Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. - - PowerPoint PPT Presentation
Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell , Robust Defenses for Cross - Site Request Forgery, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk and H. Wang , Clickjacking:
Course: EPL 682 Name: Savvas Savva
[1] A. Barth and C. Jackson and J. Mitchell , “Robust Defenses for Cross-Site Request Forgery”, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk and H. Wang , “Clickjacking: Attacks and Defenses”, pub. in USENIX Security Symposium, 2012.
Course: EPL 682 Name: Savvas Savva
This presentation is based on: [1] A. Barth and C. Jackson and J. Mitchell , “Robust Defenses for Cross-Site Request Forgery”, pub. in 15th ACM Conference, 2008.
CSRF = Cross-Site Request Forgery:
honest site.
○ Leveraging Network Connectivity. ○ Leveraging Browser state. ○ Disrupts integrity of the victim session with a honest site. ○ In login CSRF attack, an attacker uses the victim’s browser to forge a cross-site request to the honest site’s login URL, supplying the attacker’s username and password.
○ A good explanation of the CSRF threat model. ○ A study of current browser behavior. ○ A proposal for an Origin header containing the information necessary for CSRF defense. ○ A study of related session initialization vulnerabilities.
○ Forum Poster. ○ Web Attacker. ○ Network Attacker.
Attack A: Login CSRF Attack
Another CSRF Attack Detailed
○ Validating using this secret token. ○ Fraught with pitfalls. ○ A Popular technique.
○ Simple technique. ○ Referer header can be suppressed.
○ Ajax interface. ○ Requires sites to valid all state-modifying requests.
April 2008.
issuing XMLHttpRequests.
to the secondary server.
session identifier, document.referer .
address.
<script> document.write(unescape("%3Cscript src='" + (document.location.protocol == "https:" ? "https://sb" : "http://b") + ".scorecardresearch.com/beacon.js' %3E%3C/script%3E")); </script> <noscript> <img src="http://b.scorecardresearch.com/p?c1=2&c2=8027488&c3=&c4=&c5=&c6=&c15=&cj=1" /> </noscript>
HTTPS requests.
document.referrer value.
value is not suppressed.
○ PlayStation 3 browser does not support ○ Opera suppresses for cross-site HTTPS request ○ Bug in Firefox 1.0 and 1.5
○ HTTP: percentage (3-11%) of users ○ HTTPS: percentage (0.05-0.22%) of users ○ Site must reject requests that omit the Referer header
○ Must address privacy concerns in order to effective in large-scale deployments
Origin Header:
○ Includes only the information required to identify the principal that initiated the request. ○ Sent only for POST requests.
○ All state-modifying requests, including login requests, must be sent using the POST method. ○ Server must reject any requests whose Origin header contains an undesired value.
Origin Header:
○ Rollback and Suppression, DNS Rebinding ,Plug-ins
○ Improves and unifies four other proposals and has been adopted by several working groups
○ Browser side: WebKit, Safari, Firefox ○ Server side: ModSecurity, Apache
○ Cross-Site XMLHttpRequest: The proposed standard for cross-site XMLHttpRequest included a Access-Control-Origin header to identify the origin issuing the request. ○ XDomainRequest: The XDomainRequest API in Internet Explorer 8 Beta 1 sends cross-site HTTP requests that omit the path and query from the Referer header.
○ JSONRequest: The JSONRequest API for crosssite HTTP requests included a Domain header that identifies the host name of the requester. ○ Cross-Document Messaging: The HTML 5 specification proposes a new browser API for authenticated client-side communication between HTML documents
○ Predictable session identifier
○ Login CSRF
○ HTTP Requests and Cookie Overwriting
authentication process with the Identity Provider (Yahoo!)
