owasp khartoum - top 10 a5 - 7th meeting - cross site request forgery


Upload: owasp-khartoum

Post on 25-May-2015


TRANSCRIPT

Page 1: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

OWASP Khartoum (owasp.org/index.php/Khartoum)

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

7th Meeting, University of Bahri

TOP 10#A5 Cross Site Request Forgery

Obay Osman, OWASP Khartoum

15 Sept 2012

Page 2: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

ToC

• Definition.

• OWASP Rating.

• Attack Scenarios.

• CSRF in the wild.

• Demo time.

• Detection.

• Protection.

• Summary & Discussion.

Page 3: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

Definition

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.

Synonyms: XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, Hostile Linking, One-Click (Microsoft).

Page 5: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


Attack Scenarios

User:

http://bank.com/app/transferFunds?amount=1500&destinationAccount=4673243243

Attacker:

<img src="http://bank.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

Page 6: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


#1

Page 7: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


#2

Page 8: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

It is Demo Time..


Let us break something…

Page 9: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

In the wild..

- Firewall web management.

- Stored CSRF flaws (self-vulnerable applications).

- Samy Worm.

Methodologies: XSS, Social Engineering…


Page 10: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


Detection

Code Review:

• see if each link and form contains an unpredictable token for each user.

• focus on state-changing functions.

• check multistep transactions.

PenTesting:

• Manual Testing.

• OWASP’s CSRF Tester tool.

Page 11: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

Protection [Developers]

• Check the Referer header. Does it really help? (open redirect / HTTPS / subdomains)

• Double Submit Cookies.

• Challenge-Response. (CAPTCHA/Re-Authentication)

• Put unique token in the URL/URL parameter.

• Include the unique token (per request/session) in a hidden field.


No XSS & Share a ‘Secret’ With The User.

Page 12: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


Protection [Tokens]

Good Tokens:

Nonce: a one-time cryptographically random token that is returned to the client per request.

HMAC: HMAC over (PageUrl + Session/userID + Timestamp) (e.g. the encrypted ViewState in .NET).

Page 13: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


Protection [Defense in depth]

Do not use GET parameters for state-changing requests.

Do not put the secret in the URL or in cookies (log/history/Referer exposure!).

Send successful logins to a well-known location instead of an automatic redirection (Top 10 A10).

Do not resubmit POST parameters if you need to perform a redirection.

Page 14: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery


Protection [Users]

Log off immediately after using a web application.

Do not allow your browser to save usernames/passwords, and do not allow sites to "remember" your login.

Do not use the same browser to access sensitive applications and to surf the Internet freely.

Be careful when clicking untrusted links.

Page 15: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

OWASP’s Tools

OWASP’s CSRF Guard can be used to automatically include such tokens in your Java EE, .NET, or PHP application.

OWASP’s ESAPI token generators and validators.

+ OWASP’s CSRF Tester.


Page 16: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

Summary & Conclusion

Page 17: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

OWASP Top 10 2010:

A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards (NEW)

Page 19: OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

Q & A
