Cross Site Request Forgery Vulnerabilities
TRANSCRIPT
Copyright © 2008 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
Cross Site Request Forgery Deep Dive
In Cincinnati Chapter Meeting, May 27th
[email protected]
Agenda
1. TBD
2. OWASP Publications
3. OWASP Tools Demo By Blaine Wilson
4. OWASP Cincinnati Local Chapter
5. Final Questions
Place of CSRF in the OWASP Top 10 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
http://www.owasp.org/index.php/Top_10
Description of CSRF threat and the impact
CSRF forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
An attacker may force the users of a web application to execute actions of the attacker's choosing via social engineering.
CSRF Causes
The way CSRF is accomplished relies on the following facts:
1) Web browser behavior regarding the handling of session-related information such as cookies and HTTP authentication information;
2) Knowledge of valid web application URLs on the side of the attacker;
3) Application session management relying only on information which is known by the browser;
4) Existence of HTML tags whose presence causes immediate access to an http[s] resource; for example the image tag img.
Threat Scenario
CSRF is a Same Origin Exploit
The GET request could be originated in several different ways:
1. by the user, who is using the actual web application;
2. by the user, who types the URL directly in the browser;
3. by the user, who follows a link (external to the application) pointing to the URL.
CSRF attack vectors
Example: Webgoat/?
CSRF Countermeasures: Client/User
Some mitigating actions are:
1. Log off immediately after using a web application.
2. Do not allow your browser to save usernames/passwords, and do not allow sites to "remember" your login.
3. Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both things on the same machine, do them with separate browsers.
4. Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks, since simply viewing a mail message or a news message might lead to the execution of an attack.
CSRF Countermeasures: Developers
Add session-related information to the URL
Use POST instead of GET
Automatic logout mechanisms
Rely on Referer headers
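As an added illustration of the first two developer countermeasures (not code from the slides or from OWASP), the following Python sketch issues a per-session anti-CSRF token, verifies it with a constant-time comparison, and only honours state-changing requests sent by POST with a valid token. The server secret, the session id and the `handle_transfer` handler are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never reaches the client.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    """HMAC over the session id and nonce, so a token is only valid for one session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token to embed in the form (or URL): random nonce + MAC bound to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """True only if the token was issued for this session and is unmodified."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    # compare_digest avoids leaking the MAC through timing differences.
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(method: str, session_id: str, form: dict) -> int:
    """Hypothetical state-changing endpoint; returns an HTTP status code.

    A forged cross-site request carries the victim's cookies (session_id) but
    cannot carry the token, because the attacker's page never sees it.
    """
    if method != "POST":
        return 405  # state changes only via POST, never via a GET that an <img> can trigger
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403  # missing, forged, or another session's token
    return 200


if __name__ == "__main__":
    token = issue_csrf_token("victim-session")
    print(handle_transfer("POST", "victim-session", {"csrf_token": token}))  # 200
    print(handle_transfer("POST", "victim-session", {}))                     # 403
```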
Black Box testing and example
1. Let u be the URL being tested; for example, u = http://www.example.com/action
2. Build an HTML page containing the HTTP request referencing URL u (specifying all relevant parameters; in the case of HTTP GET this is straightforward, while for a POST request you need to resort to some JavaScript);
3. Make sure that the valid user is logged on to the application;
4. Induce him into following the link pointing to the to-be-tested URL (social engineering is involved if you cannot impersonate the user yourself);
5. Observe the result, i.e. check whether the web server executed the request.
Gray Box testing and example
Audit the application to ascertain if its session management is vulnerable.
Check if session management relies only on client-side values.
Tools
Difference Between XSS and CSRF