Securing Against Cross-Site Request Forgery in a Way You Won't Regret Later. JavaOne 2014, Aaron Hurst.


Post on 21-Dec-2015



TRANSCRIPT

  • Slide 1
  • Securing Against Cross-Site Request Forgery in a Way You Won't Regret Later. JavaOne 2014, Aaron Hurst
  • Slide 2
  • Goals
      • Understand an attack
      • Protection schemes: what works and why
      • Implementation for Java web-apps
      • Future-proofing your protection
      • How vulnerabilities still arise
  • Slide 3
  • What's my experience here?
      • Coverity is the leader in development testing
      • We report OWASP Top 10 vulnerabilities: CSRF, XSS, Injection, Sensitive Data Exposure...
      • Principal Engineer for Java web-app security
      • I spend a lot of time looking at Java security vulnerabilities!
  • Slide 4
  • Anatomy of an Attack
  • Slide 5
  • Introduction: Cross-site Request Forgery? (CSRF, or "sea-surf")
      • "... attacker to trick a client into making an unintentional request to the web server ..." (MITRE CWE)
      • Less well understood than other attacks
  • Slide 6
  • Example Attack (diagram: the browser's cookie store receives the session cookie)
      HTTP response:
        HTTP/1.1 200 OK
        Set-Cookie: session=2A7B2F293DC
  • Slide 7
  • Example GET Attack (diagram: the browser attaches the stored cookie to the forged request)
      HTTP request:
        GET /transfer?acct=12345&amount=1000 HTTP/1.1
        Cookie: session=2A7B2F293DC
      Attacker has embedded HTML: no visible rendering
  • Slide 8
  • Example POST Attack. Attacker has embedded HTML: a hidden form, auto-submitted with document.badform.submit(); no visible rendering
  • Slide 9
  • Launching the attack
      • Attack vectors: any site that 1. is administered by the attacker, 2. allows HTML posting, or 3. has cross-site scripting (XSS) vulnerabilities
      • Finding the victim: observed an interesting server request; fed malicious links to users (social media, sites with related content, scatter-shot)
  • Slide 10
  • CSRF in the Wild (news headlines from Sept. 2014, Oct. 2011 and Sept. 2014)
  • Slide 11
  • Coverity Security Advisor Stats: Open Source Java Web-apps, All Detected Vulnerabilities (chart). Excludes known false positives and intentional defects. Density = 120 per MLoC
  • Slide 12
  • Coverity Security Advisor Stats: Enterprise Web-apps, Selected Detected Vulnerabilities (chart)
  • Slide 13
  • Recovering from an attack
      • Difficult to distinguish real and forged requests: both come from the client's browser
      • Hard to automatically unwind a large attack
      > cat /var/log/tomcat7/my.access.log
      10.0.0.1 [01/Oct/2014:10:32] GET /transfer&acct=12345?amount=1000    (Legitimate)
      10.0.0.1 [01/Oct/2014:10:34] GET /transfer&acct=12345?amount=1000    (Forged)
  • Slide 14
  • An Ounce of Protection
  • Slide 15
  • Dispelling Bad Memes: none of these is sufficient on its own
      • POST requests
      • HTTPS
      • More complex session identifiers: multiple cookies, length or randomness, expiration
      • "Are you sure?" dialogs
  • Slide 16
  • Header Validation: Referrer validation
      • Header is not always present! Privacy-sensitive users and organizations may strip it; it is also missing on HTTPS-to-HTTP requests
      • Be lenient and insecure? Strict and inaccessible?
      HTTP request:
        GET /transfer HTTP/1.1
        Referer: http://secure_site.com
  • Slide 17
  • Header Validation: Custom headers
      • Must always use JavaScript XMLHttpRequest; won't work with HTML forms
      • Relies on the browser's same-origin policy
      HTTP request:
        POST /transfer HTTP/1.1
        X-My-Header: trust me!
  • Slide 18
  • Protection 101. Most general solution: secret tokens
      • Server generates a shared secret token
      • Included as a hidden form parameter
      • Server checks token validity for protected requests
  • Slide 19
  • Protection 101
      • Relies on the browser's same-origin policy: the DOM is inaccessible to pages from another site
      • Token is unguessable: a cryptographically secure random value
      • Token is temporary: session lifetime is typical; shorter lifetimes may interfere with browsing
  • Slide 20
  • How Secret Tokens Foil Attackers (mock-up of a "Transfer Money" form: Amount $100.00, To Account: Mom, Send)
      HTTP request without a token:
        POST /transfer HTTP/1.1
        Cookie: session=2A7B2F293D

        acct=12345&amount=1000
      HTTP request with the token the legitimate page included:
        POST /transfer HTTP/1.1
        Cookie: session=2A7B2F293D

        acct=12345&amount=1000&anti-csrf=82d920bfc
  • Slide 21
  • Implementation
  • Slide 22
  • Protection in Practice: What to protect? How to protect?
  • Slide 23
  • What's vulnerable? Protect requests that modify the web-app state:
      • Database updates
      • Setting session attributes
      • Writing to the file-system
      • Login pages
      • Integration with other back-end services
  • Slide 24
  • There need to be holes: not everything should be protected
      • Landing pages
      • Stateless requests
      • Unauthenticated form submissions
      • Bookmark-able pages
  • Slide 25
  • Implementation choices: 1. Manual checks, 2. Servlet filters (or similar), 3. Use a library
  • Slide 26
  • Implementation choices: 1. Manual checks
  • Slide 27
  • Implementation choices: 1. Manual checks
      • Tight coupling of functionality & security
      • Fine-grained control of protection
      • High developer burden: more opportunities for mistakes
      (Diagram: Servlet Container → handleRequest, with the check inside the handler)
  • Slide 28
  • Implementation choices: 2. Servlet Filters (or similar)
      • Loose coupling of functionality and security
      • Need correct behavior in two pieces of code
      (Diagram: Servlet Container → ServletFilter.doFilter → handleRequest)
  • Slide 29
  • Implementation choices: 3. Anti-CSRF Libraries
      • Avoid errors in token generation and management
      • Limited configuration of coverage pattern
      • Known security weaknesses. Example: exposing tokens during cross-domain requests
      • Examples: OWASP CSRFGuard, Spring Security 3.2, Apache csrf-filter
  • Slide 30
  • Challenges
  • Slide 31
  • What are the challenges?
      • Implementing the exceptions
      • Requires security and development expertise; organizational roles may not overlap
      • Retrofitting an existing system is hard
  • Slide 32
  • Best Practice: Use correct HTTP verbs
      • REST-fulness makes CSRF protection much easier
      • HTTP verbs are a language that is meaningful to developers and captures the security obligation:

                              GET               POST/PUT/DELETE
          Developer           No side effects   Have side effects
          Security Auditor    Not vulnerable    Vulnerable
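  • The secret-token scheme of slides 18-19, placed in a servlet filter as slide 28 suggests, with coverage decided by the HTTP verb as slide 32 recommends. This is an added example, not code from the talk or from any of the libraries it names; it assumes the javax.servlet 4.0 API and Java 9+, and the class name, the 32-byte token size and the /login exemption are choices made here (the anti-csrf field name is the one on slide 20).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Synchronizer-token CSRF filter (added example; not code from the talk or from any library). */
public class CsrfTokenFilter implements Filter {
    public static final String TOKEN_NAME = "anti-csrf";  // session attribute and hidden-field name (slide 20)
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final Set<String> EXEMPT_PATHS = Set.of("/login");  // hypothetical; keep this list short
    private static final SecureRandom RNG = new SecureRandom();
    /** Session token: cryptographically random, created once, valid for the session lifetime. */
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_NAME);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_NAME, token);
        }
        return token;
    }

    /** Constant-time comparison: response timing must not reveal how much of the token matched. */
    static boolean tokensMatch(String expected, String presented) {
        return expected != null && presented != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        // Coverage follows the HTTP verb, not a URL list: safe verbs must carry no side effects.
        if (SAFE_METHODS.contains(request.getMethod()) || EXEMPT_PATHS.contains(path)) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_NAME);
        if (!tokensMatch(expected, request.getParameter(TOKEN_NAME))) {  // token from the hidden field
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "bad CSRF token");
            return;
        }
        chain.doFilter(req, res);  // a state-changing request has proved it came from our own page
    }
}
```

    Pages that render state-changing forms emit the token as a hidden field, <input type="hidden" name="anti-csrf" value="..."> filled from tokenFor(request.getSession()), and the filter is mapped to /* in web.xml. Because coverage keys off the verb, a handler that performs a state change on GET (the pattern of slide 33) falls silently outside it, which is exactly why slides 37 and 47 insist on verifying verb usage.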
  • Slide 33
  • Don't: Subvert HTTP verbs. It's easy and tempting to do. Example Spring MVC 3.0 controller:

        public class AbstractCartController {
            /* The addItem method adds a product item with one or more
             * quantity to the cart by adding the item to a list and
             * calling the addItems method. */
            @RequestMapping(value = "/addItem.htm",
                            method = {RequestMethod.GET, RequestMethod.POST})
            public String addItem(@RequestParam(required=false) Boolean ajax,
                                  @ModelAttribute("addToCartItem") AddToCartItem addToCartItem,
                                  BindingResult errors, ModelMap model,
                                  HttpServletRequest request) { ... }
        }

      What about @RequestMapping("/addItem.html")?
  • Slide 34
  • The alternative isn't pretty
  • Slide 35
  • Avoid: Complex Exception Logic. Defining a configuration language? Example web.xml:

        MyCSRFFilter
        exceptions,/,/index.jsp,/login.jsp,/organizations,/wafs,/configuration,/reports,
        /j_spring_security_check,/j_spring_security_logout,/images/*,
        /styles/*,/scripts/*,/jasper/*,/rest/*,
        regex ^/rest/,
        regex ^/organizations/[0-9]+/applications/[0-9]+/scans/new/ajax_cwe$,
        regex ^/organizations/[0-9]+/applications/[0-9]+/scans/new/ajax_url$,
        regex ^/organizations/[0-9]+/applications/[0-9]+/table$,
        regex ^/organizations/[0-9]+/applications/[0-9]+/defectTable$,
        regex ^/organizations/[0-9]+/applications/jsontest$,
        regex ^/organizations/[0-9]+/applications/[0-9]+/scans/[0-9]+/table$
        regex ^/organizations/[0-9]+/applications/[0-9]+/falsepositives/table$
        regex ^/organizations/[0-9]+/applications/[0-9]+/scans/[0-9]+/unmappedTable$
  • Slide 36
  • Avoid: Complex Exception Logic (flowchart: a hand-rolled decision tree for the exceptions. Inputs: hard-coded literals, properties files and parsed XML settings, an XML tree loaded into a List / ArrayList. Tests: URI startsWith(String)? URI equals(String)? URI matches(Pattern)? parameters contain(String)? parameters empty? Each Y/N branch ends in either "Require CSRF Token" or "Bypass CSRF Check")
  • Slide 37
  • Do: Verify
      • Enforce that HTTP verbs are used properly
      • Carefully evaluate any exceptions: are the request handlers changing server state? How to even tell?
  • Slide 38
  • Don't: Hidden Behaviors. This method has a side effect. Can you spot where? Would you expect a security auditor to find this? Example web request handler:

        public String doRootContent() throws Exception {
            Document doc = DocumentHelper.createDocument();
            ContentVO rootContent = ContentController.getContentController()
                .getRootContentVO(repositoryId, getPrincipal().getName(), true);
            doc.add(getPlainContentElement(rootContent));
        }

      (Slide annotation: writes to DB)
  • Slide 39
  • Can we make our lives easier?
  • Slide 40
  • Tools can be helpful. Static analysis approach:
      • Automatically identify methods that update state
      • Automatically compute coverage patterns: filter URIs, manual protection, library set-up
      (Diagram: State Updates + Missing Coverage → CSRF Vulnerabilities)
  • Slide 41
  • Coverity Security Advisor: Interface (screenshot of http://triage:8080/ showing the list of all issues, the source code annotated with info, and the list of all events: the essential elements of the vulnerability)
  • Slide 42
  • Coverity Security Advisor (screenshot: the state update and the request handler are highlighted)
  • Slide 43
  • Coverity Security Advisor: analysis is interprocedural
  • Slide 44
  • Coverity Security Advisor (screenshot: the state update is javax.persistence.EntityManager.merge();)
  • Slide 45
  • Coverity Security Advisor: remediation advice is critical; highlights an example of valid protection. Example CSRF check: exploitProtectionService.compareToken(csrfToken);
  • Slide 46
  • Were you paying attention?
  • Slide 47
  • Coverity Security Advisor (screenshot): @RequestMapping(value = "/saveReview.htm", method = {RequestMethod.GET})
  • Slide 48
  • Conclusions
  • Slide 49
  • Conclusions
      • Sound CSRF protection is hard. Keep it simple!
      • HTTP verbs provide a common language that captures security obligations
      • Be clear about side effects
      • Verification is important!
  • Slide 50
  • Q&A. https://www.coverity.com. For a free Java software quality evaluation: https://www.code-spotter.com