URL of the Relying Party
session cookie in the user’s browser
displayed in the attacker’s location bar.
now logged in as the attacker.
connection to the same host name as the site and install either a Secure
web apps”
○ Strips implicit authorization information from outgoing cross-site HTTP requests ○ Breaks existing web site functionality
○ Attacker can manually solve CAPTCHAs ○ Attacker can address captchas to be solved online from captcha solvers.
○ Strict Referer validation
○ Images, hyperlinks should use a framework that implements secret token validation correctly
○ Eliminating the privacy concerns ○ HTTPS and non-HTTPS requests both work
Course: EPL 682 Name: Savvas Savva
This presentation is based on: [2] L. Huang and A. Moshchuk and H. Wang , “Clickjacking: Attacks and Defenses”, pub. in USENIX Security Symposium, 2012.
○ The user is tricked to click on something he didn’t intend to click on.
○ This is proven in this paper with three new attack variants from existing clickjacking techniques. ○ Clickjacking attacks can cause severe damages. ○ Better results and more effective than Social engineering.
○ The paper user study demonstrates its effectiveness.
Simple definition: The user is tricked to click on something he didn’t intend to click on. An attacker application presents a sensitive UI Element of a target application
transparent ect). Some examples:
(Transparently overlaying on top of a safe UI element)
applications sharing the same display.
compromises context integrity of another application’s UI when the user acts on the UI.
Hiding the target Element - Likejacking Example
Claim Your Free iPad Pro
Temporal integrity ,
for some noticeable amount of time transform to facebook page like button
C B A
Cursorjacking is not Performed. Could be done Using CSS cursor property. Also, can perform strokejacking attack for fake blink in keyboard typing cursor and fake text input. The same appears in twitter tweet button to create the TweetBomb attack.
Video link : https://www.youtube.com/watch?v=zbbYBKDUPDU, From Daniel Correa . All rights to him.
Use opacity 0 in css or attribute hidden.
For example in the older trusted paypal checkout iFrame.
Crop elements in other visa checkout payments or the old paypal iFrame and leave only a pay button.
○ Degrades user experience.
○ Unreliable (e.g. multi-click attacks).
○ Incompatible with embedding 3rd-party objects.
○ Breaks legitimate sites.
○ False positives.
○ Annoying to user.
None of current defenses consider pointer (Photo from Lifehacker)
– Cost was 25 cents per user. – Users can only participate once, and only for one Treatment. – The user study on Amazon Mechanical Turk shows that people fall for these attacks with success rate 43% to 98%.
Attack technique: cursor-spoofing Attack success: 43% (31/72)
Attack technique: pop-up window Attack success: 47% (43/90)
Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84)
Design Goals:
browsers enforce the context integrity of user actions on the sensitive UI Elements.
for user actions.
– Let websites indicate their sensitive UIs. – Let browsers enforce context integrity when users act on the sensitive UIs.
– processing delay on click < 30ms (prototype on IE 9)
– Attack success: 43% -> 16%
– Attack success: 43% -> 15% – Attack success (margin=10px): 12% – Attack success (margin=20px): 4% (baseline:5%) (GOOD)
+ lightbox): 2%
Attack technique: cursor-spoofing Attack success: 43% (31/72)
target or pointer, invalidate clicks for some ms
changes on target, invalidate clicks until pointer re-enters target
pointer, invalidate clicks for some ms – Attack success (delay=250ms): 47% -> 2% (2/91) – Attack success (delay=500ms): 1% (1/89)
after visual changes on target, invalidate clicks until pointer re-enters target – Attack success: 0% (0/88)
Attack technique: pop-up window Attack success: 47% (43/90)
many seconds, and deliberating whether or not to click.
– Screen freezing, margin=20px: 98% -> 16% – Screen freezing, margin=20px, pointer entry delay=500ms: 4% – Screen freezing, margin=20px, pointer entry delay=1000ms: 1%
– 63% users intentionally clicked on Like button after the proposed defenses made them fully aware of this.
Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84)
defenses.
rates 43% to 98%).
clickjacking.