Intro to Web attacks - ENSIMAG · 2011. 6. 14. · •Lecturers: VIPRET Julien and MOUGEY Camille...
• Lecturers: VIPRET Julien and MOUGEY Camille
Intro to Web attacks CSRF
SecurIMAG
2011-05-26
WARNING: SecurIMAG is a security club at
Ensimag. Thoughts, ideas and opinions are not
related to Ensimag. The authors assume no
liability including for errors and omissions.
¡¡_ (in)security we trust _!!
Grenoble INP
Ensimag
Summary
2
CSRF, the unknown:
• Brief presentation of the lecturers
• CSRF presentation, how it works
• How do I protect myself?
• Questions
Brief presentation about lecturers
3
VIPRET Julien
1A ENSIMAG
Next year: SLE
Beginner in computer security
Contact: vipretj__[at]__ensimag.fr
MOUGEY Camille
1A ENSIMAG
Next year: ISI
Beginner in computer security,
Web fan
Contact: mougeyc__[at]__ensimag.fr
CSRF Presentation, working explanation
(1/4)
4
• CSRF = Cross-Site Request Forgery
• CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in its threat modeling process and in many places in its online documentation.
• Purpose: force a request to be sent by a user who is already authenticated on a website
• Principle:
1. Normal consultation of a website (the victim is logged in)
2. Mail from Evil with a malicious link
3. Execution of a query with the victim's permissions, without his knowledge
Example of the malicious content behind the link:
<iframe src="http://www.exemple.com/admin.php?adduser=CSRF&privilege=admin"></iframe>
CSRF Presentation, working explanation
(2/4)
5
• In reality: HTML <img> tags, mail, ...
• Also a threat on local networks (any web interface the victim's browser can reach)
CSRF Presentation, working explanation
(3/4)
6
• Potentially, ALL applications which keep a session are vulnerable
• The attacker only needs to know the architecture of the target application
• Open source, fired network admin, ...
• Adding finesse to attacks (Login CSRF)
• Login CSRF on Google, Yahoo
• Paypal
• iGoogle
• CSRF is not XSS
Aside : Login CSRF : Google, Yahoo
7
With a CSRF attack, the victim is logged into Google as « Evil »
Each request is then stored in the Google search history of « Evil »
The attacker (owner of the « Evil » account) now has access to the victim's search history
• Allows the attacker to obtain the victim's search requests on Google, Yahoo
Aside : Login CSRF : iGoogle
8
Connected as [email protected]
Connected as [email protected]
Login CSRF: the victim's browser accepts an iGoogle gadget with origin www.google.com
XSS is injected with origin www.google.com
• Allows XSS to run with origin www.google.com (see SOP, the Same-Origin Policy)
CSRF Presentation, working explanation
(4/4)
9
• Demonstration: ==DB-Protect 1.0==
• Real example: or how to get the real name of your visitors with the LIKE button
Request body forged during the demonstration:
login=julien&pass=azerty&privilege=admin
How to protect myself ? (1/3)
10
• Although the HTTP specification [Tim Berners-Lee, Roy Fielding, and Henrik Frystyk. Hypertext Transfer Protocol - HTTP/1.0. RFC 1945, May 1996.] requires GET requests to be free of side effects, some sites do not comply with this requirement.
• Using only POST
• The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed.
• In fact a form can be submitted automatically from a malicious website
• Referer?
• Not suitable as the only protection...
• Main reason: there are browsers which don't send the Referer
• From the same website, the Referer is « valid »
• But very efficient in a few cases: http://seclab.stanford.edu/websec/csrf/csrf.pdf
• Project « Origin »
How the Referer works:
1: the browser loads a page of the site
2: on the next request, the browser sends the HTTP Referer (i.e. the calling page URL)
Referer: www.exemple.com/index.php?q=others
How to protect myself ? (2/3)
11
• Introduce entropy
• Token:
o Random data
o Random variable name
• Double validation
• /!\ With XSS, these protections can be bypassed
• See the Samy worm on MySpace (2005)
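The token protection described above, as an added example that is not part of the slides: each session gets random token data under a random field name, the form carries it back, and the server accepts the request only if the token matches (an Origin/Referer check, when the header is present, is layered on top). The session store, the request headers/form dicts and the site origin www.exemple.com are assumptions of this demo.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical origin of our own site (constructed for this example).
ALLOWED_ORIGIN = "https://www.exemple.com"


def issue_csrf_token(session):
    """Store fresh random token data and a random field name in the session
    and return the hidden <input> the server embeds in its forms."""
    session["csrf_field"] = "f_" + secrets.token_hex(8)   # random variable name
    session["csrf_token"] = secrets.token_urlsafe(32)     # random data
    return '<input type="hidden" name="%s" value="%s">' % (
        session["csrf_field"], session["csrf_token"])


def source_allowed(headers):
    """Origin (or, failing that, Referer) must match our own origin when
    present. Some browsers omit these headers, so absence is tolerated and
    the token alone decides; a mismatching header is always rejected."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return True
    p = urlparse(src)
    return "%s://%s" % (p.scheme, p.netloc) == ALLOWED_ORIGIN


def csrf_ok(session, headers, form):
    """Return True only if the request carries the token issued to this
    session, under the field name chosen for this session."""
    field = session.get("csrf_field")
    expected = session.get("csrf_token")
    if not field or not expected or not source_allowed(headers):
        return False
    supplied = form.get(field, "")
    # Constant-time comparison: the token must not be guessable byte by byte.
    return hmac.compare_digest(supplied, expected)
```

A forged request built on another site cannot read the field name or the token out of the victim's page, so it fails the check even though the browser attaches the session cookie.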
How to protect myself ? (3/3)
12
• But there are server-side protections
What about a server which totally trusts already logged-in clients?
• For mail:
• Don't allow automatic HTML interpretation
• Don't save logins in the browser
• Don't use the « remember me » option
• Don't follow suspicious links
• Always log out when you've finished
• CSRF Prevention Cheat Sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
Questions
13
• Questions?
• Webography:
• Actu-Secu n°11 (February 2007). http://www.xmcopartners.com/actu-secu/actu_secu_fevrier2007.pdf
• "Confused Deputy". http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
• iSEC Partners white paper. http://www.isecpartners.com/documents/XSRF_Paper.pdf
• CGISecurity FAQ. http://www.cgisecurity.com/articles/csrf-faq.shtml