Upload: marco-morana

Post on 06-May-2015

Page 1: Cross Site Request Forgery Vulnerabilities

Copyright © 2008 - The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP

http://www.owasp.org

Cross Site Request Forgery Deep Dive In

Cincinnati Chapter Meeting, May 27th, 2008

[email protected]

Page 2: Cross Site Request Forgery Vulnerabilities

Agenda

1. TBD

2. OWASP Publications

3. OWASP Tools Demo By Blaine Wilson

4. OWASP Cincinnati Local Chapter

5. Final Questions

Page 3: Cross Site Request Forgery Vulnerabilities

Place of CSRF in the OWASP Top 10 2007

1. Cross Site Scripting (XSS)

2. Injection Flaws

3. Insecure Remote File Include

4. Insecure Direct Object Reference

5. Cross Site Request Forgery (CSRF)

6. Information Leakage and Improper Error Handling

7. Broken Authentication and Session Management

8. Insecure Cryptographic Storage

9. Insecure Communications

10. Failure to Restrict URL Access

http://www.owasp.org/index.php/Top_10

Page 4: Cross Site Request Forgery Vulnerabilities

Description of CSRF threat and the impact

CSRF forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.

An attacker may force the users of a web application to execute actions of the attacker's choosing via social engineering.

Page 5: Cross Site Request Forgery Vulnerabilities

CSRF Causes

The way CSRF is accomplished relies on the following facts:

1) Web browser behavior regarding the handling of session-related information such as cookies and HTTP authentication information;

2) Knowledge of valid web application URLs on the side of the attacker;

3) Application session management relying only on information which is known by the browser;

4) Existence of HTML tags whose presence causes immediate access to an http[s] resource; for example the image tag img.

Page 6: Cross Site Request Forgery Vulnerabilities

Threat Scenario

Page 7: Cross Site Request Forgery Vulnerabilities

CSRF is a Same Origin Exploit

The GET request could be originated in several different ways:

1. by the user, who is using the actual web application;

2. by the user, who types the URL directly in the browser;

3. by the user, who follows a link (external to the application) pointing to the URL.

Page 8: Cross Site Request Forgery Vulnerabilities

CSRF attack vectors

Page 9: Cross Site Request Forgery Vulnerabilities

Example: Webgoat/?

Page 10: Cross Site Request Forgery Vulnerabilities

CSRF Countermeasures: Client/User

Some mitigating actions are:

1. Logoff immediately after using a web application.

2. Do not allow your browser to save usernames/passwords, and do not allow sites to “remember” your login.

3. Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both things on the same machine, do them with separate browsers.

4. Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks, since simply viewing a mail message or a news message might lead to the execution of an attack.

Page 11: Cross Site Request Forgery Vulnerabilities

CSRF Countermeasures: Developers

Add session-related information to the URL

Use POST instead of GET

Automatic logout mechanisms

Rely on Referer headers
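As an added example (not code from the slides), the following Python model shows the first two developer countermeasures working together against the cause listed on slide 5, point 3: the server keeps a per-session secret that the browser never attaches on its own, and the state-changing action is accepted only over POST when the request itself carries that secret. The handler, parameter and session-store names are assumptions made for this example, and the requests are constructed in memory to stand in for what a browser would send.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (assumed design).
SESSIONS = {}

def login(user):
    # The csrf_token is session-related data kept on the server and embedded in
    # the application's own pages; it is not a cookie the browser attaches itself.
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid

def _execute(sess, params):
    return f"200 {sess['user']} sent {params['amount']} to {params['to']}"

def transfer_vulnerable(request):
    """Authorises on the session cookie alone, so any request carrying it runs."""
    sess = SESSIONS.get(request["cookies"].get("SID"))
    if sess is None:
        return "401 not logged in"
    return _execute(sess, request["params"])

def transfer_protected(request):
    """Requires POST plus the session's own secret, which a forged request lacks."""
    sess = SESSIONS.get(request["cookies"].get("SID"))
    if sess is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state-changing action must use POST"
    supplied = request["params"].get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return "403 CSRF check failed"
    return _execute(sess, request["params"])

def simulate():
    """Constructed scenario: the browser sends the cookie on every request to the site."""
    sid = login("alice")
    cookies = {"SID": sid}
    # Request an img tag on an unrelated page would make the browser issue.
    forged = {"method": "GET", "cookies": cookies,
              "params": {"to": "attacker", "amount": "1000"}}
    # Request from the application's own form, which embeds the session token.
    genuine = {"method": "POST", "cookies": cookies,
               "params": {"to": "bob", "amount": "10",
                          "csrf_token": SESSIONS[sid]["csrf_token"]}}
    return {"vulnerable_forged": transfer_vulnerable(forged),
            "protected_forged": transfer_protected(forged),
            "protected_genuine": transfer_protected(genuine)}
```

Running simulate() shows the cookie-only handler executing the forged transfer while the protected handler rejects it and still accepts the application's own request.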

Page 12: Cross Site Request Forgery Vulnerabilities

Black Box testing and example

1. Let u be the URL being tested; for example, u = http://www.example.com/action

2. build an HTML page containing the HTTP request referencing URL u (specifying all relevant parameters; in the case of HTTP GET this is straightforward, while for a POST request you need to resort to some JavaScript);

3. make sure that the valid user is logged on the application;

4. induce him into following the link pointing to the to-be-tested URL (social engineering involved if you cannot impersonate the user yourself);

5. observe the result, i.e. check if the web server executed the request.

Page 13: Cross Site Request Forgery Vulnerabilities

Gray Box testing and example

Audit the application to ascertain if its session management is vulnerable.

Check if session management relies only on client side values

Page 14: Cross Site Request Forgery Vulnerabilities

Tools

Page 15: Cross Site Request Forgery Vulnerabilities

Difference Between XSS and CSRF