Cross Site Request Forgery Problem Summary, Scott Malabarba, IBM
Post on 09-Jan-2016
© 2011 IBM Corporation
Industry Solutions
Cross Site Request Forgery Problem Summary
Scott Malabarba, IBM
What is CSRF/cross site request forgery?
• A malicious page on another origin (a script or an auto-submitted form) exploits the user's authenticated session to send requests to the target application; the browser attaches the session cookie to the forged request automatically
Modify or destroy data with a form POST
Read confidential data. Browsers restrict cross-site GET (the same-origin policy hides the response from the calling page) but do not entirely prevent it.
• Other "flavors" such as login CSRF are less applicable to CMIS
• (Very) basic demo...
I'm authenticated on the target server
Basic cross-domain form POST to the target application, submitted from a different origin server
Response with secret token check OFF: the form endpoint is unprotected and accepts the forged POST
CSRF Defenses
• Some common defenses are not feasible in the CMIS browser binding
e.g. requiring a custom header on form posts: a plain HTML form cannot set custom headers, so the binding cannot rely on them
• Secret token: with each POST (and any state-changing GET), the client must submit a token that is known only to the client and the server; a page on another origin cannot obtain it, so the forged request arrives without it
The token can be cryptographically signed and include specific information such as the target URL and the session ID, so a token cannot be replayed against another URL or another user's session
Response with secret token check ON
How to transfer the token securely?
• Some common methods do not apply in the CMIS use case
e.g. the server inserting the token directly into generated form HTML: in the browser binding the client builds its own forms, so there is no server-generated form to carry it
• Returning the token in an ordinary GET response is not safe either: the browser restriction on reading cross-site GET responses is too easy to work around
• Option 1: the token can safely be returned from an authentication call
The client can store the token in, e.g., a cookie and submit it with each form post
Problematic when SSO is enabled or the CMIS repository delegates authentication to the container, since there is then no authentication call to return the token from
• Option 2: IFRAME postMessage() technique: a page served from the repository's own origin, loaded in an IFRAME once the user is authenticated, hands the token to the embedding client page with window.postMessage()
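The IFRAME postMessage() exchange of Option 2, as an added example that is not code from the slides or from any CMIS implementation. The security-relevant part is the origin check on both sides: the frame names the one origin it will release the token to, and the client ignores messages that do not come from the repository origin. The origins, the token value and the window objects are constructed; the browser-only calls (`postMessage` and the `message` event) are modelled by plain objects so the checks can be exercised without a browser.

```javascript
// Added example (not the CMIS project's code) of handing the anti-CSRF token
// from a repository-origin IFRAME to a client page on another origin.
const REPOSITORY_ORIGIN = 'https://cmis.example';   // constructed: origin serving the token frame
const CLIENT_ORIGIN = 'https://app.example';        // constructed: origin that embeds the frame

// Runs inside the frame on the repository origin after the user has
// authenticated there. It releases the token only to the origin it was
// configured to trust; a targetOrigin of '*' would hand the token to
// whichever page framed it.
function sendTokenToParent(parentWindow, token, allowedParentOrigin) {
  if (allowedParentOrigin === '*') throw new Error('refusing to broadcast the token');
  parentWindow.postMessage({ type: 'csrf-token', token }, allowedParentOrigin);
  return true;
}

// Runs in the embedding client. Any page can post to this window, so the
// client checks event.origin before trusting the payload and ignores anything
// that is not the token reply it is waiting for. Returns the token or null.
function receiveTokenMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || data.type !== 'csrf-token' || typeof data.token !== 'string') return null;
  return data.token;
}

// Constructed stand-in for a cross-origin window reference such as
// window.parent. `ownOrigin` is the origin of the referenced window;
// `callerOrigin` is the origin of the page holding the reference, which the
// browser reports as event.origin when the message is delivered.
function fakeWindowRef(ownOrigin, callerOrigin) {
  const inbox = [];
  return {
    inbox,
    postMessage(data, targetOrigin) {
      // Browser rule: the message is dropped unless targetOrigin is '*' or
      // matches the receiving window's actual origin.
      if (targetOrigin === '*' || targetOrigin === ownOrigin) inbox.push({ data, origin: callerOrigin });
    },
  };
}

// One full exchange: the frame (on REPOSITORY_ORIGIN) is embedded by a page
// on `framedBy`; the client accepts tokens only from `clientTrusts`.
function exchangeToken({ framedBy, clientTrusts }) {
  const parentRef = fakeWindowRef(framedBy, REPOSITORY_ORIGIN);
  sendTokenToParent(parentRef, 'tok-constructed', CLIENT_ORIGIN);
  const received = parentRef.inbox.map((event) => receiveTokenMessage(event, clientTrusts));
  return received.find((token) => token !== null) || null;
}
```

If an attacker's page frames the token page, the browser drops the message because its target origin does not match the attacker's origin, and a message the attacker posts to the client carrying a token of his choosing is ignored because it does not come from the repository origin. The frame page itself should also be served with a frame-ancestors restriction so that only the intended client origin can embed it.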