials that are < img src=”http://www.benoist.ch/index.php?action= ց automatically submitted → logout” > • cookies if currently logged into the application • or “Remember me” functionality if not logged into the Browser ????? application • or a Kerberos token if part of an Intranet participating in integrated logon with Active Directory. Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF: Presentation Cross Site Request Forgery - CSRF: Presentation 5 6 State of the art Vulnerability ◮ A typical CSRF attack directs the user to invoke some function ◮ Most of web applications rely solely on automatically • for instance application’s logout page submitted credentials ◮ The following tag can be inserted in any page viewed by • cookies the victim • basic authentication credentials < img src=”http://www.benoist.ch/logout.php” > • source IP addresses • SSL certificates it generates the same request as clicking on a link containing • or windows domain credentials this address! ◮ Vulnerability also known as ◮ Example: Online banking transfer • Session Riding, One-Click Attacks, Cross Site Reference < img src=”http://www.mybank.de/transfer.do? Forgery, Hostile Linking, and Automation Attack frmAcct=document.form.frmAcct&toAcct=4567890&amt ց • Acronym XSRF is also used together with CSRF → =3434.43” > Could transfer the money from the account of the user, to a given account. Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF: Presentation Cross Site Request Forgery - CSRF: Vulnerability 7 8

Vulnerability (Cont.) How such a link could reach a victim ◮ Jeremiah Grossman 1 Succeeded in making changes in victims DSL routers ◮ Even if the user doesn’t know that he can configure his ◮ Web-site Owner embedded JavaScript malware router ;-) ◮ Web page defaced with embedded JavaScript malware ◮ He used the router’s default account name to perform his attack Example ◮ JavaScript Malware injected into a public area of a website. (persistent XSS) < img src=”http://admin:password@192.168.1.1/” > ◮ Clicked on, a specially-crafted link causing the website Then you just have to reconfigure the system to echo JavaScript malware. (non-persistent XSS) < img src=”http://192.168.1.1/changeDNS?newDNS ց → =143.23.45.1” > ◮ Once DNS changed, user will never be able to access a site securely! 1 Talk in Blackhat 2006 : “Hacking Intranet Sites from the outside” Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF: Vulnerability Cross Site Request Forgery - CSRF: Vulnerability 9 10 CSRF allows to access the intranet Internet is protected, but Intranet? You would never dare doing this on Internet! But what about Intranet? ◮ Leaving hosts unpatched ◮ The attacker sends requests from inside the Intranet • Servers are always patched regularly, but local PC’s? • Doesn’t have to go throw the firewall, the victim is already ◮ Using default passwords ◮ CSRF combined with javascript allows to send many requests sequentially • What the use of changing the password, the IP address can • javascript adds an image in the DOM (possibly invisible). only be reached from inside my network • when the request is sent, another image is added • 192.168.x.y • and so on ◮ Do not putting a firewall in front of a host ◮ Everything seams OK because the perimeter firewalls black external access • So CSRF attacks can be very fruitful Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF: CSRF allows to access the intranet Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 11 12

Why do CSRF attacks work? CSRF and XSS ◮ Combine CSRF and XSS • The tag is already posted inside the vulnerable application ◮ User authorization credential is automatically included in ◮ Risk is increased by that combination any request by the browse • Typical: Session Cookie • Probability to find a logged in user is higher ◮ The Attacker doesn’t need to supply that credential ◮ CSRF does not require XSS • It belongs to the victim’s browser • One can attack a site from another one ◮ Success of CSRF belongs on the probability that the ◮ Any application with XSS flaws is susceptible to CSRF victim is logged in the attacked system • CSRF attacks can exploit the XSS flaw to steal any • Idea: attack the site the victim visits non-automatically submitted credential • Mean : XSS ◮ When building defenses against CSRF attacks, you must eliminate XSS vulnerabilities Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF: CSRF allows to access the intranet Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 13 14 Protection Strategies ◮ Ensure that there are no XSS vulnerabilities in your application • Otherwise, any protection is useless, since javascript could ◮ Application must ensure that they are not only relying access the hidden data. on credentials or tokens that are automatically ◮ Insert custom random tokens into every form and URL submitted by browsers • It will not be automatically submitted by the browser • Session Cookies • Example: • Certificates • Remember me < form action=”/transfer.do” method=”POST” > • . . . < input type=”hidden” name=”383838” value=” ց ◮ Application should use a custom token that the browser → 1234323433” > ... will not “Remember” < /form > • So it can not be included in the Requests sent automatically • Then you have to verify that token • Token can be unique for a session or even for each page • The more focused the token is, the higher the security is, but the application is then much more complicated to write Advanced Web Technology 10) XSS, CSRF and SQL Injection Advanced Web Technology 10) XSS, CSRF and SQL Injection Cross Site Request Forgery - CSRF: Protection Cross Site Request Forgery - CSRF: Protection 15 16