Cross Site Request Forgery
CSE 591 – Security and Vulnerability Analysis
Spring 2015
Adam Doupé
Arizona State University
http://adamdoupe.com
Adam Doupé, Security and Vulnerability Analysis
HTML Review

```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>img Example</title>
  </head>
  <body>
    <img src="http://example.com/image.jpg">
    <img src="http://www.gravatar.com/avatar/f0a8d601858c94f1cd563e2402eda4d8?s=20">
  </body>
</html>
```

When the browser renders this page it issues a GET request for each img src on its own, and it attaches whatever cookies it already holds for that host (this is how a logged-in session rides along with a request the user never asked for).
How is the HTTP request created?

```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>img Example</title>
  </head>
  <body>
    <img src="https://www.facebook.com">
  </body>
</html>
```
HTML Forms Review

```html
<form action="http://example.com/grades/submit">
  <input type="text" name="student" value="bar">
  <input type="text" name="class">
  <input type="text" name="grade">
  <input type="submit" name="submit">
</form>
```

The form has no method attribute, so it submits with GET and the field values become the query string of the URL:

http://example.com/grades/submit?student=Adam+Doupé&class=cse+591&grade=A%2B&submit=Submit
HTML Links

```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>img Example</title>
  </head>
  <body>
    <a href="http://example.com/grades/submit?student=shadow&class=cse+591&grade=A%2B&submit=Submit">Click me for a free iPhone 6!</a>
  </body>
</html>
```
From the Web Application's Perspective

• Two requests to http://example.com/grades/submit
  – One from the form we showed the user
  – One from the link the user was tricked into clicking
• Two different intentions from the user's perspective
  – In one, the user wanted to submit the form (take the action)
  – In the other, the user was just clicking a link
• Both requests look identical to the application!
Even Worse

```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>Even Worse</title>
  </head>
  <body>
    <img src="http://example.com/grades/submit?student=shadow&class=cse+591&grade=A%2B&submit=Submit">
  </body>
</html>
```
Even Worse

• As we have seen, the browser automatically makes the request to example.com when it encounters an img tag, so no click is needed at all
• So we just need to get the user to visit our site (or otherwise load an img tag whose src we control, for example in a forum post or an HTML e-mail)
POST to the Rescue

```html
<form action="http://example.com/grades/submit" method="POST">
  <input type="text" name="student" value="bar">
  <input type="text" name="class">
  <input type="text" name="grade">
  <input type="submit" name="submit">
</form>
```

Submitting this form produces the following request; the parameters now travel in the body rather than in the URL, so a plain link or an img tag can no longer reproduce it:

```http
POST /grades/submit HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

student=Adam+Doup%C3%A9&class=cse+591&grade=A%2B&submit=Submit+Query
```
POST to the Rescue?

```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>Attacker</title>
  </head>
  <body>
    <form action="http://example.com/grades/submit" method="POST" id="csrf">
      <input type="text" name="student" value="shadow">
      <input type="text" name="class" value="cse 591">
      <input type="text" name="grade" value="A+">
      <input type="submit" name="submit">
    </form>
    <script>
      // The control named "submit" shadows the form element's own submit()
      // method, so the method is called from HTMLFormElement's prototype.
      HTMLFormElement.prototype.submit.call(document.getElementById("csrf"));
    </script>
  </body>
</html>
```

The attacker's page submits the form the moment it loads, with no click from the user, and the browser attaches the victim's cookies for example.com exactly as it would for a form the victim filled in. The same-origin policy keeps the attacker's page from reading the response, but it does not stop the request from being sent.
Cross-Site Request Forgery

• An attacker can force your browser to make a request to the web application
• If there is no guarantee that the user intended to make the request, Cross-Site Request Forgery is possible
• Abbreviated CSRF or XSRF
CSRF Countermeasures

• Server-side code must generate a (random and unguessable) nonce, and that nonce must be included in every sensitive (state-changing) request
• The server must remember which nonce it issued to which session and reject any request whose nonce does not match; the attacker's page cannot read the nonce out of the victim's form, so this is exactly what the forged request lacks

```html
<form action="http://example.com/grades/submit" method="POST">
  <input type="text" name="student">
  <input type="text" name="class">
  <input type="text" name="grade">
  <input type="hidden" name="nonce" value="86265964993938188445">
  <input type="submit" name="submit">
</form>
```
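The following Python is an added example, not code from the slides: it models example.com's /grades/submit handler in-process, with the cookie-only handler the slides attack beside a handler that enforces the per-session nonce, and replays the img-tag GET, the auto-submitted POST and a guessed nonce against both. The session store, the Request object, the handler names and the attacker's values are assumptions made for the demonstration; there is no real HTTP or browser involved.

```python
# Added example (not from the slides): toy model of the grade-submission
# endpoint. Sessions, requests and the grade store are constructed in memory.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SUBMIT_PATH = "/grades/submit"


@dataclass
class Session:
    user: str
    csrf_nonce: Optional[str] = None   # nonce issued with the last rendered form


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]            # attached by the browser automatically
    params: Dict[str, str]             # query string (GET) or form body (POST)


SESSIONS: Dict[str, Session] = {}            # session cookie value -> session
GRADES: List[Tuple[str, str, str]] = []      # rows "written" by the handlers


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def render_form(sid: str) -> str:
    """Render the grade form for a logged-in user: mint a fresh nonce and
    remember it in the session so the handler can check it later."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid].csrf_nonce = nonce
    return (
        f'<form action="http://example.com{SUBMIT_PATH}" method="POST">'
        '<input type="text" name="student"><input type="text" name="class">'
        '<input type="text" name="grade">'
        f'<input type="hidden" name="nonce" value="{nonce}">'
        '<input type="submit" name="submit"></form>'
    )


def submit_vulnerable(req: Request) -> Tuple[int, str]:
    """The handler the slides attack: a valid session cookie is the only
    check, so the img-tag GET and the auto-submitted POST both succeed."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 403, "not logged in"
    GRADES.append((req.params["student"], req.params["class"], req.params["grade"]))
    return 200, f"grade recorded by {sess.user}"


def submit_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint with the countermeasure: a state change must be a POST
    carrying the nonce issued to this session, compared in constant time
    and accepted only once."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 403, "not logged in"
    if req.method != "POST":
        return 405, "state-changing request must be POST"
    expected = sess.csrf_nonce
    supplied = req.params.get("nonce", "")
    if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF nonce"
    sess.csrf_nonce = None           # single use: replaying the same body fails
    GRADES.append((req.params["student"], req.params["class"], req.params["grade"]))
    return 200, f"grade recorded by {sess.user}"


FORGED = {"student": "shadow", "class": "cse 591", "grade": "A+"}   # attacker's values


def forged_get(sid: str) -> Request:
    """What the browser sends for the attacker's <img src=...>: GET, cookie attached."""
    return Request("GET", {"session": sid}, dict(FORGED))


def forged_post(sid: str, guessed_nonce: Optional[str] = None) -> Request:
    """What the browser sends for the attacker's auto-submitted form. The
    attacker's page cannot read the victim's form, so any nonce is a guess."""
    params = dict(FORGED)
    if guessed_nonce is not None:
        params["nonce"] = guessed_nonce
    return Request("POST", {"session": sid}, params)


def demo() -> Dict[str, int]:
    """Run the slides' scenarios against both handlers; returns status codes."""
    sid = login("victim")
    render_form(sid)                 # victim has the real form open, nonce outstanding
    results = {
        "vulnerable_img_get": submit_vulnerable(forged_get(sid))[0],
        "vulnerable_auto_post": submit_vulnerable(forged_post(sid))[0],
        "hardened_img_get": submit_hardened(forged_get(sid))[0],
        "hardened_auto_post": submit_hardened(forged_post(sid))[0],
        "hardened_guessed_nonce": submit_hardened(forged_post(sid, "86265964993938188445"))[0],
    }
    legit = Request("POST", {"session": sid},
                    {"student": "Adam Doupé", "class": "cse 591", "grade": "A+",
                     "nonce": SESSIONS[sid].csrf_nonce})
    results["hardened_legit_post"] = submit_hardened(legit)[0]
    results["hardened_replay"] = submit_hardened(legit)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:24s} -> {status}")
```

Checking the method first means the img-tag GET is refused before the nonce is even looked at, while the auto-submitted POST fails only because the attacker's page cannot supply the nonce the victim's session holds. Clearing the nonce after a successful submit makes a captured body useless for a replay; a real application would also tie nonce lifetime to the session and re-issue one with each rendered form.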
Summary

• CSRF is a subtle but critical vulnerability
• Using cookies as the session is not enough; state-changing requests also need a nonce that the server issues and verifies