web application security | beginner session - cross site request forgery


Upload: nu-the-open-security-community

Post on 09-Jun-2015

1.474 views


DESCRIPTION

null Bangalore February meet

TRANSCRIPT

Page 1: Web Application Security | Beginner Session - Cross Site Request Forgery

CSRF/XSRF? (pronounced as ‘sea-surf’)

It’s BAD. How?


Page 2: Web Application Security | Beginner Session - Cross Site Request Forgery

How?

Suppose you have an online bank account and you’re already authenticated (you have already logged-in).


Page 3: Web Application Security | Beginner Session - Cross Site Request Forgery

How?

Now you click on a link from another website, maybe from a comment. Ex.

<a href="http://bankwebsite.com/transfermoney.html">I posted photos</a>

This will just look like: I posted photos


Page 4: Web Application Security | Beginner Session - Cross Site Request Forgery

How?

Your bank website has no way of knowing that this was not really your intention: the request arrives with your session cookie, exactly like one you typed yourself.


Page 5: Web Application Security | Beginner Session - Cross Site Request Forgery

What is it?

• Attacker exploits the fact that the victim is authenticated to a website
• Identifying the attacker can be difficult

What can it do?

• Proxy requests/commands for the attacker from the victim's browser
• Even POSTs can be forged as GET requests in some cases (Web Forms One Click attack, demo in module)


Page 6: Web Application Security | Beginner Session - Cross Site Request Forgery

How is it exploited?

• Can be very simple: an image link in an email, a script on a blog, a plain link
• Attacker gets the user to:
  ○ Click a specially crafted link (or inject JavaScript into a site the victim visits)
  ○ Execute a request (can be as simple as requesting an image URL in an email)
  ○ Innocently browse a web site
• Can users include hrefs or image links on your site? Then they can link to a bad URL
• Ever click "view images" in an email?
• All browsers happily send over credentials if already logged on
  ○ If already logged in (forms auth) the cookie is sent over even for an image request


Page 7: Web Application Security | Beginner Session - Cross Site Request Forgery

CSRF – HOW IS IT EXPLOITED?

DEMO


Page 8: Web Application Security | Beginner Session - Cross Site Request Forgery

CSRF – HOW IS IT EXPLOITED?

DEMO – Repeatability is the key


Page 9: Web Application Security | Beginner Session - Cross Site Request Forgery

CSRF – HOW IS IT EXPLOITED?

DEMO – Piggyback with some other attack like XSS


Page 10: Web Application Security | Beginner Session - Cross Site Request Forgery

CSRF – POSTs protect me. They do, don't they? Don't they? Hello?

• Web Forms One Click attack
• Page.IsPostBack doesn't always tell the truth
• A button click doesn't always mean someone clicked the button


Page 11: Web Application Security | Beginner Session - Cross Site Request Forgery

How do you prevent it? All Web Apps

• Ensure GET only retrieves a resource (as per the HTTP spec): no state is modified
• POST/PUT/DELETE can be forged, so they must take additional precautions
• Try to make requests unique and non-repeatable


Page 12: Web Application Security | Beginner Session - Cross Site Request Forgery

CSRF Defenses

• CAPTCHA
  ○ Attacker must know the CAPTCHA answer
  ○ Assuming a secure implementation
• Re-Authentication
  ○ Password based
    ○ Attacker must know the victim's password
    ○ If the password is known, then it is game over already!
  ○ One-time token
    ○ Attacker must know the current token
    ○ Very strong defense!
• Unique Request Tokens
  ○ Attacker must know the unique request token for the particular victim for the particular session
  ○ Assumes the token is cryptographically secure and not disclosed
  ○ /accounts?auth=687965fdfaew87agrde …

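The following is an added example, not part of the slide deck or its Web Forms demo. It puts the deck's advice into code: the "transfermoney" handler from slide 3 in its vulnerable form (any request carrying the session cookie changes state, even a GET triggered by an image link), beside a hardened form that refuses GET for state changes and requires a unique, single-use request token bound to the session (slides 11 and 12). The session store, request dictionaries, account balance and user names are all constructed for the demonstration; no network or framework is involved.

```python
"""Vulnerable vs. hardened money-transfer handler (CSRF synchronizer token).

Requests are modelled as plain dicts: {"method", "cookies", "params"}.
Everything here (sessions, balances, names) is constructed sample data.
"""
import hmac
import secrets

# Constructed session store, keyed by the session cookie value.
SESSIONS = {"s1": {"user": "alice", "balance": 1000, "csrf_tokens": set()}}


def _session_from(request):
    """Resolve the session from the cookie, as forms auth would do."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


# --- Vulnerable handler (the bank from slide 3) -----------------------------
def transfer_vulnerable(request):
    """Modifies state on any request that carries the cookie, GET included."""
    session = _session_from(request)
    if session is None:
        return 401, "not logged in"
    amount = int(request["params"]["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {request['params']['to']}"


# --- Hardened handler -------------------------------------------------------
def issue_token(session):
    """Mint an unguessable token and bind it to this session only.

    The bank embeds it in its own transfer form (a hidden field); an
    attacker's page on another site never sees it.
    """
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    session["csrf_tokens"].add(token)
    return token


def transfer_hardened(request):
    """GET never modifies state; POST must carry a valid, unused token."""
    session = _session_from(request)
    if session is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "GET only retrieves a resource"
    supplied = request["params"].get("csrf_token", "").encode()
    # Constant-time comparison against each token issued to this session.
    match = next((t for t in session["csrf_tokens"]
                  if hmac.compare_digest(t.encode(), supplied)), None)
    if match is None:
        return 403, "missing or forged CSRF token"
    session["csrf_tokens"].discard(match)  # single use: a replay is rejected
    amount = int(request["params"]["amount"])
    session["balance"] -= amount
    return 200, f"sent {amount} to {request['params']['to']}"


def run_scenarios():
    """Drive both handlers with constructed requests; return status codes."""
    cookie = {"session": "s1"}  # the browser attaches this on every request
    forged = {"to": "mallory", "amount": "100"}
    results = {}
    # 1. Forged GET via <img src=...> or <a href=...> on another site.
    results["forged_get_vuln"] = transfer_vulnerable(
        {"method": "GET", "cookies": cookie, "params": forged})[0]
    results["forged_get_hard"] = transfer_hardened(
        {"method": "GET", "cookies": cookie, "params": forged})[0]
    # 2. Forged POST from an attacker-controlled form: cookie yes, token no.
    results["forged_post_hard"] = transfer_hardened(
        {"method": "POST", "cookies": cookie, "params": forged})[0]
    # 3. Legitimate POST from the bank's own form, which embedded the token.
    token = issue_token(SESSIONS["s1"])
    legit = {"method": "POST", "cookies": cookie,
             "params": {"to": "bob", "amount": "50", "csrf_token": token}}
    results["legit_post_hard"] = transfer_hardened(legit)[0]
    # 4. Replaying the same request: the token was consumed, so it fails.
    results["replay_post_hard"] = transfer_hardened(legit)[0]
    results["balance"] = SESSIONS["s1"]["balance"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Two design points follow the deck's caveats. The token travels in the POST body rather than in the URL (the slide's `/accounts?auth=...` shape), because a token in a URL is easier to disclose through logs and history, and the deck's defense assumes it is not disclosed. Consuming the token on use is what makes the request "unique and non-repeatable" (slide 11): the same forged or captured request cannot simply be replayed, which is the repeatability the demo on slide 8 relies on.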

Page 13: Web Application Security | Beginner Session - Cross Site Request Forgery

Web Forms – CSRF Prevention

DEMO
